clockworkpi

Shadow's Terminal: AP, IRC, Webserver

Introduction

This is more of a guide or more or less a set of instructions on how to set up a Gameshell with the ability to:

But…

  • If you don’t want to compile your own kernel, I’ve posted the one I’ve compiled and am using here:
    EDIT: Sorry guys it looks like I forgot to turn on something for hostapd! You will need the authenticator dependency in your kernel!

If those things don’t sound appealing to you, then maybe this guide isn’t for you…


IMPORTANT!

This guide will generally assume that you are working from the /home/cpi directory. Please note that I may have forgotten a step or two, most of these commands are tested but PLEASE do your own research before carelessly entering any commands and you will be required to have a little common sense. I am not liable for how you interpret or use this information and am not responsible for any loss of data. I will be referencing other sources of data/packages some of which provided by the community here.

There’s also good reference material that can be found at linuxfromscratch.org regarding kernel references for iptables and bridge-utils. There were a few other components that I’ve turned on that weren’t based on explicit instructions to do so such as enabling IP masquerading which is required if we’re to resubmit wireless traffic back to our main wifi.

It’s also meant to be a guide for myself in case I mess up badly and have to start all over :) so in short this is going to be truncated, not going into too much detail over every single component…

Be warned that there are a lot of steps to this and it may take a good chunk of your time, especially if you decide to compile the kernel directly on the device as instructed by default below. Edit: Assume that these commands are run as root. You can log in as root by typing sudo -s

With this out of the way…


Phase One

You will need a flashed micro SD card. I recommend BACKING UP your data before messing with any of this! It’s also recommended that you change your power settings to 'SERVER'.


Phase Two

  • Secure your device. Connect to the internet. We will need it to install some dependencies later… It’s important to do the following if you haven’t already:

Optional: Add an SSH banner and change the MOTD.
echo 'Banner /etc/banner.net' >> /etc/ssh/sshd_config
# printf expands \n into a newline; bash's built-in echo would write it literally
printf 'shadowsword#0179\nGAMESHELL TERMINAL\n' > /etc/banner.net
nano /etc/motd

Change the default password from cpi to something else.
passwd

Change PermitRootLogin from yes to no
sudo nano /etc/ssh/sshd_config


Phase Three

  • Create folders to work with. This isn’t an exact science. You can name these however you like as long as you apply your naming convention to later commands. This step isn’t even all that important.

One just because we can use it as a $PATH
mkdir 'xx_shells'
echo 'PATH="/home/cpi/xx_shells:$PATH"' >>/home/cpi/.bashrc

One because we’ll need a place to put the compiling stuff
mkdir 'xcompile'

One to copy our certificates to because we’ll need SSL for inspircd and apache2
mkdir '/certs'

Optional alias because I like it
echo "alias ll='ls -l'">>.bashrc


Phase Four

  • Mount the boot point of your micro SD. It’s not important that this stays mounted so we’re not adding it to fstab.

mkdir /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot


Phase Five

  • Update, upgrade, install dependencies and extras

sudo apt-get update; sudo apt-get upgrade

Install the following packages (some were included better-safe-than-sorry and personal preference)
sudo apt-get install bridge-utils dnsmasq hostapd apache2 certbot locate flex bison bc libssl-dev build-essential irssi

If you installed locate, we can use this later to find things easier. Index the system by typing:
sudo updatedb

(then use locate *(filename)* to search for your file using this index.)

Install Simple Terminal, this is a life saver.
wget https://github.com/pleft/st-sdl-gameshell/releases/download/v1.0-gs/SimpleTerminal.tar.gz
tar -xvzf SimpleTerminal.tar.gz
rm SimpleTerminal.tar.gz
cp 03_SimpleTerminal /home/cpi/apps/Menu/60_Utils/12_SimpleTerminal


Phase Six

  • Stop the services we installed. They don’t need to be running while we configure them.

sudo systemctl stop hostapd
sudo systemctl stop dnsmasq


Phase Seven

  • Dealing with our SSL certificates. We’ll need this for inspircd and apache2.

IMPORTANT! YOU WILL NEED TO HAVE PORT 80 FORWARDED ON YOUR ROUTER AND HAVE OBTAINED A DOMAIN FOR YOUR IP!

Please replace somedomain.tk with the domain given to you by letsencrypt.

sudo systemctl start apache2 # if not started already
certbot certonly
cd /etc/letsencrypt/live/somedomain.tk/
openssl dhparam -out dhparams.pem 2048
cp cert.pem /certs/
cp chain.pem /certs/
cp dhparams.pem /certs/
cp fullchain.pem /certs/
cp privkey.pem /certs/
cd /certs/
sudo chown cpi:cpi *
sudo chmod 440 *
sudo systemctl stop apache2

Phase Eight

  • inspircd installation and configuration. This is somewhat of a big section to try and squish a default in. Please be sure to read over and change as needed, you will likely want to do your own customization settings but this is the basis for how our system works and includes the proper references for our SSL .pem’s. I’m not going to comment much here. It’s best to spend the extra time to do it yourself.
# Install IRC Daemon
wget https://github.com/inspircd/inspircd/archive/v3.6.0.tar.gz
tar -xvf v3.6.0.tar.gz

# YOU WILL THEN NEED TO CD INTO THE FOLDER AND:
./configure
# remember that you can specify --enable-extras m_foo.cpp if needed in above line
make install

cd run/conf
echo "shadow's" > motd.txt
echo '_________    __  _________ '>> motd.txt
echo '/ ____/   |  /  |/  / ____/ '>> motd.txt
echo '/ / __/ /| | / /|_/ / __/    '>> motd.txt
echo '/ /_/ / ___ |/ /  / / /___    '>> motd.txt
echo '\____/_/ _|_/_/__/_/_____/ __ '>> motd.txt
echo '/ ___// / / / ____/ /   / / '>> motd.txt
echo '\__ \/ /_/ / __/ / /   / /  '>> motd.txt
echo '___/ / __  / /___/ /___/ /___'>> motd.txt
echo '/____/_/ /_/_____/_____/_____/'>> motd.txt

echo '<define name="bindip" value="*">' >inspircd.conf
echo '<define name="localips" value="&bindip;/24">' >>inspircd.conf
echo '<server name="shadownet.irc.shadowsword.tk" description="Dimension Engineering Operations Terminal" network="Omega">'>>inspircd.conf
echo '<admin name="shadowsword#0179" nick="cpi" email="shadowsword@protonmail.com">'>>inspircd.conf
echo '<bind address="*" port="6697" type="clients" ssl="openssl" defer="0" free="no">'>>inspircd.conf
echo '<sslprofile name="openssl" provider="openssl" cafile="/certs/fullchain.pem" certfile="/certs/fullchain.pem" ciphers="DEFAULT" compression="no" dhfile="/certs/dhparams.pem" ecdhcurve="prime256v1" hash="sha256" keyfile="/certs/privkey.pem" renegotiation="no" requestclientcert="yes" tlsv1="no" tlsv11="yes" tlsv12="yes">'>>inspircd.conf
echo '<bind address="*" port="6660-6669" type="clients">'>>inspircd.conf
echo '<connect deny="3ffe::0/32" reason="The 6bone address space is deprecated">'>>inspircd.conf
echo '<connect name="main" allow="*" maxchans="20" timeout="20" pingfreq="2m" hardsendq="1M" softsendq="10240" recvq="10K" threshold="10" commandrate="1000" fakelag="on" localmax="3" globalmax="3" resolvehostnames="yes" useident="no" limit="5000" modes="+x">'>>inspircd.conf
echo '<cidr ipv4clone="32" ipv6clone="128">'>>inspircd.conf
echo '<files motd="motd.txt">'>>inspircd.conf
echo '<dns timeout="5">'>>inspircd.conf
echo '<maxlist chan="*" limit="100">'>>inspircd.conf
echo '<options prefixquit="DISCONNECTION: " suffixquit="" prefixpart="&quot;" suffixpart="&quot;" syntaxhints="no" casemapping="ascii" cyclehostsfromuser="no" announcets="yes" allowmismatch="no" defaultbind="auto" hostintopic="yes" pingwarning="15" serverpingfreq="1m" splitwhois="no" defaultmodes="not" xlinemessage="Youre banned! Email shadowsword@protonmail.com with the ERROR line below for help." allowzerolimit="no" modesinlist="no" exemptchanops="censor:o filter:o nickflood:o nonick:v regmoderated:o" invitebypassmodes="yes" nosnoticestack="no">'>>inspircd.conf
echo '<performance netbuffersize="10240" somaxconn="128" softlimit="12800" clonesonconnect="yes" timeskipwarn="2s" quietbursts="yes">'>>inspircd.conf
echo '<security allowcoreunload="no" announceinvites="dynamic" hideulines="no" flatlinks="no" hidebans="no" hidekills="" hideulinekills="yes" hidesplits="no" maxtargets="20" customversion="" restrictbannedusers="yes" genericoper="no" userstats="Pu">'>>inspircd.conf
echo '<limits maxnick="30" maxchan="64" maxmodes="20" maxident="10" maxhost="64" maxquit="255" maxtopic="307" maxkick="255" maxreal="128" maxaway="200">'>>inspircd.conf
echo '<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="ircd.log">'>>inspircd.conf
echo '<whowas groupsize="10" maxgroups="100000" maxkeep="5d">'>>inspircd.conf
echo '<badip ipmask="192.0.2.69" reason="No porn here thanks.">'>>inspircd.conf
echo '<badnick nick="ChanServ" reason="Reserved for a network service">'>>inspircd.conf
echo '<badhost host="*@banneduser.example.net" reason="Evading Bans">'>>inspircd.conf
echo '<badhost host="root@*" reason="Dont IRC as root!">'>>inspircd.conf
echo '<badhost host="*@198.51.100.0/24" reason="This subnet is bad.">'>>inspircd.conf
echo '<exception host="*@localhost" reason="Opers hostname">'>>inspircd.conf
echo '<insane hostmasks="no" ipmasks="no" nickmasks="no" trigger="95.5">'>>inspircd.conf
echo '<include file="opers.conf">'>>inspircd.conf

echo '<class name="Shutdown" commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE" privs="users/auspex channels/auspex servers/auspex users/mass-message users/flood/no-throttle users/flood/increased-buffers" usermodes="*" chanmodes="*" snomasks="*">'>>opers.conf
echo '<class name="SACommands" commands="SAJOIN SAPART SANICK SAQUIT SATOPIC SAKICK SAMODE OJOIN">'>>opers.conf
echo '<class name="ServerLink" commands="CONNECT SQUIT RCONNECT RSQUIT MKPASSWD ALLTIME SWHOIS LOCKSERV UNLOCKSERV" usermodes="*" chanmodes="*" privs="servers/auspex" snomasks="Cc">'>>opers.conf
echo '<class name="BanControl" commands="KILL GLINE KLINE ZLINE QLINE ELINE TLINE RLINE CHECK NICKLOCK NICKUNLOCK SHUN CLONES CBAN" usermodes="*" chanmodes="*" snomasks="Xx">'>>opers.conf
echo '<class name="OperChat" commands="WALLOPS GLOBOPS" usermodes="*" chanmodes="*" privs="users/mass-message" snomasks="Gg">'>>opers.conf
echo '<class name="HostCloak" commands="SETHOST SETIDENT SETIDLE CHGNAME CHGHOST CHGIDENT" usermodes="*" chanmodes="*" privs="users/auspex">'>>opers.conf
echo '<type name="NetAdmin" classes="SACommands OperChat BanControl HostCloak Shutdown ServerLink" vhost="netadmin.shadowsword.tk" maxchans="60" modes="+s +cCqQ">'>>opers.conf
echo '<type name="GlobalOp" classes="SACommands OperChat BanControl HostCloak ServerLink" vhost="serverop.omega.shadowsword.tk">'>>opers.conf
echo '<type name="Helper" classes="HostCloak" vhost="helper.omega.example.org">'>>opers.conf
echo '<oper name="Shadow" password="oper" host="*@localhost *@clockworkpi *@DEOT *@2001:db8::/32" type="NetAdmin">'>>opers.conf

Phase Nine

  • Let’s add some custom utilities to the launcher. We can then access this later if we need to do something fast. Edit or append as needed. I’ve commented out 01_APON because I decided I want the system to enable our virtual access point interface from rc.local;

IMPORTANT

EDIT: These instructions may lead to errors that might lead to a reflashing. PROCEED WITH CAUTION! I have yet to figure out the EXACT CAUSE of what makes this fail. Please see https://github.com/clockworkpi/launcher/issues/329 hence why I believe I’ve isolated the cause of the problem to these lines.

mkdir /home/cpi/apps/Menu/60_Utils/12_Xtra
echo '#!/bin/bash'>/home/cpi/apps/Menu/60_Utils/12_Xtra/01_APON.sh

echo '#sudo iw phy phy0 interface add wlan1 type __ap' >>/home/cpi/apps/Menu/60_Utils/12_Xtra/01_APON.sh
echo '#sudo systemctl start dnsmasq; sudo systemctl start hostapd' >>/home/cpi/apps/Menu/60_Utils/12_Xtra/01_APON.sh

echo '#!/bin/bash'>/home/cpi/apps/Menu/60_Utils/12_Xtra/02_APOFF.sh
echo 'sudo systemctl stop hostapd; sudo systemctl stop dnsmasq' >>/home/cpi/apps/Menu/60_Utils/12_Xtra/02_APOFF.sh

echo '#!/bin/bash'>/home/cpi/apps/Menu/60_Utils/12_Xtra/03_IRC_ON.sh
echo '/home/cpi/inspircd/run/inspircd restart'>>/home/cpi/apps/Menu/60_Utils/12_Xtra/03_IRC_ON.sh

echo '#!/bin/bash'>/home/cpi/apps/Menu/60_Utils/12_Xtra/04_IRC_OFF.sh
echo '/home/cpi/inspircd/run/inspircd stop'>>/home/cpi/apps/Menu/60_Utils/12_Xtra/04_IRC_OFF.sh

echo '#!/bin/bash'>/home/cpi/apps/Menu/60_Utils/12_Xtra/04_WIFI_PS_DISABLE.sh
echo 'sudo iw wlan0 set power_save off' >>/home/cpi/apps/Menu/60_Utils/12_Xtra/04_WIFI_PS_DISABLE.sh

chmod 555 /home/cpi/apps/Menu/60_Utils/12_Xtra/*

Phase Ten

wget https://releases.linaro.org/components/toolchain/binaries/7.2-2017.11/arm-linux-gnueabihf/gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
tar -xvf gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
rm gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf.tar.xz
echo 'export PATH="/xcompile/gcc-linaro-7.2.1-2017.11-x86_64_arm-linux-gnueabihf/bin:$PATH"' >> /home/cpi/.bashrc

cd /home/cpi
git clone https://github.com/asypost/clockwork-pi3-kernel
cd clockwork-pi3-kernel
#cp ./arch/arm/configs/clockworkpi_cpi3_defconfig .config
make -j5 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
make -j5 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf-
mkimage -A arm -O linux -T kernel -C none -a 0x40008000 -e 0x40008000 -n "Linux kernel" -d arch/arm/boot/zImage uImage

Copy the kernel to the mount point:
sudo cp /mnt/boot/uImage /mnt/boot/uImage.bak
sudo cp uImage /mnt/boot/uImage


Phase Eleven

  • Reboot your device! Update, upgrade, and we’ll continue with configuring our access point.
    We don’t have a second internet interface on the device by default so we’re going to try to use. In the predefined configuration below, we’ll be using 10.10.0.XX as our network.
# set a static IP for wlan1
echo 'interface wlan1' >/etc/dhcpcd.conf
echo 'static ip_address=10.10.0.1/24' >>/etc/dhcpcd.conf
# deny wlan1 from being auto configured
echo 'denyinterfaces wlan1' >>/etc/dhcpcd.conf

# configure DHCP
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
echo 'interface=wlan1' >/etc/dnsmasq.conf
echo 'dhcp-range=10.10.0.10,10.10.0.128,255.255.255.0,24h' >>/etc/dnsmasq.conf
# and lets reroute traffic anything .cpi
echo 'address=/.cpi/127.0.0.1' >>/etc/dnsmasq.conf

# configure hostapd
echo 'interface=wlan1' >/etc/hostapd/hostapd.conf
echo 'bridge=br0'>>/etc/hostapd/hostapd.conf
echo 'hw_mode=g'>>/etc/hostapd/hostapd.conf
# change as needed
echo 'channel=7'>>/etc/hostapd/hostapd.conf
echo 'wmm_enabled=0'>>/etc/hostapd/hostapd.conf
echo 'macaddr_acl=0'>>/etc/hostapd/hostapd.conf
echo 'auth_algs=1'>>/etc/hostapd/hostapd.conf
echo 'ignore_broadcast_ssid=0'>>/etc/hostapd/hostapd.conf
echo 'wpa=2'>>/etc/hostapd/hostapd.conf
echo 'wpa_key_mgmt=WPA-PSK'>>/etc/hostapd/hostapd.conf
echo 'wpa_pairwise=TKIP'>>/etc/hostapd/hostapd.conf
echo 'rsn_pairwise=CCMP'>>/etc/hostapd/hostapd.conf
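# the bits that matter
echo 'ssid=shadownet'>>/etc/hostapd/hostapd.conf
# hostapd rejects WPA passphrases shorter than 8 or longer than 63 characters; set your own
echo 'wpa_passphrase=CHANGE-ME-8-TO-63-CHARS'>>/etc/hostapd/hostapd.conf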

# tell core where conf is
echo 'DAEMON_CONF="/etc/hostapd/hostapd.conf"' >> /etc/default/hostapd

# enable IP forwarding
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf

#enable postrouting
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# try update-alternatives --config iptables if having issues

IMPORTANT! In Phase Nine, we have 04_WIFI_PS_DISABLE which simply disables power saving on our wifi. You have the option of disabling this from rc.local or through the script. I would default to using the script to be on the safe side. Doing this may increase performance and stop the Wifi from occasional interrupts.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
echo 'iptables-restore < /etc/iptables.ipv4.nat' >>/etc/rc.local

# this bit here is not recommended 
echo 'sudo iw wlan0 set power_save off' >>/etc/rc.local

echo 'sudo iw phy phy0 interface add wlan1 type __ap' >>/etc/rc.local

# We wanna make sure inspircd starts with the other services
echo '/home/cpi/inspircd/run/inspircd start'>>/etc/rc.local

Phase Twelve

  • Adding the bridge interface. More fruits of our labour in kernel.
# add a bridge
sudo brctl addbr br0
# bridge wlan0
sudo brctl addif br0 wlan0

Check to see what’s already in /etc/network/interfaces before applying the below:

echo 'auto br0' >>/etc/network/interfaces
echo 'iface br0 inet manual' >>/etc/network/interfaces
echo 'bridge_ports wlan0 wlan1' >>/etc/network/interfaces

You might want to double check your hostname and resolv.conf;


Phase Thirteen

  • Reboot your device!!

Check your kern.log, dmesg; ensure that hostapd, dnsmasq, inspircd, and apache2 all started up correctly.

There are multiple ways of doing things; all in all I think that from start to finish followed through it’s a neat little project and I have to say that I learned a lot about the ins and outs of the Clockworkpi Gameshell just tinkering and trying to do something nobody else seemingly has done with their device before yet. I know that I didn’t talk a lot about apache2, but the focus of this was the initial setting up of a template/basis to work with. I built my first kernel… feels like something I should have been doing since my Backtrack 4 days.


and here is a snapshot of the fruits of our labour:


Good luck!

3 Likes
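
The hostapd settings written in Phase Eleven can be checked before hostapd is started. The script below is an added example, not part of the original post: it flags a passphrase outside the 8 to 63 character range that WPA-PSK requires and works out which pairwise cipher is actually in effect for the configured wpa value. The function names are made up for this example, the sample file is constructed, and it assumes the key is set with wpa_passphrase rather than wpa_psk.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hostapd.conf for
# settings that keep the AP from starting or weaken its encryption.

# Print the value of the last "KEY=value" line for KEY ($1) in FILE ($2).
conf_get() {
    awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$2"
}

# Print one finding per line; prints nothing when no check fires.
audit_hostapd() {
    f=$1
    wpa=$(conf_get wpa "$f"); wpa=${wpa:-0}
    pass=$(conf_get wpa_passphrase "$f")
    wpa_pw=$(conf_get wpa_pairwise "$f"); wpa_pw=${wpa_pw:-TKIP}
    # rsn_pairwise falls back to wpa_pairwise when unset (hostapd default).
    rsn_pw=$(conf_get rsn_pairwise "$f"); rsn_pw=${rsn_pw:-$wpa_pw}

    if [ "$wpa" -eq 0 ]; then
        echo "FAIL wpa is 0 or unset: the network is open"
        return 0
    fi
    # A WPA-PSK passphrase must be 8 to 63 characters.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "FAIL wpa_passphrase is ${#pass} characters, need 8-63"
    fi
    # Bit 0 of wpa enables WPA1, which uses wpa_pairwise.
    if [ $(( wpa & 1 )) -ne 0 ]; then
        echo "WARN wpa=$wpa enables WPA1 (pairwise: $wpa_pw)"
    fi
    # Bit 1 enables WPA2/RSN, which uses rsn_pairwise.
    if [ $(( wpa & 2 )) -ne 0 ]; then
        case " $rsn_pw " in
            *" TKIP "*) echo "WARN WPA2 pairwise ciphers include TKIP" ;;
        esac
    fi
    return 0
}

# Constructed sample: WPA settings in the style of Phase Eleven, short passphrase.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=shadownet
wpa_passphrase=cpi
EOF
audit_hostapd "$sample"
rm -f "$sample"
```

With wpa=2 only rsn_pairwise applies, so a wpa_pairwise=TKIP line has no effect; it starts to matter if wpa is changed to 1 or 3, or if rsn_pairwise is removed.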

Apparently I can only edit so many times;
Edits: Section Eight
This line is required in inspircd.conf

<module name="ssl_openssl">

and there is a typo: /certs/dhparams should be /certs/dhparam

Update: After finishing all of it, and getting around previous errors; I’m still having issues with the Wifi. Ah, well. This was a fun little project while it lasted. I’m just going to have to wait for more support.
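
A preflight check for the two Phase Eight problems mentioned in the edits above, a missing ssl_openssl module line and an sslprofile path that does not match the file on disk, plus a permission check on the private key copied in Phase Seven. This is an added example, not part of the original posts: the function names are made up, a temporary directory stands in for /certs, and it assumes the sslprofile uses absolute paths.

```shell
#!/bin/sh
# Added example (not from the original posts): preflight check for the
# <sslprofile> tag in inspircd.conf. Assumes absolute file paths.

# Print the value of attribute $1 from the first <sslprofile> tag in file $2.
ssl_attr() {
    sed -n 's/.*<sslprofile[^>]* '"$1"'="\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Print one finding per line; prints nothing when every check passes.
check_inspircd_tls() {
    conf=$1
    grep -q '<module name="ssl_openssl">' "$conf" ||
        echo "FAIL ssl_openssl module is not loaded"
    for attr in cafile certfile keyfile dhfile; do
        path=$(ssl_attr "$attr" "$conf")
        if [ -z "$path" ]; then
            echo "WARN sslprofile has no $attr"
        elif [ ! -f "$path" ]; then
            echo "FAIL $attr points to missing file $path"
        elif [ "$attr" = keyfile ] &&
             [ -n "$(find "$path" -prune -perm -004)" ]; then
            echo "FAIL keyfile $path is readable by every local user"
        fi
    done
    return 0
}

# Constructed sample: the conf names dhparams.pem but the file is dhparam.pem,
# and the module line is absent.
d=$(mktemp -d)
touch "$d/fullchain.pem" "$d/privkey.pem" "$d/dhparam.pem"
chmod 440 "$d/fullchain.pem" "$d/privkey.pem" "$d/dhparam.pem"
cat > "$d/inspircd.conf" <<EOF
<bind address="*" port="6697" type="clients" ssl="openssl">
<sslprofile name="openssl" provider="openssl" cafile="$d/fullchain.pem" certfile="$d/fullchain.pem" dhfile="$d/dhparams.pem" keyfile="$d/privkey.pem">
EOF
check_inspircd_tls "$d/inspircd.conf"
rm -rf "$d"
```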