diff options
| -rw-r--r-- | README.md | 571 |
1 files changed, 556 insertions, 15 deletions
@@ -1,16 +1,557 @@ -<b>Yamn Web Interface</b><br> -<p>This repository contains a web interface for <a href="https://github.com/crooks/yamn"><em>crooks/yamn</em></a>, a user-friendly web application designed to facilitate the sending of anonymous emails through a chain of remailers using the yamn network.<br> -The interface is built using HTML5, CSS3, and PHP.</p> - -<b>Instructions</b><br> -<p>Make this repository as your http daemon document's root <pre>/var/www/yamnweb</pre><br> -Create a subdirectory pool/ in /var/www/yamnweb.</p> -<b>Clone down crooks yamn client</b><br> -<pre>git clone https://github.com/crooks/yamn /opt/yamn-master </pre> -<p>Build and ensure the GO Yamn executable path is located at /opt/yamn-master/yamn.<br> -Update the configuration file /opt/yamn-master/yamn.yml with the appropriate settings for your environment.</p> - -<b>It's recommended</b><br> -<p>Configure your http daemon with TLSv1.3 and the following SSL cipher suite: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384.</p> -<p>Make sure your http daemon does not collect ip accesses via module or by commenting out the access logs entirely.<br> +# 🔐 Guida Completa Installazione YAMN Web Interface Sicura + +## 📋 Indice +1. [Prerequisiti](#prerequisiti) +2. [Installazione Tor](#installazione-tor) +3. [Installazione YAMN](#installazione-yamn) +4. [Configurazione File Sicuri](#configurazione-file-sicuri) +5. [Configurazione Nginx](#configurazione-nginx) +6. [Configurazione PHP](#configurazione-php) +7. [Configurazione Cronjob](#configurazione-cronjob) +8. [Test Funzionalità](#test-funzionalità) +9. [Troubleshooting](#troubleshooting) + +--- + +## 1. Prerequisiti + +```bash +# Sistema operativo supportato +- Debian 11/12 o Ubuntu 20.04/22.04/24.04 + +# Software richiesto +apt-get update +apt-get install -y \ + tor \ + torsocks \ + nginx \ + php8.2-fpm \ + php8.2-curl \ + php8.2-sqlite3 \ + php8.2-mbstring \ + sqlite3 \ + curl \ + git +``` + +--- + +## 2. Installazione Tor + +### A. Installare Tor +```bash +apt-get install -y tor torsocks +``` + +### B. Configurare Tor +```bash +# Backup configurazione originale +cp /etc/tor/torrc /etc/tor/torrc.backup + +# Creare nuova configurazione +cat > /etc/tor/torrc << 'EOF' +# SOCKS proxy con stream isolation +SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort +SocksPort 127.0.0.1:9150 IsolateDestAddr IsolateDestPort + +# Control port per gestione circuiti +ControlPort 127.0.0.1:9051 +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 + +# Ottimizzazione circuiti +CircuitBuildTimeout 60 +LearnCircuitBuildTimeout 0 +MaxCircuitDirtiness 600 +NewCircuitPeriod 30 + +# Stream isolation avanzata +IsolateClientAddr 1 +IsolateSOCKSAuth 1 +IsolateClientProtocol 1 + +# Security +SafeLogging 1 +WarnUnsafeSocks 1 + +# Performance +NumEntryGuards 8 +NumDirectoryGuards 3 + +# Opzionale: Escludere nodi exit in certi paesi +# ExcludeExitNodes {us},{gb},{au},{ca},{nz} +# StrictNodes 0 +EOF +``` + +### C. Avviare Tor +```bash +systemctl enable tor +systemctl restart tor +systemctl status tor + +# Verificare che sia in ascolto +netstat -tlnp | grep tor +# Dovresti vedere: +# 127.0.0.1:9050 (SOCKS) +# 127.0.0.1:9051 (Control) +``` + +### D. Testare Tor +```bash +# Test 1: Connessione SOCKS +curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip + +# Dovrebbe mostrare: "IsTor":true + +# Test 2: Con torsocks +torsocks curl https://check.torproject.org/api/ip +``` + +--- + +## 3. Installazione YAMN + +### A. Scaricare e compilare YAMN +```bash +# Creare directory +mkdir -p /opt/yamn-build +cd /opt/yamn-build + +# Scaricare sorgenti +wget https://github.com/crooks/yamn/archive/refs/heads/master.zip +unzip master.zip +cd yamn-master + +# Installare Go se necessario +apt-get install -y golang-go + +# Compilare +go build + +# Copiare binario +mkdir -p /opt/yamn-master +cp yamn /opt/yamn-master/ +chmod +x /opt/yamn-master/yamn + +# Verificare +/opt/yamn-master/yamn --version +``` + +### B. Configurare YAMN +```bash +# Creare configurazione +cat > /opt/yamn-master/yamn.yml << 'EOF' +# YAMN Configuration + +remailer: + name: "your-remailer" # Cambia con il tuo nome + address: "yamn@yourdomain.com" # Cambia con la tua email + +files: + pubring: "pubring.mix" + secring: "secring.mix" + pooldir: "pool" + maildir: "Maildir" + chunkdb: "chunkdb" + +urls: + pubring: "https://echolot.virebent.art/pubring.mix" + stats: "https://echolot.virebent.art/mlist2.txt" + +mail: + outfile: no + sendmail: yes + smtprelay: "localhost:25" + # Se usi autenticazione SMTP: + # smtpusername: "your-user" + # smtppassword: "your-pass" + +stats: + numcopies: 2 + +# Client mode settings +chain: + length: 3 + select: "*,*,*" +EOF + +# Creare directory necessarie +mkdir -p /opt/yamn-master/{pool,Maildir/{cur,new,tmp},chunkdb} +chmod 700 /opt/yamn-master/{pool,Maildir,chunkdb} +``` + +--- + +## 4. Configurazione File Sicuri + +### A. Creare directory sicure +```bash +# Directory per dati sensibili (fuori da web root!) +mkdir -p /opt/yamn-data/{pool,cache,backups} +chmod 700 /opt/yamn-data +chown www-data:www-data /opt/yamn-data -R + +# Directory web +mkdir -p /var/www/yamnweb +cd /var/www/yamnweb +``` + +### B. Copiare file sicuri +```bash +# Copiare i file PHP sicuri che hai ricevuto: +# - downloadRemailers_secure.php +# - tor_extension_secure.php +# - send_secure.php +# - index.php (interfaccia) +# - styles.css + +# Impostare permessi +chown www-data:www-data /var/www/yamnweb -R +chmod 755 /var/www/yamnweb +chmod 644 /var/www/yamnweb/*.php +chmod 644 /var/www/yamnweb/*.css + +# RIMUOVERE file log vecchi se presenti +rm -f /var/www/yamnweb/*.log +rm -f /var/www/yamnweb/*.txt +``` + +### C. Permettere a www-data di usare Tor +```bash +usermod -a -G debian-tor www-data +``` + +--- + +## 5. Configurazione Nginx + +### A. Creare configurazione sito +```bash +cat > /etc/nginx/sites-available/yamnweb << 'EOF' +server { + listen 80; + server_name your-domain.com; # Cambia con il tuo dominio + + # Redirect to HTTPS + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name your-domain.com; # Cambia con il tuo dominio + + # TLS 1.3 only + ssl_protocols TLSv1.3; + ssl_ciphers 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384'; + ssl_prefer_server_ciphers on; + + # SSL certificates (usa Let's Encrypt o certificati esistenti) + ssl_certificate /etc/ssl/certs/your-cert.pem; + ssl_certificate_key /etc/ssl/private/your-key.pem; + + # HSTS + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # NO LOGS - CRITICO! + access_log off; + error_log /dev/null; + + # Security headers + add_header X-Frame-Options "DENY" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline';" always; + add_header Referrer-Policy "no-referrer" always; + add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; + + # Rate limiting + limit_req_zone $binary_remote_addr zone=yamnlimit:10m rate=10r/m; + limit_req zone=yamnlimit burst=5 nodelay; + + root /var/www/yamnweb; + index index.php index.html; + + # PHP processing + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + + # Hide PHP version + fastcgi_hide_header X-Powered-By; + } + + # Block access to sensitive files + location ~ /\.(ht|git|env|log|txt|bak|tmp)$ { + deny all; + } + + # Block access to secure directories + location ~ ^/(pool|cache|backups|opt)/ { + deny all; + } + + # Disable autoindex + autoindex off; +} +EOF + +# Abilitare sito +ln -s /etc/nginx/sites-available/yamnweb /etc/nginx/sites-enabled/ +rm -f /etc/nginx/sites-enabled/default + +# Test configurazione +nginx -t + +# Riavviare Nginx +systemctl restart nginx +``` + +--- + +## 6. Configurazione PHP + +### A. Configurare PHP-FPM +```bash +# Modificare /etc/php/8.2/fpm/php.ini + +cat >> /etc/php/8.2/fpm/php.ini << 'EOF' + +; Security settings +display_errors = Off +display_startup_errors = Off +log_errors = Off +error_log = /dev/null + +; Session security +session.use_cookies = 0 +session.use_trans_sid = 0 +session.cookie_httponly = 1 +session.cookie_secure = 1 +session.cookie_samesite = Strict + +; File uploads +file_uploads = Off +upload_max_filesize = 0M + +; Execution limits +max_execution_time = 300 +memory_limit = 256M + +; Extensions +extension=curl +extension=sqlite3 +extension=mbstring +EOF + +# Riavviare PHP-FPM +systemctl restart php8.2-fpm +``` + +--- + +## 7. Configurazione Cronjob + +### A. Installare script cron +```bash +# Copiare script cron +cp cron_update_remailers.sh /var/www/yamnweb/ +chmod +x /var/www/yamnweb/cron_update_remailers.sh +chown www-data:www-data /var/www/yamnweb/cron_update_remailers.sh + +# Aggiungere a crontab di www-data +crontab -u www-data -e + +# Aggiungere questa riga: +*/6 * * * * /var/www/yamnweb/cron_update_remailers.sh +``` + +### B. Creare log file +```bash +touch /var/log/yamn_cron.log +touch /var/log/yamn_download.log +chown www-data:www-data /var/log/yamn_*.log +chmod 600 /var/log/yamn_*.log +``` + +--- + +## 8. Test Funzionalità + +### A. Test manuale download +```bash +# Eseguire come www-data +sudo -u www-data php /var/www/yamnweb/test_remailer_download.php +``` + +Output atteso: +``` +=== YAMN Secure Downloader Test === + +1. Checking current status... + Tor status: Available + +2. Testing download (this may take 1-3 minutes due to random delays)... + ✅ Download successful! + +3. Verifying downloaded files... + ✅ Stats file OK (XXXX bytes) + ✅ Keyring file OK (XXXX bytes) + Detected approximately XX key entries + +=== Test Complete === +✅ All checks passed! YAMN is ready to use. +``` + +### B. Test invio email +```bash +# Creare messaggio di test +cat > /tmp/test_message.txt << 'EOF' +From: anonymous@anonymous.invalid +To: your-test-email@example.com +Subject: YAMN Test Message + +This is a test message sent through YAMN. +EOF + +# Inviare con yamn +cd /opt/yamn-master +torsocks ./yamn --mail --chain="*,*,*" --copies=1 < /tmp/test_message.txt + +# Controllare pool +ls -la /opt/yamn-master/pool/ +``` + +### C. Test interfaccia web +```bash +# Aprire browser e navigare a: +https://your-domain.com + +# Compilare form e inviare email di test +# Verificare che: +# 1. Form viene validato correttamente +# 2. Email viene aggiunta al pool +# 3. Nessun errore nei log +``` + +--- + +## 9. Troubleshooting + +### Problema: "Tor is not available" +```bash +# Verificare stato Tor +systemctl status tor + +# Verificare porte in ascolto +netstat -tlnp | grep tor + +# Test connessione +curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip + +# Se non funziona, riavviare Tor +systemctl restart tor +``` + +### Problema: "Permission denied" su file +```bash +# Verificare proprietà +ls -la /opt/yamn-data/ +ls -la /opt/yamn-master/ + +# Correggere permessi +chown www-data:www-data /opt/yamn-data -R +chmod 700 /opt/yamn-data +chmod 700 /opt/yamn-master/pool +``` + +### Problema: "Failed to download from all sources" +```bash +# Test manuale connessione +torsocks curl https://echolot.virebent.art/mlist2.txt + +# Verificare proxy Tor +ps aux | grep tor + +# Verificare configurazione PHP cURL +php -i | grep -i curl +``` + +### Problema: YAMN non invia messaggi +```bash +# Verificare configurazione YAMN +cat /opt/yamn-master/yamn.yml + +# Test manuale +cd /opt/yamn-master +echo "Test" | ./yamn --mail --to test@example.com --stdout + +# Verificare pool +ls -la /opt/yamn-master/pool/ + +# Verificare pubring +ls -la /opt/yamn-master/pubring.mix +``` + +### Log utili +```bash +# Log nginx (se abilitati temporaneamente) +tail -f /var/log/nginx/error.log + +# Log PHP +tail -f /var/log/php8.2-fpm.log + +# Log Tor +journalctl -u tor -f + +# Log cron +tail -f /var/log/yamn_cron.log +``` + +--- + +## 🎯 Checklist Finale + +- [ ] Tor installato e funzionante +- [ ] YAMN compilato e configurato +- [ ] Directory sicure create (/opt/yamn-data/) +- [ ] Nginx configurato senza logging +- [ ] PHP configurato correttamente +- [ ] File PHP sicuri installati +- [ ] Cronjob configurato +- [ ] Test download completato con successo +- [ ] Test invio email funzionante +- [ ] Interfaccia web accessibile +- [ ] Nessun file .log in /var/www/yamnweb/ +- [ ] Permessi corretti su tutti i file + +--- + +## 📚 Riferimenti + +- YAMN Documentation: https://mixmin.net/yamn.html +- Tor Project: https://www.torproject.org/ +- Victor Yamn Pinger: https://echolot.virebent.art/ +- YAMN GitHub: https://github.com/crooks/yamn + +--- + +## 🔒 Note di Sicurezza + +**IMPORTANTE:** +1. Disabilitare SEMPRE i log di Nginx +2. Non salvare MAI metadata sensibili +3. Tor SEMPRE obbligatorio per tutti i download e invii +4. Verificare periodicamente che non ci siano file .log in /var/www/ +5. Mantenere aggiornati Tor e YAMN +6. Usare HTTPS con TLS 1.3 +7. Rate limiting sempre attivo + +**Privacy:** +- Nessun log IP +- Nessun timestamp persistente +- Replay protection attivo +- Adaptive padding attivo +- Randomized delays attivi |
