#### Why do we need this technology?
The Internet is full of free services where you are the product: they sell your data, as stated in the terms and conditions page that almost nobody reads. Librerouter operates in exactly the opposite way.
Librerouter is a GNU technology that makes protecting your privacy easy by:
- Filtering viruses, exploits, malware, ads, bad IP sources and bad content.
- Decentralizing the services (making it impossible to apply big data to you).
- Open authentication (dissolving the legal relation between user and name/IP) and dark nets (anonymisation of IP).
- Forcing encryption for all communications and for data storage and data at rest.
- Filtering the data that exposes you, such as scripts, cookies, browser info, etc.
You can get it in two ways:
- a) If you buy a Librerouter.
- b) If your IT staff installs the scripts in a virtual machine that becomes a bridging virtual server.
Thanks to a unique combination of open hardware (yes, really open; paste report from Davidmexico) and open source software (yes, free of binary blobs, so not just open source but paranoid openness according to the Libre Kernel GNU standards).
If you want more information about the software that we picked, check here.
Threats it protects you from:
- Sniffers: those that are checking your traffic.
- Government spy/monitoring institutions' passive actions: passive bots collecting general data worldwide. If they target someone specifically, that is another story.
- Librerouter evil nodes: a box owned by those bad people.
- Malicious Internet nodes: better known as blackbones.
- Your Internet provider (ISP): if they would try anything with your data.
Services:
- Decentralized Backup - I2P + Tahoe-LAFS
- Social Network - Friendica
- Search Engine - YaCy
- Collaborative Document Editing - OwnCloud
- Secure Email - Mailpile
- Chat & Voice Conferencing
- Decentralized Authentication - Hive2Hive
- https://www.cageos.org/index.php?page=apps
- https://github.com/CommunityCube/debian-autoscript/issues
Imagine all the important information you have stored on the hard drive of your computer. You are just one hardware failure away from disaster. After all, when did you do your last backup? Unfortunately, centralized storage solutions such as Dropbox and Google Drive also present a variety of risks:
• Data kidnapping: a real example was Mega (the FBI closed it in 2009).
• Disaster: your external hard disks fail or are stolen (no disaster recovery).
• Privacy: you are at risk of having your data hacked and stolen if it is not encrypted.
The decentralized (I2P) version of the Tahoe-LAFS grid (with protections against Sybil attacks and upload DoS) is a new way to make your data indestructible. A grid splits your files up into little pieces, encrypts them and spreads them out geographically, making it immune to any disaster or service outage.
In our decentralized system your valuable information is encrypted three times:
- Before it even leaves your computer, in the web browser.
- In the collaboration tool, before the data goes to the hard disk.
- When backing up to the grid, the slices are encrypted again.
You can also sync your home Community Cube with all of your portable devices to have the same files and receive the same alerts in real time. If someone steals your cube or for some reason it is destroyed, you can simply buy a replacement COMMUNITY CUBE server and recover your lost data automatically from the grid. In minutes you're up and running again!
COMMUNITY CUBE can act as a unified entry and outgoing point for all of your posts across social networks, as well as a filter for what is important to you. For example, do you hate cat videos? (Really? Can I get you some help?) You can use Community Cube to filter them out when it automatically imports posts from Facebook, Twitter and Pinterest! You control your incoming and outgoing posts, and push your posts from a single place to everywhere with no need to open each social network in a separate tab. We aren't asking you to give up on social media. Instead we offer you a way to be in the captain's chair.
Chat & voice conferencing: a) with federated XMPP servers for authentication, also well suited to discovering users outside the Community Cube network, with security from the normal web; b) unauthenticated and decentralized web-browser video conferencing through anonymous links, to create fast video conference rooms without third parties or middlemen involved.
- https://www.gitbook.com/book/bananapi/bpi-r1/details
- https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME2/open-source-hardware
- https://www.element14.com/community/community/designcenter/sama5d3xplained/blog/2014/04/25/debian-on-the-sama5d3-xplained
- https://eewiki.net/display/linuxonarm/ATSAMA5D3+Xplained
This is still under discussion, but the idea is to offer a solution that can be deployed on a public distribution with your own hardware. As standalone devices we have these models:
- Librerouter has two presentations. Each comes with four network interfaces, configured as follows: 2 wireless and 2 Gigabit Ethernet.
Banana bpir1 | OLinuXIno-LIME2 | ATSAMA5D3Xplained |
---|---|---|
ssd 8gbc10 | ssd 8gbc10 | ssd 8gbc10 |
1xUSB2ETH+1xonboard | 1xUSB2ETH+1xonboard | 1xUSB2ETH+1xonboard |
HDD 1TB | HDD 1TB | HDD 1TB |
2xWLAN 1watt | 2xWLAN 1watt | 2xWLAN 1watt |
Battery UPS | Battery UPS | Battery UPS |
Adapt-POE-volt | Adapt-POE-volt | Adapt-POE-volt |
usbto-Ledsblinkstick.com | usbto-Ledsblinkstick.com | usbto-Ledsblinkstick.com |
CASE | CASE | CASE |
RoboPeak RUSB or Waveshare | RoboPeak RUSB or Waveshare | RoboPeak RUSB or Waveshare |
There are 2 ways to join the CommunityLibrerouter network:
2. Set up the CommunityLibrerouter software on ARM: Debian or a cross-compiled librekernel distro.
The following list includes some of the features that have been added and modified in the Linux kernel (core):
• Anti-exploitation modules, highly tuned for resistance to attacks on the OS.
• Anti-forensic capabilities in the case of seizure by law enforcement.
• Cryptographically enhanced modules for file, memory and access modes. Boot and full-disk encryption, with the cold boot attack patched.
• Isolation: each service runs in an isolated environment, to prevent security bugs from affecting the rest of the system and services.
• Optimization: proper service configuration helps to avoid possible attack vectors from unused libraries.
• Backward compatible: new security standards can still receive, read, view or play older standards or formats.
Step 1: Checking requirements. Your physical/virtual machine needs to meet the minimum requirements:
- 2 network interfaces
- 1 GB of RAM
- 16 GB of SD or micro SD, or a virtual boot disk
- SATA hard disk, or a separate second physical or virtual disk
The way networking works in Librerouter will be:
2 bridges, with two interfaces each:
- 1st bridge acts as WAN
- 2nd bridge acts as LAN
So we actually have 4 possible physical scenarios:
- WAN is WiFi, LAN is WiFi
- WAN is WiFi, LAN is cabled Ethernet
- WAN is cabled Ethernet, LAN is WiFi
- WAN is cabled Ethernet, LAN is cabled Ethernet
Step 2: Set up the network. In this step you need to connect one interface of your machine to the Internet, and the other one to the local network device. Networking in Librerouter has two ways to work:
- a) Server mode: one unique fixed IP on the LAN or bridge (it can be WLAN or cabled Ethernet) connected to the existing Internet router's LAN. Server mode uses a single LAN interface and does not redirect domains or treat the traffic, so it is not able to defend against web-browsing leaks and malware.
- b) Bridge mode: the traffic is filtered by DNS, by the Squid proxy (with ClamAV and SSL bumping) and by Suricata. DNS is also redirected via Tor, with DNSSEC.
Step 3: Executing scripts. In this step you need to download and execute the following scripts on your machine in the given order.
The first script, test.sh, works as follows:
Step 1. Checking user. The script should be run by the root user; if it is run by another user it will warn and exit.
Step 2. Checking platform. All the software is intended to run on Debian 7/8 or Ubuntu 12.04/14.04, so if the script finds another platform it will output an error and exit.
Step 3. Checking hardware. As the software can be installed either on an odroid or on a physical/virtual machine, in this step we need to determine the hardware. If the script runs on an odroid it should find Processor = ARM and Hardware = XU3, XU4, C1+ or C2. If it runs on a physical/virtual machine it should find Processor = Intel. After determining the hardware type we can determine the next step.
If the hardware is a physical/virtual machine:
Step 4. Checking requirements. There is a list of minimum requirements that the physical/virtual machine needs to meet: 2 network interfaces (ethernet or wlan), 1 GB of physical memory and 16 GB of free disk space. If the machine meets the requirements the script goes to the next step, otherwise it will warn and exit.
Step 5. Getting a DHCP client on the interfaces. In this step the script first sends a DHCP request from eth1 to get an IP address. If that succeeds, it checks for an Internet connection, and if the Internet connection is established this step is done successfully. In any case of failure (no DHCP response, or no Internet connection) the script tries the same scenario on the next interface. The order to try is eth1, wlan1, eth0, wlan0 (the list of available interfaces comes from step 4). If no interface succeeds, the script warns the user to plug the machine into the Internet and exits.
Step 6. Preparing repositories and updating sources. In this step the script adds repository links for the necessary packages to the package manager sources and updates them. The script will output an error and exit if it is not possible to add the repositories or update the sources.
Step 7. Downloading and installing packages. As the repository sources were already updated in step 6, at this point the script downloads and installs the packages using the package manager tools. If something goes wrong during download or installation, the script will output an error and exit. If step 7 finishes successfully then the test.sh execution for the physical/virtual machine is finished successfully and it's time to run the next script, "app-installation-script.sh".
If the hardware is an odroid board:
Step 4. Check if the board is assembled. There is a list of modules that need to be connected to the odroid board, so the script checks that those modules are connected. You can find information about the necessary modules here. If any module is missing the user will get a warning and the script will exit.
Step 5. Configuring bridge interfaces. In this step the script configures 2 bridge interfaces, br0 and br1: eth0 and wlan0 are bridged into interface br0, and eth1 and wlan1 are bridged into interface br1. In an Ethernet network, br0 should be connected to the Internet and br1 to the local network. In a wireless network, the bridge interface with the more powerful WLAN is connected to the Internet and the other one to the local network. After configuring the bridge interfaces the script enables a DHCP client on the external network interface, sets the static IP address 10.0.0.1/8 on the internal network interface, and then checks the Internet connection. If everything goes fine it proceeds to the next step, otherwise it warns the user to plug the machine into the Internet and exits.
Step 6. Preparing repositories and updating sources. The same as in the physical/virtual machine case.
Step 7. Downloading and installing packages. The same as in the physical/virtual machine case. If step 7 finishes successfully then the test.sh execution for the odroid board is finished successfully and it's time to run the next script, "app-installation-script.sh".
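The pre-flight checks of steps 1 to 5 above, written as small POSIX sh functions. This is an added example and not the project's test.sh: every check takes its input as an argument or on stdin (the uid, the distribution id and version, the text of /proc/cpuinfo, the counted resources) so it can be exercised offline; the two /proc/cpuinfo excerpts are constructed for the demo, and the "Hardware" line values and supported platform strings are the ones the page lists.

```shell
#!/bin/sh
# Added example (not the project's test.sh): the pre-flight checks of steps
# 1-5 as functions that take their input as arguments, so they run offline.

# Constructed sample /proc/cpuinfo excerpts (not captured from real boards).
SAMPLE_ODROID_CPUINFO='processor       : 0
model name      : ARMv7 Processor rev 3 (v7l)
Hardware        : ODROID-XU4'
SAMPLE_PC_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
model name      : Intel(R) Core(TM) i5'

# Step 1: the script must run as root. $1 is the numeric uid (id -u).
check_user() {
    if [ "$1" -ne 0 ]; then
        echo "This script must be run as root" >&2
        return 1
    fi
    return 0
}

# Step 2: supported platforms are Debian 7/8 and Ubuntu 12.04/14.04.
# $1 is the distribution ID, $2 the version (as found in /etc/os-release).
check_platform() {
    case "$1:$2" in
        debian:7|debian:8|ubuntu:12.04|ubuntu:14.04) return 0 ;;
        *) echo "Unsupported platform: $1 $2" >&2; return 1 ;;
    esac
}

# Step 3: classify hardware from /proc/cpuinfo text given on stdin.
# Prints "odroid" for an ARM board whose Hardware line is XU3/XU4/C1+/C2,
# "pc" for an Intel processor, and fails for anything else.
detect_hardware() {
    cpuinfo=$(cat)
    if printf '%s\n' "$cpuinfo" | grep -qi 'Intel'; then
        echo pc
        return 0
    fi
    hw=$(printf '%s\n' "$cpuinfo" | sed -n 's/^Hardware[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$hw" in
        *XU3*|*XU4*|*C1+*|*C2*) echo odroid; return 0 ;;
    esac
    echo "Unknown hardware: ${hw:-no Hardware line}" >&2
    return 1
}

# Step 4 (physical/virtual machine only): at least 2 NICs, 1 GB RAM, 16 GB free.
# $1 = number of ethernet/wlan interfaces, $2 = RAM in MB, $3 = free disk in GB.
# Every failing requirement is reported before the function gives up.
check_requirements() {
    ok=0
    [ "$1" -ge 2 ]    || { echo "Need 2 network interfaces, found $1" >&2; ok=1; }
    [ "$2" -ge 1024 ] || { echo "Need 1 GB of RAM, found ${2} MB" >&2; ok=1; }
    [ "$3" -ge 16 ]   || { echo "Need 16 GB of free disk, found ${3} GB" >&2; ok=1; }
    return $ok
}

# Step 5: the interface order in which DHCP is attempted, as the page states.
dhcp_try_order() {
    echo "eth1 wlan1 eth0 wlan0"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_ODROID_CPUINFO" | detect_hardware
printf '%s\n' "$SAMPLE_PC_CPUINFO" | detect_hardware
check_requirements 2 1024 16 && echo "requirements ok"
```

On a real machine the callers would feed `id -u`, the `ID`/`VERSION_ID` pair from /etc/os-release and `cat /proc/cpuinfo` into these functions; keeping the checks pure makes the failure paths (wrong platform, unknown board, one NIC) testable without the hardware.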
DNS Resolution
CommunityCube needs a powerful DNS resolver to provide transparent browsing for the user.
DNS requests are processed in this way:
- Regular web pages (e.g. www.meneame.net) are resolved by DjDNS. If decentralized DNS cannot resolve a name, the request is routed to Tor DNS.
- Onion domains are resolved to an IP inside the range 10.192.0.0/16.
- I2P domains are always resolved to 10.191.0.1.
- Locally defined domains are forwarded to 10.0.0.1.
- Service replacements (e.g. google.com is replaced by our internal YaCy service) resolve to a local IP 10.0.0.25x.
Request Flow
If it is a request for a local service (10.0.0.25x), it is forwarded to the local Nginx server.
Otherwise, the rest of the requests are processed following the next steps.
Connection Flow 1: IP Blocking
All requests should be filtered by some rules.
The first rule is a list of known advertising IPs, blocked without asking.
We integrated known IP lists from Shallalist, mesdk12 and urlblacklist to avoid connections to IPs that can be used to track you.
These IPs are usually used to show you ads and to profile you.
So access to these IPs is completely restricted, to guarantee privacy and avoid any profiling.
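What "blocked without asking" looks like on the box, as an added example rather than the project's own firewall script: the list is normalised (comments, blank lines, malformed and duplicate entries are the realities of the published lists the page names) and turned into an ipset plus the iptables rules that reject matching traffic from the LAN. Everything goes to stdout so it can be reviewed before loading. The sample list is constructed; the set name `adblock`, the LAN network 10.0.0.0/24 and the LAN bridge `br1` are assumptions.

```shell
#!/bin/sh
# Added example, not the project's firewall script: turn a blocklist in the
# one-address-per-line format into an ipset + iptables ruleset on stdout.

# Constructed sample list: comment, blank line, a malformed entry, an
# out-of-range prefix and a duplicate are included on purpose.
SAMPLE_BLOCKLIST='# tracking / advertising hosts (constructed sample)
192.0.2.10
192.0.2.0/24
198.51.100.7

not-an-ip
192.0.2.10
203.0.113.0/33
'

# Accept only dotted-quad IPv4 addresses with an optional /0-32 prefix.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 { if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }
        { exit 0 }'
}

# Normalise a list: strip comments and whitespace, drop blank lines, report
# invalid entries on stderr, de-duplicate. Input on stdin, clean entries out.
clean_blocklist() {
    sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' | sort -u | while IFS= read -r entry; do
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
}

# Emit an ipset restore script followed by the iptables rules that use it.
# LAN clients get an ICMP admin-prohibited reject so browsers fail fast
# instead of hanging; hits are logged at a rate limit for later review.
emit_ruleset() {
    setname="$1"
    echo "create $setname hash:net family inet -exist"
    clean_blocklist | while IFS= read -r entry; do
        echo "add $setname $entry -exist"
    done
    cat <<EOF
# --- iptables rules (assumed LAN 10.0.0.0/24 on br1) ---
iptables -N ADBLOCK
iptables -A ADBLOCK -m limit --limit 5/min -j LOG --log-prefix "adblock: "
iptables -A ADBLOCK -p tcp -j REJECT --reject-with icmp-admin-prohibited
iptables -A ADBLOCK -j DROP
iptables -I FORWARD -i br1 -s 10.0.0.0/24 -m set --match-set $setname dst -j ADBLOCK
EOF
}

# Number of entries that survive cleaning (used by the demo and the test).
count_clean_entries() {
    printf '%s\n' "$SAMPLE_BLOCKLIST" | clean_blocklist 2>/dev/null | wc -l | tr -d ' '
}

# Demo on the constructed list.
printf '%s\n' "$SAMPLE_BLOCKLIST" | emit_ruleset adblock
echo "# $(count_clean_entries) entries loaded"
```

The ipset part can be fed to `ipset restore` and the rule lines applied as printed; using a set rather than one iptables rule per address keeps lookups O(1) however long the lists get, and rejecting instead of silently dropping is what keeps pages that embed a blocked tracker from stalling.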
Connection Flow 2: Content Manager
To enforce security by default, all requests to unknown sites will be blocked. A list of corporations, governmental websites and any kind of unclassified website will also be blocked.
In the content manager, if an HTTP/HTTPS request is detected, a page will be shown in the browser stating the reason why this IP/website is blocked.
Here's a list of possible reasons:
- Malicious
- Suspicious
- Corporation
- Governmental
- Data leakers
- The rest is classified as Unknown.
The selection will be remembered so as not to annoy the user.
Connection Flow 3: Squid Open SSL Tunnel
When the user is using an HTTPS connection to a darknet domain, this traffic is considered insecure.
On darknet domains, Squid will open the SSL tunnel and inspect it for possible exploits, viruses and attacks against the user.
If the connection is to a regular HTTPS domain, the SSL tunnel will be neither opened nor inspected. It will be routed directly to the Internet (e.g. https://yourbank.com).
Connection Flow 4: Squid Content Filtering, Virus & Anonymous HTTP Headers
Content filtering will be done if it is an opened HTTPS SSL tunnel or a regular HTTP request.
Squid will mainly do two things with it:
- With the c-icap/ClamAV plugin, filter all possible viruses.
- Remove from the HTTP headers everything that could identify you.
Connection Flow 5: IPS & Exploits: Suricata
If the traffic is an opened HTTPS SSL tunnel (only on darknet domains) or a regular HTTP request, then Suricata will inspect the traffic too.
Suricata will be configured with rules to avoid, mainly, browser exploits (usual in darknets, to take control of the browser).
It loads the VRT ruleset from Snort and rules from other IPS.
Connection Flow 6: Connection to Outside
If the connection passes all blocks and Connection Flow filters, then the request can reach the Internet. Otherwise it will be blocked. It will reach the outside in this way:
- I2P domains/eepsites (e.g. i2p2.i2p) will be redirected to I2P.
- Regular SSL domains (e.g. https://yourbank.com) will reach the Internet directly (remember: no regular connections unless you allow them).
- Hidden services (e.g. asdf1234.onion) will go through Tor.
- HTTP (e.g. http://news.com) will go through Tor to the Internet site.
Access from outside model (Bypass Router / Closed Ports)
To give access to files from outside the CommunityCube network, we will use Tor.
Use the regular Tor Browser to bypass the internal network firewall.
So each service running in CommunityCube will have a hidden service domain, and optionally an eepsite (I2P hidden service).
In a second integration step we can create our Agent.
Our Agent is a modified Tor Browser version with:
- I2P
- FoxyProxy configured, ready to browse the CommunityCube network and darknets.
- Blocking of regular Internet content loaded over a Tor/I2P domain (prevents easy image tracking).
Security plugins such as:
- Stop fingerprinting
- Privacy Badger
- TrackMeNot
- Fireclam
- Mailvelope
There's a first version of the Agent for Linux 32-bit. Java needs to be installed:
https://cloud.comunitycube.com:8083/public.php?service=files&t=6eacefffe8443befe42af8114988c474
There's a first version of the Agent for Windows 32-bit. It doesn't have I2P network connection:
https://cloud.comunitycube.com:8083/public.php?service=files&t=8d6e823f6d24dd12605084084299e0fb
For a stable Agent stage, we should fork FoxyProxy to improve security by removing the external API exposed to each website, or use another plugin.
This Agent will exist for every platform: Windows 32 & 64, Mac OS X universal, Linux 32 & 64, Android, Windows Phone, Firefox OS and iOS.
ARP Firewall
CageOS will integrate an ARP firewall to add another security layer on incoming and outgoing connections, working at another layer of the OSI model.
It is analogous to iptables, but operates at the MAC (ARP) layer rather than the IP layer.
Step 1. Get an A20-OLinuXIno-LIME2 and assemble it.
There are several separate modules that need to be connected to the A20-OLinuXIno-LIME2.
Step 2. Executing scripts.
In this step you need to download and execute the following scripts on your machine in the given order.
- app-installation-script.sh
- app-configuration-script.sh
1. app-installation-script.sh (Initialization script)
Script workflow
- Check User
  - You need to run the script as the root user
- Check Platform
  - Platform should be Debian 7/8, Ubuntu 12.04/14.04 or Trisquel 7.0
- Check Hardware
  - If you are running this script on an odroid it should detect an ARM processor; on a physical/virtual machine it should detect an Intel processor
- Check Requirements (only for physical/virtual machine)
  - The machine should match the requirements mentioned above
- Check Internet
  - Check the Internet connection
- Check If Assembled (only for LibreRouter)
  - All necessary modules should be connected to the odroid board
- Configure Bridge Interfaces (only for LibreRouter)
  - eth0 and wlan0 will be bridged into interface br0
  - eth1 and wlan1 will be bridged into interface br1
  - In an Ethernet network, br0 should be connected to the Internet and br1 to the local network
  - In a wireless network, the bridge interface with the more powerful WLAN will be connected to the Internet and the other one to the local network
- Prepare repositories
  - Update repositories for the necessary packages
- Download packages
  - Download the necessary packages
- Install packages
  - Install the necessary packages
You can find the initialization workflow here
2. app-configuration-script.sh (Parametrization script)
It aims to configure all the packages and services.
- Check User
  - You need to run the script as the root user
- Get variables
  - Get the variable values defined by app-installation-script.sh
- Configure network interfaces
  - The external interface will be configured to get its IP dynamically
  - The internal interface will be configured with the static IP address 10.0.0.1/24. There are also 4 virtual interfaces:
    - :1 10.0.0.251/24 for YaCy services
    - :2 10.0.0.252/24 for Friendica services
    - :3 10.0.0.253/24 for OwnCloud services
    - :4 10.0.0.254/24 for Mailpile services
- Configure DNS resolution
  - Unbound DNS will be configured to listen on 10.0.0.1:53
  - Tor DNS will be configured to listen on 10.0.0.1:9053
  - DjDNS will be configured to listen on 10.0.0.1:8053
  - Search engines will be resolved to IP address 10.0.0.251 (YaCy) by Unbound
  - Social networks will be resolved to IP address 10.0.0.252 (Friendica) by Unbound
  - Storage services will be resolved to IP address 10.0.0.253 (OwnCloud) by Unbound
  - Webmails will be resolved to IP address 10.0.0.254 (Mailpile) by Unbound
  - .local will be resolved to a local IP address (10.0.0.0/24 network) by Unbound
  - .i2p will be resolved to IP address 10.191.0.1 by Unbound
  - .onion: Unbound will forward this zone to Tor DNS running on 10.0.0.1:9053
  - Any other domain name will be resolved by DjDNS with DNSSEC validation
Please see the left part of the workflow image.
- Configure Reverse proxy
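The DNS layout from the "DNS Resolution" section and from the "Configure DNS resolution" step above, rendered as the unbound.conf fragment the configuration script would have to write, plus a small function that reports which resolver a given name reaches. This is an added example, not the project's app-configuration-script.sh. The listen address, the 10.0.0.25x service addresses, 10.191.0.1 for .i2p and the 9053/8053 ports are the page's own; the list of which domains are replaced by which service is constructed for the demo, since the page does not enumerate them.

```shell
#!/bin/sh
# Added example (not the project's configuration script): render the Unbound
# configuration implied by the DNS resolution design, and classify names.

# Constructed replacement list: "domain address" pairs, one per line. The
# domains are assumptions; the addresses are the page's service IPs.
SERVICE_REPLACEMENTS='google.com 10.0.0.251
duckduckgo.com 10.0.0.251
facebook.com 10.0.0.252
twitter.com 10.0.0.252
dropbox.com 10.0.0.253
gmail.com 10.0.0.254'

# One local-zone per replaced domain. "redirect" answers every name under
# the domain (www.google.com, mail.google.com, ...) with the service address,
# which is what a transparent replacement needs.
render_service_zones() {
    printf '%s\n' "$SERVICE_REPLACEMENTS" | while read -r domain addr; do
        [ -n "$domain" ] || continue
        printf 'local-zone: "%s." redirect\n' "$domain"
        printf 'local-data: "%s. A %s"\n' "$domain" "$addr"
    done
}

# Full unbound.conf fragment on stdout.
render_unbound_conf() {
    cat <<'EOF'
server:
    interface: 10.0.0.1
    port: 53
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # DNSSEC validation for names that go out through the DjDNS forwarder.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Darknet answers live in 10/8; allow them only for these zones so that
    # rebinding protection still discards private addresses from public names.
    private-address: 10.0.0.0/8
    private-domain: "onion"
    private-domain: "i2p"
    private-domain: "local"
    # .local hosts are served from local-data entries added per host.
    local-zone: "local." static
    # Every *.i2p name maps to the I2P proxy address.
    local-zone: "i2p." redirect
    local-data: "i2p. A 10.191.0.1"
EOF
    render_service_zones | sed 's/^/    /'
    cat <<'EOF'
forward-zone:
    name: "onion."
    forward-addr: 10.0.0.1@9053
forward-zone:
    name: "."
    forward-addr: 10.0.0.1@8053
EOF
}

# Report which resolver a name reaches, with the precedence the page implies:
# service replacement > .local > .i2p > .onion (Tor DNS) > everything else (DjDNS).
resolver_for() {
    name="$1"
    addr=$(printf '%s\n' "$SERVICE_REPLACEMENTS" | awk -v n="$name" '
        { if (n == $1 || substr(n, length(n) - length($1)) == "." $1) { print $2; exit } }')
    if [ -n "$addr" ]; then echo "service $addr"; return 0; fi
    case "$name" in
        *.local|local) echo "local" ;;
        *.i2p|i2p)     echo "i2p 10.191.0.1" ;;
        *.onion|onion) echo "tor 10.0.0.1@9053" ;;
        *)             echo "djdns 10.0.0.1@8053" ;;
    esac
}

# Demo.
render_unbound_conf
resolver_for mail.google.com
resolver_for example.onion
```

The `private-domain` lines are the part most easily forgotten: without them Unbound's rebinding protection would strip the 10.192.0.0/16 answers that Tor DNS returns for .onion names, and the transparent routing described in the Connection Flow sections would silently break.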
You can check out the full license here
This project is licensed under the terms of the GNU GPL V2 license.
Setup wizard (pending in the project; still to be developed)
This wizard should ask the customer the following:
- a) Do you want to protect your privacy, or just use the Librerouter services? If yes, then mode = bridge; if not, then mode = server.
- b) Mode Transparent Firewall Bridge:
Let's configure the Internet access (WAN). Do you want to connect your Librerouter to your Internet router via cable or WLAN?
- If WLAN: please specify your Internet router SSID; please specify your encryption method, WPA or WPA2 (WEP not allowed, no encryption not allowed); please specify your SSID password. The daemon should check that the connection comes up; if not, specify the error conditions.
- If cable and DHCP: please specify whether you would use a fixed IP or a DHCP client. If DHCP, then set up the DHCP client on the interface and try to receive an IP. The daemon should check that the connection comes up; if not, specify the error conditions.
- If cable and fixed IP address: please provide the IP address, the default gateway and the DNS server. Try ping against those IPs; if correct, finish. The daemon should check that the connections answer; if not, specify the error conditions.
Let's configure the internal access (LAN intranet). Do you want to set up your internal protected network via cable or WLAN?
- If WLAN: please specify your new internal WLAN name (SSID); please specify your SSID WPA2 CCMP password. The daemon should check that the connection comes up; if not, specify the error conditions. The IP address is forced to 10.0.0.1 (if the user wants another one, they have to hack the box).
- If cable: please be aware we use this internal range: 10.0.0.100 to 200, gateway 10.0.0.1 and DNS. Please plug in a cable. Detecting link... Link up. Now you're connected.
- c) Mode Server: only the WAN external bridge will be used, and all WLAN and ETH (all 4 interfaces) will be in the same bridge NIC logical interface. Do you want to use a cable, or do you want CCube to connect to your router or switch? The WLAN, cable/DHCP and cable/fixed-IP questions are the same as for the WAN configuration in b).
Mode 2: do you want to use a cable, or do you want Librerouter to connect to your router or switch? The WLAN, cable/DHCP and cable/fixed-IP questions are the same as for the WAN configuration above.
Kernel & Forensics Threat | CageOS Protection |
---|---|
Several exploits | GrSecurity |
Memory-based protection schemes | PaX |
Mandatory access control scheme | SELinux |
Cold boot attack | TRESOR |
Potentially hostile/injected code from non-code-containing memory pages | KERNEXEC |

System Threat | CageOS Protection |
---|---|
Toolchain compilation (fortify) | libc patches |
MAC spoof | MAC address randomizer |
Hardware serial number identification | HDD/RAM serial number changer |
Vulnerable bootloader | Bootloader password protection |
Vulnerable to boot partition modifications | /boot partition read-only; needs to change only on kernel upgrades |
Direct SSH root login | Disable SSH root login |
Physical reboot | Disable Ctrl+Alt+Del in inittab & /etc/acpi/powerbtn-acpi-support.sh |
Brute-force attack on services | Fail2Ban |
ICMP flood | iptables does not answer ICMP requests |
Network accepts connections on all ports | iptables DROP policy by default |
Virus infection on other OSes on the network | ClamAV |
Intrusion detection system | Suricata |
Hidden software exploits | RKHunter |
Software security holes | Debian security repositories |
Untrusted cron jobs | Block cron jobs for everybody in cron.deny |
Binaries with root permission | Disable unwanted SUID/SGID binaries |
Insecure network programs | Block rlogin, telnet, tftp, ftp, rsh, rexec |
IP spoof | sysctl hardening configuration |
IP spoof (darknet) | Preconfigured Tor extra security: SocksPort 9050 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr |
DNS leak protection | Usage of OpenNIC |
Hidden code in apps | Verifiable builds |
Taking advantage of already logged-in sessions | Bash usage of VLOCK and/or TMOUT to protect your bash login |
Direct access to HDD data | Full-disk LUKS encryption |
Exploits of shared resources & hardware | Docker |
Old, weak SSH protocol | Only SSH protocol v2 allowed |
Computer theft | Secured & encrypted backup on the decentralized storage grid |
Rootkit | Use open source & RKHunter |
Software backdoor | Use open source |
Hardware backdoor | Use open hardware |
Packet sniffing | Using HTTPS Everywhere |

Security | CageOS Protection |
---|---|
Responsible for building Tor circuits | Tor client running on CommunityCube |
Exploit Quantum protection | Yes, Suricata |
Intrusion prevention system | Yes |
Browser exploit protection | Yes |
Protection against IP/location discovery | Yes & Agent |
Workstation does not have to trust gateway | No |
IP/DNS protocol leak protection | Only if you configure it manually |

Updates | CageOS Protection |
---|---|
Operating system updates | Persist once updated |
Update notifications | Yes, on LED and TFT display |
Important news notifications | Yes, on LED and TFT display |
Decentralized system updates | Using APT P2P |

Fingerprint | CageOS Protection |
---|---|
Network/web fingerprint | Maximum possible protection with Agent (PC: Windows/Linux/Mac; mobile: Android/iOS) |
Clearnet traffic | Routing model is described in the Network page |
Surf the deep web with a regular browser | Yes, but not recommended |
Randomized update notifications | Yes |
Privacy-enhanced browser | Yes, Tor Browser with patches |
Hides your time zone (set to UTC) | Yes |
Secure gpg.conf | Yes |
Enable secure SSH access | Yes, through physical TFT with external network disconnected |
Auto-disable logins | Logins are only possible in configuration mode, activated through physical TFT with external network disconnected |
Internet of Things protection | Yes, described in the Network page |

Misc | CageOS Protection |
---|---|
Anonymous HTTP headers | Yes |
Big clock-skew attack against NTP | Tot blocked |
VPN support | Configurable through TFT |
Ad-blocking tracking protection | Yes |
Root password configuration | Yes, mandatory on first boot and later in the TFT configuration panel |
WiFi password configuration | Yes, mandatory on first boot and later in the TFT configuration panel |
Internal WiFi device without password or with WEP encryption | No |