Tor
Installation
If we don't want to install a binary package, we can compile Tor from source instead. Install the prerequisites:
sudo apt-get install automake libevent-dev zlib1g-dev libssl-dev docbook-xsl docbook-xml libxml2-utils xsltproc asciidoc # Debian, Ubuntu
sudo yum install automake libevent-devel openssl-devel zlib-devel # RPM-based distributions
Check out and build the source:
git clone https://git.torproject.org/git/tor tor-git
cd tor-git
./autogen.sh
./configure --prefix=/opt/tor --enable-gcc-warnings --enable-gcc-hardening --enable-linker-hardening --enable-systemd --disable-asciidoc --disable-html-manual
make
sudo make install
Notes:
- "--enable-linker-hardening" only works if the architecture supports it.[1]
- "--enable-gcc-warnings" might fail with newer OpenSSL versions;[2] try "--enable-gcc-warnings-advisory" instead.
Set up the tor user and its directories:
sudo useradd --home-dir /var/lib/tor --system --shell /usr/sbin/nologin --user-group tor
sudo mkdir --mode=0700 --parents /var/{lib,log}/tor
sudo chown tor:tor /var/{lib,log}/tor
Configuration
Relay
A relay is a listed (public) entry relay; with the ExitPolicy below it never carries exit traffic.
$ cat torrc
ORPort 9001
BridgeRelay 0
ExitPolicy reject *:*
Nickname alice
ContactInfo Alice alice@example.com
RunAsDaemon 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
RelayBandwidthRate 100 KBytes # Throttle traffic
RelayBandwidthBurst 250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes
AccountingMax 50 GBytes
AccountingStart week 1 00:00
Bridge relay
A bridge relay is an unlisted entry relay that replaces the first hop. Bridges are not published in the public relay list; clients obtain them through a separate distribution mechanism.
$ cat torrc
ORPort 9001
BridgeRelay 1
ExitPolicy reject *:*
Nickname alice
ContactInfo Alice alice@example.com
RunAsDaemon 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
RelayBandwidthRate 100 KBytes # Throttle traffic
RelayBandwidthBurst 250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes
AccountingMax 50 GBytes
AccountingStart week 1 00:00
obfsproxy may be useful so that censored clients can still reach Tor. Install obfsproxy and add the following lines to torrc:
ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ServerTransportListenAddr obfs2 0.0.0.0:20001
ServerTransportListenAddr obfs3 0.0.0.0:30001
The ServerTransportListenAddr directive is optional, but static port numbers are useful because those ports have to be opened (or port-forwarded) at the firewall.
Exit node
An exit node is the last hop in the onion network. These nodes might be blocked by certain services and sometimes have to deal with legal issues too.
$ cat torrc
ORPort 9001
BridgeRelay 0
# ExitPolicy reject *:*
Nickname alice
ContactInfo Alice alice@example.com
RunAsDaemon 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
RelayBandwidthRate 100 KBytes # Throttle traffic
RelayBandwidthBurst 250 KBytes # But allow bursts
MaxAdvertisedBandwidth 100 KBytes
AccountingMax 50 GBytes
AccountingStart week 1 00:00
Notes:
- The default ExitPolicy is documented in tor(1); a reduced ExitPolicy may be advisable, though.
SOCKS-Proxy
Add the following Socks* options to run a SOCKS server that SOCKS-enabled clients (e.g. HTTP proxies) can connect to:
SocksListenAddress 127.0.0.1:9050
SocksPolicy accept 10.0.0.0/24
SocksPolicy accept 127.0.0.1
SocksPolicy reject *:*
Add the following to the Privoxy config:
forward-socks5 / 127.0.0.1:9050 .
Or, for Polipo:
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5
Statistics
Add the following to allow Munin plugins to connect to tor and gather statistics:[3]
ControlPort 9051
ControlListenAddress 127.0.0.1:9051
HashedControlPassword 16:D10B09C3D2D1F7E3603C6D86EA782D51300FCD5E2CA2552D6A08BE57AA
The password is generated with:
$ tor --hash-password s3cr3tp4ssw0rd
16:D10B09C3D2D1F7E3603C6D86EA782D51300FCD5E2CA2552D6A08BE57AA
Alternatively, one can use a CookieAuthFile[4] instead of a password:
CookieAuthentication 1
CookieAuthFile /var/lib/tor/control_auth_cookie
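The HashedControlPassword value above is an OpenPGP-style iterated, salted S2K string: "16:" followed by an 8-byte salt, the iteration indicator byte (0x60, i.e. 65536 bytes fed to SHA-1) and the 20-byte SHA-1 result. The following added example (not code from the Tor project) parses such a string, regenerates one the way tor --hash-password does, and checks a candidate password against a stored hash with a constant-time comparison; the fixed salt used below is a constructed value for reproducibility.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

S2K_PREFIX = "16:"
EXPBIAS = 6          # bias used by the RFC 2440 iterated S2K count formula
TOR_INDICATOR = 0x60  # indicator byte tor emits; decodes to 65536 bytes hashed


def s2k_count(indicator: int) -> int:
    """Iteration indicator byte -> number of bytes to feed into SHA-1."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + EXPBIAS)


def s2k_sha1(secret: bytes, salt: bytes, indicator: int) -> bytes:
    """Repeatedly hash salt+secret until `count` bytes have been consumed."""
    count = s2k_count(indicator)
    block = salt + secret
    d = hashlib.sha1()
    while count > 0:
        chunk = block if count > len(block) else block[:count]
        d.update(chunk)
        count -= len(chunk)
    return d.digest()


def parse_hashed_control_password(value: str) -> Tuple[bytes, int, bytes]:
    """Split '16:<16 hex salt><2 hex indicator><40 hex sha1>' into its parts."""
    if not value.startswith(S2K_PREFIX) or len(value) != 3 + 16 + 2 + 40:
        raise ValueError("malformed HashedControlPassword")
    body = value[3:]
    return bytes.fromhex(body[:16]), int(body[16:18], 16), bytes.fromhex(body[18:])


def make_hashed_control_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the same format as `tor --hash-password` (random salt by default)."""
    salt = os.urandom(8) if salt is None else salt
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    digest = s2k_sha1(password.encode(), salt, TOR_INDICATOR)
    return S2K_PREFIX + (salt.hex() + f"{TOR_INDICATOR:02x}" + digest.hex()).upper()


def check_control_password(stored: str, candidate: str) -> bool:
    """True if `candidate` reproduces the digest in `stored` (constant-time compare)."""
    salt, indicator, digest = parse_hashed_control_password(stored)
    return hmac.compare_digest(s2k_sha1(candidate.encode(), salt, indicator), digest)
```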
Hardening
Some hardening options[5] to consider when running under systemd:
[Service]
LimitNOFILE = 32768
MemoryDenyWriteExecute = yes
NoNewPrivileges = yes
PrivateDevices = yes
PrivateTmp = yes
# PrivateUsers = yes
ProtectControlGroups = yes
ProtectHome = yes
ProtectKernelModules = yes
ProtectKernelTunables = yes
ProtectSystem = strict
ReadWriteDirectories = /var/lib/tor/
RestrictAddressFamilies = AF_INET AF_INET6 AF_UNIX
RestrictNamespaces = yes
# RuntimeDirectory = tor
RuntimeDirectoryMode = 0700
# SystemCallFilter = ~@clock @cpu-emulation @keyring @module @mount @privileged @raw-io
Enable more options if needed.
Once running, let's check on the process' capabilities:[6]
$ grep Cap /proc/$(pgrep -x tor)/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000000004c4
CapAmb: 0000000000000000
$ capsh --decode=00000000000004c4
0x00000000000004c4=cap_dac_read_search,cap_setgid,cap_setuid,cap_net_bind_service
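The check above can be scripted so it runs as a periodic audit rather than a one-off look. The added example below (not part of the page or of Tor) decodes the hex masks from /proc/PID/status the way capsh --decode does, using the kernel's capability numbering, and reports any capability that shows up in the inheritable, permitted, effective or ambient sets, or in the bounding set beyond an expected list; the sample status text is constructed from the values shown above.

```python
# Capability names indexed by kernel bit number (linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Constructed sample: the /proc/PID/status lines shown above for the tor process.
SAMPLE_STATUS = (
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000000004c4\n"
    "CapAmb:\t0000000000000000\n"
)


def decode_caps(mask_hex):
    """Hex capability mask -> list of set capability names, lowest bit first."""
    mask = int(mask_hex, 16)
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_proc_status_caps(text):
    """Collect the Cap* lines of a /proc/PID/status dump into {set: [names]}."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, val = line.split(":", 1)
            sets[key] = decode_caps(val.strip())
    return sets


def audit_caps(sets, allowed_bounding):
    """Findings for a process expected to hold no capabilities at all."""
    findings = []
    for name in ("CapInh", "CapPrm", "CapEff", "CapAmb"):
        if sets.get(name):
            findings.append(f"{name} should be empty but holds {sets[name]}")
    extra = sorted(set(sets.get("CapBnd", [])) - set(allowed_bounding))
    if extra:
        findings.append(f"CapBnd holds unexpected {extra}")
    return findings
```

On a live host, feed the output of `cat /proc/$(pgrep -x tor)/status` to parse_proc_status_caps and treat a non-empty findings list as a regression of the hardening.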
nyx
nyx (formerly arm[8]) is a CLI status monitor for Tor:
sudo apt-get install nyx # Debian, Ubuntu
sudo dnf install nyx # Fedora
nyx needs DisableDebuggerAttachment set to "0" in torrc to function properly.[9][10]
sudo -u tor nyx
Links
- Tor Project: Anonymity Online / check.torproject.org / Metrics
- Tor Bridge Setup
- Tor on OpenWRT
- Java Anon Proxy
References
[1] Tor hardening at compile time
[2] Compiling tor against OpenSSL_1_0_2-stable
[3] Re: Munin plugins for Tor
[4] Document CookieAuthFile
[5] Use new systemd hardening options
[6] Linux capabilities 101
[7] How to find out what linux capabilities a process requires to work?
[8] Renaming arm
[9] Security enhancement against malware for Tor
[10] Giving users a notice when DisableDebuggerAttachment is set