Tor
Tor is, to put it simply, the world's largest anonymity service. Relied on by many, the Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security while using the Internet.
Contents
Installation
Debian
To install Tor on Debian stable, Debian sid, or Debian testing, simply execute the following:
# apt-get install tor
|
Ubuntu
The Ubuntu repositories do not always have the most up-to-date versions of Tor. It is recommended that you use the official Tor Project repository or compile from source. To use the Tor Project's official repository, you need to add the following to /etc/apt/sources.list:
deb http://deb.torproject.org/torproject.org jessie main deb-src http://deb.torproject.org/torproject.org jessie main |
Next, you must add the Tor Project's GPG key used to sign the Tor packages:
gpg --keyserver keys.gnupg.net --recv 886DDD89 gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - |
Now, you are able to install Tor from the official repository using:
# apt-get update # apt-get install tor deb.torproject.org-keyring |
Fedora/RHEL
This section is applicable to Fedora 22/23 and RHEL 6/7. The repositories in these distributions are frequently out-of-date. It is strongly recommended to use the Tor Project's official repository or compile from source.
To use the Tor Project's official repository, first, you must create /etc/yum.repos.d/tor.repo and insert the following:
[tor] name=Tor repo enabled=1 baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/$basearch/ ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7) gpgcheck=1 gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc repo_gpgcheck=1 [tor-source] name=Tor source repo enabled=1 autorefresh=0 baseurl=https://deb.torproject.org/torproject.org/rpm/DISTRIBUTION/SRPMS ##replace DISTRIBUTION with correct version (fc/22, fc/23, el/6, el/7) gpgcheck=1 gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc repo_gpgcheck=1 |
Next, you need to take care of a name clash in the repos to avoid the two packages from overwriting each other. To do this, add Exclude=tor to the relevant repo file.
For example, you may need to add Exclude=tor to the /etc/yum.repos.d/fedora.repo and /etc/yum.repos.d/fedora-updates.repo.
Next, install tor by executing:
# yum install tor # service start tor |
Gentoo
# emerge tor
|
Arch Linux
# pacman -S tor
|
Compile from Source
First, grab the Tor Source Code and verify you have the required dependencies including libevent, openssl, and the zlib packages.
After, extract and compile the source by executing:
# tar xzf tor-0.2.7.6.tar.gz; cd tor-0.2.7.6 # ./configure && make # make install |
How It Works
One takes a big chance using Tor. While privacy isn't guaranteed, anonymity can be if one changes their habits.
Tor originally stood for "The Onion Router". How Tor essentially works is, traffic gets wrapped in multiple layers of encryption, passes from the initial box to the first node in the chain where traffic gets decrypted once, and passed to the next node. It then gets decrypted again and passed to the exit node from where decryption occurs the last time, and routes traffic in the clear. Due to these multiple layers of encryption, each node only knows the last hop and the next hop in the chain.
Tor bridges are basically unofficial entry points into the tor network which are utilized by users in locations around the world, espcially in heavily oppressed and monitored countries (ie. China), in order to access Tor. This is because a vast majority of the official nodes are banned or traffic is heavily monitored.
Common Pitfalls
The onion structure undoubtedly has issues. Such problems can be read in a comical form here.
Without clicking links, exit node operators can sniff the traffic that passes through. Some operators choose to do so, and for this reason, it should be assumed that all Tor traffic is being monitored, and therefore, always use some form of end to end encryption such as sshing into a box over Tor.
Transparent Proxy
What is a transparent proxy? A transparent proxy forces all your outbound traffic through a proxy of your choosing, Tor is perfect for using this and we will cover setting one up in this section.
First we will need to add these four lines to the end of your torrc found at /etc/tor/torrc on most systems.
VirtualAddrNetworkIPv4 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 9040 DNSPort 5353 |
Now for our iptables rules to force all traffic through Tor:
#!/bin/bash _non_tor="192.168.1.0/24 192.168.0.0/24" _tor_uid="43" _trans_port="9040" iptables -F iptables -t nat -F iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 #allow clearnet access for hosts in $_non_tor for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do iptables -t nat -A OUTPUT -d $_clearnet -j RETURN done iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT for _clearnet in $_non_tor 127.0.0.0/8; do iptables -A OUTPUT -d $_clearnet -j ACCEPT done iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT iptables -A OUTPUT -j REJECT iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP |
The Tor UID varies from system to system and one of the easiest ways to find it is by running:
$ grep tor /etc/passwd |
Be sure to save the config above to rules.sh in your home folder.
Now once you have done all that (saved Tor configuration, saved iptables rules to a file) you will need to run:
$ killall -HUP tor |
Which restarts tor and:
$ chmod +x rules.sh $ ./rules.sh |
This sets the iptables rules and you should now be properly transparently proxying all your traffic through Tor. One thing you must think about is whether the router or network you are connecting to is IPv6 only, since Tor traffic only is IPv4, the iptables rules won't apply on IPv6 traffic, thus leaking this traffic you think is going through Tor to the clearnet. It's highley recommended to disable IPv6 at the kernel level by modifying config.x86_64 and commenting out all the IPv6 entries or by excluding it through "make menuconfig"
make menuconfig:
Networking Support ==> Networking Options ==> The IPv6 Protocol
Hit the "n" key to exclude it and continue building your kernel.
Hidden services
When a user connects to a clearnet website via Tor, the connection, in general, looks like:
you -> tor node 1 -> tor node 2 -> exit node -> internet
However, when a user connects to a Tor Hidden Service, the connection route looks like:
you -> arbitrary # nodes -> rendezvous <- arbitrary # nodes <- hs box
Hidden services use .onion as a pseudo-tld. An example being the hidden wiki at http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page .onion is a way of describing a hidden service without giving away its location. The string before the .onion is actually a key fingerprint, which ensures the service cannot be found, and it has the expected private key.
Configuration
Assuming that you have Tor configured correctly and running, you are ready to set up your Tor Hidden Service.
First, make sure that your web server, or whatever other service you are going to host, is running and configured correctly. (These examples will be geared towards a web server).
Next, add the following to lines to /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80 |
After restarting the Tor service, you will have to files in the /var/lib/tor/hidden_service/ directory: hostname and private_key.
The hostname file will contain the .onion address to access your service. The private_key will contain the private key used to generate your .onion address. Do NOT lose your private key, otherwise, anybody can steal your .onion address.
You can also host more than one service on your server and have a different .onion address for each service. For example, to host IRC and SSH on another onion, add the following to your /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/other_hidden_service/ HiddenServicePort 6667 127.0.0.1:6667 HiddenServicePort 22 127.0.0.1:22 |
ControlPort
|
The ControlPort is a port you can open to allow a service to connect and control the Tor Process. The ControlPort is disabled by default but can be enabled by entering the following into your /etc/tor/torrc:
ControlPort 9051
|
To connect to the ControlPort:
telnet 127.0.0.1:9051 authenticate "" |
HidServAuth
|
|
Theory
|
|
Issues
|
|
- Sniper Attack
One de-anonymization attack that Hidden Services are vulnerable to is the Sniper Attack. Operation Onymous, probably being the most famous, is theorized to use a type of attack where exit nodes were taken offline via denial of service attacks. This forced users onto nodes controlled by law enforcement,
- Correlation Attack
One of the pitfalls with Hidden Services is a correlation attack. If someone controls enough nodes, they can send enough traffic to the hidden service to find its location. The best way to help prevent this is to make the hidden service a Tor node as well. At that point, it passes non-hs traffic and keeps anonymity static.
- Badmin
