-
Notifications
You must be signed in to change notification settings - Fork 1
/
TorExit.txt
194 lines (159 loc) · 6.17 KB
/
TorExit.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
1.Enable Tor Package Repo.
- apt install apt-transport-https (APT over HTTPS)
# For the stable version.
deb https://deb.torproject.org/torproject.org <DISTRIBUTION> main
- apt install apt-transport-tor (APT over Tor)
# For the stable version.
deb tor://sdscoq7snqtznauu.onion/torproject.org <DISTRIBUTION> main
2. Add Tor GPG Key
- curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
- gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
3. Install Debian Keyring to keep the signing key current
- apt install deb.torproject.org-keyring
4. Install Tor
- apt install tor
*for apt update over tor, you have to start tor on the machine with client mode in order for the update tor work.
5. Set up torrc (not in this guide)
- go to /etc/tor and edit torrc
- you can use tor-relay.co to help you set up torrc
6.Install unbound DNS Server
-apt install unbound
7. Configure unbound (not in this guide)
- go to /etc/unbound/unbound.conf.d and setup your preffered config
- create a log folder under /etc/unbound and a file with the name unbound.log under it
- change ownership by chown -R unbound:unbound /etc/unbound/log
- nano /etc/apparmor.d/local/usr.sbin.unbound (fix permission)
- /etc/unbound/log/unbound.log rw, (put the path of the log file)
- apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound (reload)
8. Change default DNS setting
- cp /etc/resolv.conf /etc/resolv.conf.backup (backup original resolv.conf)
- rm /run/systemd/resolve/stub-resolv.conf (remove the default symlink)
- rm /etc/resolv.conf (remove the default file)
- echo nameserver 127.0.0.1 > /etc/resolv.conf (create a new one with local DNS server addr.)
- chattr +i /etc/resolv.conf (lock it from being changed)
* chattr -i /etc/resolv.conf (can be used to unlock it)
- lsattr resolv.conf (you can use lsattr to check the attribute)
- systemctl restart unbound (restart unbound)
9. Install nyx for monitoring
- apt install nyx
11. Drop privilege of Tor daemon afer start
- User debian-tor => add it to the end of your torrc
- chown -R debian-tor:debian-tor /etc/tor
12. Start Tor
- sudo Tor or see below for the startup script option
13. Monitoring
- nyx
- nyx config:
max_graph_width 700
show_interpreter false
show_torrc false
show_config false
graph_height 12
write_logs_to /home/ubuntu/.nyx/nyx.log
connection_order COUNTRY, IP_ADDRESS, UPTIME
- add the current user to the debian-tor group so nyx can be run as a normal user, not as root
usermod -a -G debian-tor ubuntu
14. Create Startup Script for Tor
- go to /etc/systemd/system
- run touch torr.service
- content of the file:
[Unit]
Description=Tor relay serivce
After=multi-user.target
After=network.target
After=systemd-user-sessions.service
After=network-online.target
[Service]
Type=forking
Environment="opt=-f /etc/tor/torrc"
ExecStart=/usr/bin/tor $opt
ExecStop=/usr/bin/tor
Restart=/bin/kill -2 $MAINPID
[Install]
WantedBy=multi-user.target
- enable the service
systemctl enable torr
14.1 Startup Script when Running 2 Tor Instances on the Same Machine (high capacity relays)
- repeat the steps as step 14
- but create two service files: torr.service torr1.service (the only difference is the torrc file location)
- content of torr.service:
[Unit]
Description=Tor relay serivce
After=multi-user.target
After=network.target
After=systemd-user-sessions.service
After=network-online.target
[Service]
Type=forking
Environment="opt=-f /etc/tor/torrc"
ExecStart=/usr/bin/tor $opt
ExecStop=/usr/bin/tor
Restart=/bin/kill -2 $MAINPID
[Install]
WantedBy=multi-user.target
- content of torr1.service:
[Unit]
Description=Tor relay serivce 1
After=multi-user.target
After=network.target
After=systemd-user-sessions.service
After=network-online.target
[Service]
Type=forking
Environment="opt=-f /etc/tor/torrc1"
ExecStart=/usr/bin/tor $opt
ExecStop=/usr/bin/tor
Restart=/bin/kill -2 $MAINPID
[Install]
WantedBy=multi-user.target
- run systemctl enable torr && systemctl enable torr1
- check their status by running systemctl status torr (or torr1)
14.2 Startup Script Dsniff (assuming you have dsniff installed)
- create a file called sniff.service in the same direcotry as indicated in the steps above
- content of sniff.service:
[Unit]
Description=Dsniff serivce
After=multi-user.target
After=network.target
After=systemd-user-sessions.service
After=network-online.target
[Service]
Type=simple
User=root
ExecStart=/etc/unbound/log/sniffService.sh
ExecStop=/bin/kill -2 $MAINPID
[Install]
WantedBy=multi-user.target
- content of sniffService.sh
#!/bin/bash
dsniff >> /etc/unbound/log/sniff.log
- make it executable
chmod +x sniffService.sh
- convert the DNS query log to lower case (lower.sh)
#!/bin/bash
cat unbound.log | tr '[:upper:]' '[:lower:]' > lower.log
- extract urls from the the DNS query (urlExtract.sh)
#!/bin/bash
cat lower.log | cut -d " " -f 5 > pureUrl.log
cat lower.log | cut -d " " -f 5 | sort | uniq > uniqUrl.log
cat url.log | cut -d '"' -f 2 | sort | uniq > url.log
- extract imap domain from the sniff log (imapDomain.sh)
#!/bin/bash
cat sniff.log | grep imap | cut -d " " -f 6 | sort | uniq
- extract pop domain from the sniff log (popDomain.sh)
#!/bin/bash
cat sniff.log | grep pop3 | cut -d " " -f 6 | sort | uniq
- monitor the DNS query (lowerMonit.sh)
#!/bin/bash
tail -f -n 100 unbound.log | tr '[:upper:]' '[:lower:]'
## Misc:
su -l userName (switch user and run non-root command)
passwd -l root (lock the root account by setting the password to expire)
driftnet -i [interface] -a -Z [user_name] -d [directory] (run drifnet -Z flag => drop to user with less privilege)
##Links
1. https://support.torproject.org/apt/tor-deb-repo/ (APT over HTTPS)
2. https://2019.www.torproject.org/docs/debian.html.en (APT over Tor)
3. https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/DebianUbuntu (Misc.)
4. https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#Parttwo:technicalsetup (Tor relay guide)
5. https://b4d.sablun.org/blog/2018-09-27-when-unbound-wont-write-logs/ (unbound permission)
6. https://www.google.com/url?sa=t&source=web&rct=j&url=https://tor.stackexchange.com/questions/13047/failed-to-bind-listening-port&ved=2ahUKEwi1m83Y6_XlAhVmwsQBHXm5CC8QFjAFegQIBRAC&usg=AOvVaw2-yTsA6bKL2OW6TwEohsZL (privilege dropping -> read the comment)