tork/USINGTORK


Here are some miscellaneous notes on using Tor and TorK:
What do I need to know about Tor/TorK?
First of all some don'ts:
* Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails)
or telnet. By doing so you are sending out username/password combinations that
some people harvest, e.g. http://tor.unixgu.ru.
* Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example,
don't do some anonymous browsing and then log into hotmail during the same
'anonymous' Tor session. Why? Anyone listening on the Tor network might put
two and two together and identify you. Better to keep Tor for 'anonymous'
tasks only.
Now some do's:
* Do run a Tor server if you can. Choose one of the server options TorK
provides. A 'Relay' server is an easy and hassle-free way to contribute to the
network. An 'Exit' server is the only one that involves putting your name to
other people's traffic.
* Do behave responsibly when using Tor. Try not to sink to the level of your
own government!
Finally:
Tor is developed and maintained by the people at http://tor.eff.org. They are
professionals. They're mostly from MIT. They know what they're doing. TorK is
developed and maintained by a hobbyist. From Ireland. In his spare time.
So: TorK probably has lots of faults the developer is not aware of or hasn't
fixed yet. If you spot them, let the poor sod know by clicking on Help ->
'Report Bug'.
What is 'Paranoid Mode'?
In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by
clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode'
TorK/Tor will try to use a new identity for every new connection you make.
This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous'
traffic in Tor. For example, if you do some anonymous browsing and then log
into hotmail during the same 'anonymous' Tor session, anyone listening on the
Tor network might put two and two together and identify you. Using different
identities for each connection will help reduce this problem. However,
'Paranoid Mode' is slow and you are probably better off just not mixing
'anonymous' and 'non-anonymous' activity in the first place.
Where is the paranoid button located?
Under the first tab ("Anonymize"), in the first section ("Welcome...", next to
the big onion icon), you will see the toggling ghost-penguin button followed
by a URL-like clickable link (mentioning the "paranoid mode").
Click on the icon itself to toggle between the two modes. Clicking the
URL-like link next to it does something else. This was fixed in CVS (the icon
was added to the menu and toolbar).
Why can't Konqueror access the Internet through Tor?
Konqueror works just fine when I set up its proxies manually (from kcontrol).
Then I open TorK and it no longer works. It doesn't matter how I toggle TorK's
Konqueror button. Then I have to manually restore Konqueror's proxies (in
kcontrol), and Konqueror starts working again. That is, until I restart TorK,
when all this happens again.
Tor/TorK say my Tor server isn't reachable. What should I do?
To make your Tor server visible to the world, there are a number of things you
need to make sure are set up correctly.
Step One
Make sure your firewall is allowing traffic to Tor's server ports. These are
the commands I added to my own firewall script (the host my instance of Tor is
running on is 192.168.1.2):
# Allow Tor to go through
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
If you are wondering, 'Where's my firewall script?', then you should probably
create one. This is mine, for what it's worth (and that's not much):
#!/bin/bash
#Load modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#Flush old
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Set policies
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow Tor to go through
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
# bittracker port forwarding
BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
for pt in $BTPORTS; do
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport "$pt" -j ACCEPT
done
# Drop packets addressed to loopback that did not arrive on lo
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
# Rate-limit new TCP connections (SYN packets); log and drop the excess
iptables -N Flood-Scan
iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
iptables -A Flood-Scan -j DROP
# Drop new connections that do not start with a SYN, and SYN+FIN packets
iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Allow replies on connections this host already has open
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow the ICMP types needed for error reporting and ping replies
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
Save this to something like /etc/fwscript. Then do the following to the
file:
chmod +x /etc/fwscript
To have the firewall set up every time you turn on your Linux box, add it to
the local equivalent of your /etc/rc.d/rc.local file. If you don't know what
that is then I'm afraid you're going to have to find out yourself.
Step Two
If you have a broadband connection you may need to configure your router to
allow access to your Tor service. In most cases this means something like what
I had to do with my own Zyxel prestige router. The instructions that follow
are specific to my router but you should be able to do something similar with
your own:
robert@darkstar ~> telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Password:
Then I got this screen:
          Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
                    Prestige 623R-T1 Main Menu

Getting Started                      Advanced Management
  1. General Setup                     21. Filter Set Configuration
  3. LAN Setup                         22. SNMP Configuration
  4. Internet Access Setup             23. System Password
                                       24. System Maintenance
Advanced Applications                  25. IP Routing Policy Setup
  11. Remote Node Setup                26. Schedule Setup
  12. Static Routing Setup
  15. NAT Setup
                                       99. Exit
Enter Menu Selection Number: 15
I selected 'NAT Setup'.
Menu 15 - NAT Setup
1. Address Mapping Sets
2. NAT Server Sets
Enter Menu Selection Number:2
I selected 'NAT Server Sets'.
Menu 15.2 - NAT Server Sets
1. Server Set 1 (Used for SUA Only)
2. Server Set 2
3. Server Set 3
4. Server Set 4
5. Server Set 5
6. Server Set 6
7. Server Set 7
8. Server Set 8
9. Server Set 9
10. Server Set 10
Enter Set Number to Edit: 1
I selected the first one.
Menu 15.2 - NAT Server Setup
Rule   Start Port No.   End Port No.   IP Address
---------------------------------------------------
 1.    Default          Default        0.0.0.0
 2.    0                0              0.0.0.0
 3.    9031             9031           192.168.1.2
 4.    9001             9001           192.168.1.2
 5.    0                0              0.0.0.0
 6.    0                0              0.0.0.0
 7.    0                0              0.0.0.0
 8.    0                0              0.0.0.0
 9.    0                0              0.0.0.0
10.    0                0              0.0.0.0
11.    0                0              0.0.0.0
12.    0                0              0.0.0.0
Press ENTER to Confirm or ESC to Cancel:
As you might guess, the address of my PC is 192.168.1.2 and I'm running my Tor
ORPort on 9001 and my Tor DirPort on 9031. You're probably doing the same.
That's it. Save your changes and exit the telnet session with the router.
Step Three
Your Tor server should now be reachable - unless you (or your distro) have
done something exotic with your hosts.allow and hosts.deny files. Try starting
your Tor server again from TorK and see what happens. If you are still
experiencing problems try the Tor FAQ Entry for more possibilities.
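The firewall part of Step One can be checked offline before restarting the server. This is an added example, not part of TorK or Tor: it walks `iptables -S INPUT` output first-match style for a new inbound TCP connection and reports which of the ORPort/DirPort pair would not be accepted. The sample rule set is constructed, the function names and the eth0 interface are assumptions, and it understands only the match options listed in `checks`; it says nothing about the router's NAT rules from Step Two.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output in which the DirPort rule was forgotten.
RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.1.2/32 -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
"""
DIRPORT_RULE = "-A INPUT -d 192.168.1.2/32 -p tcp -m tcp --dport 9031 -j ACCEPT\n"


def verdict(rules, iface, dst, dport):
    """First-match verdict for a NEW inbound TCP connection on the INPUT chain."""
    checks = {  # the only match options this sketch understands
        "-i": lambda v: v == iface,
        "-p": lambda v: v == "tcp",
        "-d": lambda v: ipaddress.ip_address(dst) in ipaddress.ip_network(v),
        "--dport": lambda v: int(v) == dport,
        "--ctstate": lambda v: "NEW" in v.split(","),
    }
    policy = "ACCEPT"  # kernel default when no -P line is present
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts, matched, target = tok[2:], True, None
        while opts:
            n = int(opts[0] == "!")  # 1 when the match is negated
            key, val, opts = opts[n], opts[n + 1], opts[n + 2:]
            if key == "-j":
                target = val
            elif key != "-m":  # -m only names the module; its options follow
                if key not in checks:
                    raise ValueError(f"unsupported option: {key}")
                matched = matched and (checks[key](val) != bool(n))
        if matched and target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if matched and target not in (None, "LOG"):
            raise ValueError(f"cannot follow target: {target}")
    return policy


def unreachable_ports(rules, host="192.168.1.2", ports=(9001, 9031)):
    """Tor server ports (ORPort, DirPort) that the rule set would not accept."""
    return [p for p in ports if verdict(rules, "eth0", host, p) != "ACCEPT"]
```

On a live host, feed it the text printed by `iptables -S INPUT`; an empty list means both ports pass the host firewall.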
How do I use TorK to anonymize applications?
The 'Anonymize' tab allows you to launch 'anonymized' instances of various
applications with a single click.
How can I be sure it's working?
In the miniview, you should see the sites you are connecting to in their 'raw'
form. For example, if you launched an 'Anonymous SSH session' and have typed
the following in konsole:
ssh me@my.shell.net
You should see 'my.shell.net' in the miniview and not my.shell.net's IP
address. If you see an IP address, that means your system has bypassed Tor to
get the IP address for my.shell.net. This is a problem if you think someone
might be using your domain name lookups to track your internet activity. If
you are having this problem, you should delete all instances of libtsocks.so
on your system and re-install TorK. That should ensure the correct library is
being called to route all traffic through Tor.
How is it meant to work?
TorK uses two helper applications: 1. 'torify', a shell script installed with
Tor; and 2. 'tsocks' a utility bundled and installed with TorK that ensures
the application goes through Tor anonymously.
OK, how does it really work?
TorK launches the following command:
torify name-of-your-app-here
The torify script calls a script called tsocks. This loads the libtsocks.so
library, which is dynamically linked into the application at runtime. The
libtsocks.so library intercepts all of the application's TCP/IP calls and
routes them through Tor, i.e. uses Tor as a SOCKS proxy.
This tsocks, it's the one available at http://tsocks.sf.net right?
No, it's a version of that one patched to intercept domain name resolutions as
well as all other traffic. See this entry in the Tor FAQ to understand why
this is desirable.
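What the miniview check under 'How can I be sure it's working?' and the patched tsocks come down to is the form of the SOCKS request Tor receives: a hostname means Tor does the lookup, a bare address means the name was never given to Tor. The following added example (not TorK or tsocks code; function names are hypothetical and the request bytes are constructed) parses SOCKS4, SOCKS4a and SOCKS5 CONNECT requests and reports which case applies.

```python
import ipaddress
import struct


def socks_target(req: bytes):
    """Parse a SOCKS4/4a/5 CONNECT request into (kind, host, port).

    kind is "hostname" when the proxy (Tor) is asked to resolve the name and
    "ip" when the request carries only an address.
    """
    if req[0] == 4:
        (port,) = struct.unpack("!H", req[2:4])
        ip = req[4:8]
        user_end = req.index(b"\x00", 8)  # USERID is NUL-terminated
        # SOCKS4a: destination 0.0.0.x (x != 0) means "hostname follows USERID".
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            name_end = req.index(b"\x00", user_end + 1)
            return "hostname", req[user_end + 1:name_end].decode("ascii"), port
        return "ip", str(ipaddress.ip_address(ip)), port
    if req[0] == 5:
        atyp, body = req[3], req[4:]
        if atyp == 3:  # length-prefixed domain name
            host, rest = body[1:1 + body[0]].decode("ascii"), body[1 + body[0]:]
            kind = "hostname"
        elif atyp in (1, 4):  # IPv4 / IPv6 literal
            size = 4 if atyp == 1 else 16
            host, rest = str(ipaddress.ip_address(body[:size])), body[size:]
            kind = "ip"
        else:
            raise ValueError(f"unknown ATYP {atyp}")
        (port,) = struct.unpack("!H", rest[:2])
        return kind, host, port
    raise ValueError("not a SOCKS4 or SOCKS5 request")


def resolved_outside_tor(req: bytes) -> bool:
    """True when Tor was handed an address, i.e. it never saw a hostname."""
    return socks_target(req)[0] == "ip"


# Constructed requests for port 22; 192.0.2.10 is a documentation address.
NAME = b"my.shell.net"
SOCKS4_IP = b"\x04\x01\x00\x16\xc0\x00\x02\x0a" + b"\x00"
SOCKS4A_NAME = b"\x04\x01\x00\x16\x00\x00\x00\x01" + b"\x00" + NAME + b"\x00"
SOCKS5_NAME = b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + b"\x00\x16"
SOCKS5_IP = b"\x05\x01\x00\x01\xc0\x00\x02\x0a" + b"\x00\x16"
```

An "ip" result is what shows up as an address in the miniview; it is expected only when the address was typed in directly rather than looked up.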
Security/Anonymity FAQs
Is Tor more secure than ordinary internet use?
No. In some ways it's less secure (though this is just an opinion).
Let me explain: The Tor network contains known eavesdroppers. These
eavesdroppers are servers on the network that act as exit nodes (points in the
Tor network where your traffic pops back out onto the internet proper). If you
use plaintext authentication (e.g. type a name/password into a website that is
not using a secure connection) and are using an eavesdropper as your exit
node, that exit node can capture your username/password.
But isn't there a risk of this happening in the ordinary internet anyway?
Yes, of course there is. However, you do not know (for a fact) that there are
computers listening to your ordinary internet connection - but you do know
(now) that there are servers on the Tor network listening to traffic. And they
could listen to yours if you do not behave securely. Put simply: Tor has a
specific layer of exposure that is easily accessible to anyone who is
interested in it. That is not true of non-Tor traffic.
This is not a widely accepted opinion. To paraphrase Nigel Tufnel, 'it's a
fine line between paranoid and stupid', so for more info see:
Tor Eavesdropping FAQ
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1
Where are all the other Security/Anonymity answers?
I'll leave that to the experts:
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ