You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
313 lines
12 KiB
313 lines
12 KiB
Here are some miscellaneous notes on using Tor and TorK:
|
|
|
|
|
|
What do I need to know about Tor/TorK?
|
|
|
|
First of all some don'ts:
|
|
* Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails)
|
|
or telnet. By doing so you are sending out username/password combinations that
|
|
some people harvest, e.g. http://tor.unixgu.ru.
|
|
* Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example,
|
|
don't do some anonymous browsing and then log into hotmail during the same
|
|
'anonymous' Tor session. Why? Anyone listening on the tor network might put
|
|
two and two together and identify you. Better to keep Tor for 'anonymous'
|
|
tasks only.
|
|
Now some do's:
|
|
* Do run a Tor server if you can. Choose one of the server options TorK
|
|
provides. A 'Relay' server is an easy and hassle-free way to contribute to the
|
|
network. An 'Exit' server is the only one that involves putting your name to
|
|
other people's traffic.
|
|
* Do behave responsibly when using Tor. Try not to sink to the level of your
|
|
own government!
|
|
|
|
Finally:
|
|
Tor is developed and maintained by the people at http://tor.eff.org. They are
|
|
professionals. They're mostly from MIT. They know what they're doing. TorK is
|
|
developed and maintained by a hobbyist. From Ireland. In his spare time.
|
|
So: TorK probably has lots of faults the developer is not aware of or hasn't
|
|
fixed yet. If you spot them, let the poor sod know by clicking on Help ->
|
|
'Report Bug'.
|
|
|
|
What is 'Paranoid Mode'?
|
|
In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by
|
|
clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode'
|
|
TorK/Tor will try to use a new identity for every new connection you make.
|
|
This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous'
|
|
traffic in Tor. For example, if you do some anonymous browsing and then log
|
|
into hotmail during the same 'anonymous' Tor session anyone listening on the
|
|
tor network might put two and two together and identify you. Using different
|
|
identities for each connection will help reduce this problem. However,
|
|
'Paranoid Mode' is slow and you are probably better off just not mixing
|
|
'anonymous' and 'non-anonymous' activity in the first place.
|
|
|
|
Where is the paranoid button located?
|
|
Under the first tab ("Anonymize"), in the first section ("Welcome...", next to
|
|
the big onion icon), you will see the toggling ghost-penguin button followed
|
|
by a URL-like clickable link (mentioning the "paranoid mode").
|
|
Click on the icon itself to toggle between the two modes. Clicking the
|
|
URL-like clickable link next to it has another result, indeed. This was fixed
|
|
in the CVS (added the icon to the menu and toolbar).
|
|
Why can't Konqueror access the Internet through Tor?
|
|
Konqueror works just fine when I setup its proxies manually (from kcontrol).
|
|
Then I open Tork and it no longer works. It doesn't matter how I toggle Tork's
|
|
Konqueror button. Then I have to manually restore Konqueror's proxies (in
|
|
kcontrol), and Konqueror starts working again. That is, until I restart Tork,
|
|
when all this happens again.
|
|
|
|
|
|
Tor/TorK say my Tor server isn't reachable. What should I do?
|
|
To make your Tor server visible to the world, there are a number of things you
|
|
need to make sure are set up correctly.
|
|
|
|
Step One
|
|
Make sure your firewall is allowing traffic to Tor's server ports. These are
|
|
the commands I added to my own firewall script (the host my instance of Tor is
|
|
running on is 192.168.1.2):
|
|
# Allow Tor to go through
|
|
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
|
|
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
|
|
|
|
If you are wondering, 'Where's my firewall script?', then you should probably
|
|
create one. This is mine, for what it's worth (and that's not much):
|
|
#!/bin/bash
|
|
|
|
#Load modules
|
|
/sbin/modprobe ip_conntrack_ftp
|
|
/sbin/modprobe ip_conntrack_irc
|
|
|
|
#Flush old
|
|
iptables -F
|
|
iptables -t nat -F
|
|
iptables -t mangle -F
|
|
|
|
# Set policies
|
|
iptables -P FORWARD DROP
|
|
iptables -P OUTPUT ACCEPT
|
|
iptables -P INPUT DROP
|
|
|
|
# Allow loopback
|
|
iptables -A INPUT -i lo -j ACCEPT
|
|
|
|
|
|
# Allow Tor to go through
|
|
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
|
|
iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
|
|
|
|
|
|
#bittracker portforwarding
|
|
BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
|
|
for pt in $BTPORTS; do
|
|
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport $pt -j ACCEPT
|
|
done
|
|
|
|
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
|
|
iptables -N Flood-Scan
|
|
iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
|
|
iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
|
|
iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
|
|
iptables -A Flood-Scan -j DROP
|
|
iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
|
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
|
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
|
|
iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
|
|
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
|
|
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
|
|
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j
|
|
ACCEPT
|
|
|
|
|
|
Save this to something like /etc/fwscript. Then do the following to the
|
|
file:
|
|
chmod +x /etc/fwscript
|
|
|
|
To have the firewall set up every time you turn on your Linux box, add it to
|
|
the local equivalent of your /etc/rc.d/rc.local file. If you don't know what
|
|
that is then I'm afraid you're going to have to find out yourself.
|
|
|
|
|
|
|
|
Step Two
|
|
If you have a broadband connection you may need to configure your router to
|
|
allow access to your Tor service. In most cases this means something like what
|
|
I had to do with my own Zyxel prestige router. The instructions that follow
|
|
are specific to my router but you should be able to do something similar with
|
|
your own:
|
|
|
|
|
|
robert@darkstar ~> telnet 192.168.1.1
|
|
Trying 192.168.1.1...
|
|
Connected to 192.168.1.1.
|
|
Escape character is '^]'.
|
|
|
|
Password:
|
|
|
|
Then I got this screen:
|
|
Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
|
|
|
|
Prestige 623R-T1 Main Menu
|
|
|
|
Getting Started Advanced Management
|
|
1. General Setup 21. Filter Set Configuration
|
|
3. LAN Setup 22. SNMP Configuration
|
|
4. Internet Access Setup 23. System Password
|
|
24. System Maintenance
|
|
Advanced Applications 25. IP Routing Policy Setup
|
|
11. Remote Node Setup 26. Schedule Setup
|
|
12. Static Routing Setup
|
|
15. NAT Setup
|
|
99. Exit
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Enter Menu Selection Number: 15
|
|
|
|
I selected 'NAT Setup'.
|
|
|
|
|
|
|
|
|
|
Menu 15 - NAT Setup
|
|
|
|
1. Address Mapping Sets
|
|
2. NAT Server Sets
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Enter Menu Selection Number:2
|
|
|
|
I selected 'NAT Server Sets'.
|
|
|
|
|
|
Menu 15.2 - NAT Server Sets
|
|
|
|
1. Server Set 1 (Used for SUA Only)
|
|
2. Server Set 2
|
|
3. Server Set 3
|
|
4. Server Set 4
|
|
5. Server Set 5
|
|
6. Server Set 6
|
|
7. Server Set 7
|
|
8. Server Set 8
|
|
9. Server Set 9
|
|
10. Server Set 10
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Enter Set Number to Edit: 1
|
|
|
|
I selected the first one.
|
|
|
|
|
|
Menu 15.2 - NAT Server Setup
|
|
|
|
|
|
|
|
Rule Start Port No. End Port No. IP Address
|
|
---------------------------------------------------
|
|
1. Default Default 0.0.0.0
|
|
2. 0 0 0.0.0.0
|
|
3. 9031 9031 192.168.1.2
|
|
4. 9001 9001 192.168.1.2
|
|
5. 0 0 0.0.0.0
|
|
6. 0 0 0.0.0.0
|
|
7. 0 0 0.0.0.0
|
|
8. 0 0 0.0.0.0
|
|
9. 0 0 0.0.0.0
|
|
10. 0 0 0.0.0.0
|
|
11. 0 0 0.0.0.0
|
|
12. 0 0 0.0.0.0
|
|
|
|
Press ENTER to Confirm or ESC to Cancel:
|
|
|
|
|
|
As you might guess the address of my pc is 192.168.1.2 and I'm running my Tor
|
|
ORPort on 9001 and my Tor DirPort on 9031.You're probably doing the same.
|
|
That's it. Save your changes and exit the telnet session with the router.
|
|
|
|
Step Three
|
|
Your Tor server should now be reachable - unless you (or your distro) have
|
|
done something exotic with your hosts.allow and hosts.deny files. Try starting
|
|
your Tor server again from TorK and see what happens. If you are still
|
|
experiencing problems try the Tor FAQ Entry for more possibilities.
|
|
How do I use TorK to anonymize applications?
|
|
The 'Anonymize' tab allows you to launch 'anonymized' instances of various
|
|
applications with a single click.
|
|
How can I be sure it's working?
|
|
In the miniview, you should see the sites you are connecting to in their 'raw'
|
|
form. For example, if you launched an 'Anonymous SSH session' and have typed
|
|
the following in konsole:
|
|
ssh me@my.shell.net
|
|
|
|
You should see 'my.shell.net' in the miniview and not my.shell.net's IP
|
|
address. If you see an IP address, that means your system has bypassed Tor to
|
|
get the IP address for my.shell.net. This is a problem if you think someone
|
|
might be using your domain name lookups to track your internet activity. If
|
|
you are having this problem, you should delete all instance of libtsocks.so on
|
|
your system and re-install TorK, that should ensure the correct library is
|
|
being called to route all traffic through Tor.
|
|
How is it meant to work?
|
|
TorK uses two helper applications: 1. 'torify', a shell script installed with
|
|
Tor; and 2. 'tsocks' a utility bundled and installed with TorK that ensures
|
|
the application goes through Tor anonymously.
|
|
OK, how does it really work?
|
|
TorK launches the following command:
|
|
torify name-of-your-app-here.
|
|
|
|
The torify script calls a script called tsocks. This loads the libtsocks.so
|
|
library dynamically linked to the application at runtime. The libtsocks.so
|
|
library intercepts all of the application's TCP/IP calls and routes them
|
|
through Tor, i.e. uses Tor as a SOCKS proxy.
|
|
This tsocks, it's the one available at http://tsocks.sf.net right?
|
|
No, it's a version of that one patched to intercept domain name resolutions as
|
|
well as all other traffic. See this entry in the Tor FAQ to understand why
|
|
this is desirable.
|
|
|
|
|
|
Security/Anonymity FAQs
|
|
Is Tor more secure than ordinary internet use?
|
|
No. In some ways it's less secure (though this is just an opinion).
|
|
Let me explain: The Tor network contains known eavesdroppers. These
|
|
eavesdroppers are servers on the network that act as exit nodes (points in the
|
|
Tor network where your traffic pops back out onto the internet proper). If you
|
|
use plaintext authentication (e.g. type a name/password into a website that is
|
|
not using a secure connection) and are using an eavesdropper as your exit
|
|
node, that exit node can capture your username/password.
|
|
But isn't there a risk of this happening in the ordinary internet anyway?
|
|
Yes, of course there is. However, you do not know (for a fact) that there are
|
|
computers listening to your ordinary internet connection - but you do know
|
|
(now) that there are servers on the Tor network listening to traffic. And they
|
|
could listen to yours if you do not behave securely. Put simply: Tor has a
|
|
specific layer of exposure that is easily accessible to anyone who is
|
|
interested in it. That is not true of non-Tor traffic.
|
|
This is not a widely accepted opinion, to paraphrase Nigel Tufnell 'it's a
|
|
fine line between paranoid and stupid', so for more info see:
|
|
|
|
Tor Eavesdropping FAQ
|
|
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1
|
|
|
|
Where are all the other Security/Anonymity answers?
|
|
I'll leave that to the experts:
|
|
|
|
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ |