Debian Tor Relay

From trapsink.com


Server Installation

Spin up a basic Debian 8 (Jessie) 64-bit cloud instance; inexpensive cloud instances from Digital Ocean are perfect for this type of project. Only basic networking with minimal disk and memory is required, and these pre-prepared Debian 8 cloud images are ready to go with only a minor bit of work.

Be Careful of Costs - Cloud providers typically charge for time spent running (uptime) plus bandwidth. Research costs carefully and ensure RelayBandwidthRate is configured to meet your budget. Shop around cloud providers to get the best bang for your buck; low uptime and low bandwidth charges are the key factors for a Tor node.

The below instructions have been tested on a Digital Ocean standard Debian 8 instance.


Server Hardening

1. Install a few basic packages to make life a little nicer; cloud instances are typically stripped down and need a few things added, both for security and ease of use. Adjust as needed, but at a minimum ensure the packages below are in place:

apt-get update
apt-get install sysstat unattended-upgrades iptables-persistent fail2ban chrony vim-nox iftop sudo -y


2. Enable sysstat for ongoing statistics capture of your instance (use sar to view):

sed -i.bak -e 's|^ENABLED=".*"|ENABLED="true"|g' /etc/default/sysstat


3. Enable unattended-upgrades to ensure that all security updates are applied:

cat << 'EOF' > /etc/apt/apt.conf.d/02periodic 
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
EOF


4. Enable the basic iptables rules to allow only ports 22, 80 and 443:

cat << 'EOF' > /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
EOF

cat << 'EOF' > /etc/iptables/rules.v6
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p ipv6-icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
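As an added check for the firewall step (example script written for this page, not part of the original wiki or of iptables-persistent): the INPUT chain policy in the rules files above is ACCEPT, so the trailing REJECT rule is what makes the host default-deny. This lints a rules file before you reboot, using a constructed copy of the rules.v4 above as sample input.

```shell
#!/bin/sh
# Added example, not from the original page: lint an iptables-persistent rules
# file in the rules.v4/rules.v6 format above before rebooting. The INPUT chain
# policy there is ACCEPT, so the trailing "-A INPUT -j REJECT" is what makes it
# default-deny: this checks that only the intended TCP ports are accepted for
# NEW connections and that the chain really ends in a REJECT. Sample is constructed.

# accepted_ports FILE: sorted, space-separated TCP dports accepted for NEW connections on INPUT
accepted_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /--state NEW/ && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# last_input_target FILE: the -j target of the last rule appended to INPUT
last_input_target() {
    awk '/^-A INPUT / { for (i = 1; i <= NF; i++) if ($i == "-j") t = $(i + 1) } END { print t }' "$1"
}

# check_rules FILE "22 80 443": 0 only if the open ports match exactly and INPUT ends in REJECT
check_rules() {
    got=$(accepted_ports "$1")
    [ "$got" = "$2" ] || { echo "accepted ports '$got' differ from expected '$2'"; return 1; }
    [ "$(last_input_target "$1")" = "REJECT" ] ||
        { echo "INPUT does not end in REJECT; with policy ACCEPT everything else stays open"; return 1; }
    echo "ok: INPUT accepts only ports $got and ends in REJECT"
}

# Constructed copy of the page's rules.v4 ruleset
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

tmp=$(mktemp) && sample_rules > "$tmp" && check_rules "$tmp" "22 80 443"; rm -f "$tmp"
```

Run it against /etc/iptables/rules.v4 and rules.v6 in turn; a rule accidentally appended after the REJECT line never matches, and the check will not see it as an open port either, so keep the REJECT last.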


5. Configure fail2ban to keep an eye on the SSH port for brute force attacks:

cat << 'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip  = 127.0.0.1/8
bantime   = 600
maxretry  = 3
backend   = auto
destemail = root@localhost

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
EOF


6. Finally, ensure all the services are enabled and apply all outstanding updates; reboot as needed for a new kernel. If you don't reboot here, you'll need to restart each service individually with service <name> restart:

systemctl disable remote-fs.target
systemctl enable sysstat unattended-upgrades iptables-persistent fail2ban chrony

apt-get upgrade -y

reboot


Tor Installation

Add the upstream Tor Project repository to the server, install its GPG key, and then install tor itself. The tor-arm package provides a useful console interface for the daemon (run arm later on to see it).

echo "deb http://deb.torproject.org/torproject.org jessie main" > \
  /etc/apt/sources.list.d/tor.list 

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

apt-get update
apt-get install deb.torproject.org-keyring -y
apt-get install tor tor-arm -y

systemctl stop tor


Tor Setup

Edit the /etc/tor/torrc configuration to set up the basic parameters. The comments in this file are parsed by the arm utility, so don't be tempted to simply replace it with the listing below; hand-editing is recommended to preserve the comments.

As a rule of thumb, 1 TB/month is roughly 400 KB/s sustained bandwidth.

We will configure bandwidth to 300 KB/s normal and 350 KB/s burst to keep our cloud bandwidth charges in check, and use ports 443 and 80 for maximum compatibility with users in locations that apply strict ACLs to their network traffic. Choose the Nickname wisely; it's how others will refer to your node in public. Be careful with ContactInfo and protect yourself from spammers!

# egrep -v "^(#|$)" /etc/tor/torrc
RunAsDaemon 1
ORPort 443
Address <server IP address>
Nickname <your relay nickname>
RelayBandwidthRate 300 KB
RelayBandwidthBurst 350 KB
ContactInfo <your contact info>
DirPort 80
DirPortFrontPage /etc/tor/index.html
ExitPolicy reject *:*
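A pre-start sanity check for the torrc, written as an added example for this page (it is not part of the original wiki and not a tor utility): it applies the bandwidth rule of thumb above to RelayBandwidthRate, confirms the relay stays a non-exit, and catches unedited placeholders. The sample torrc it reads is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check a torrc against the
# bandwidth budget above before (re)starting tor. It reads RelayBandwidthRate
# (in KB, as written on this page), projects one direction of sustained transfer
# over a 30-day month (the page's rule of thumb: 400 KB/s ~ 1 TB/month), and
# rejects the config if that exceeds a GB budget, if ExitPolicy is not
# "reject *:*" (the relay would be an exit), or if placeholders remain.

# torrc_value FILE DIRECTIVE: print the directive's value with comments stripped
torrc_value() {
    sed -e 's/#.*//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# monthly_gb RATE_KB: GB moved in 30 days at RATE_KB KB/s (decimal units, one direction)
monthly_gb() {
    awk -v kb="$1" 'BEGIN { printf "%d", kb * 86400 * 30 / 1000000 }'
}

# check_torrc FILE BUDGET_GB: return 0 if acceptable, else print the reason and return 1
check_torrc() {
    file=$1; budget=$2
    rate=$(torrc_value "$file" RelayBandwidthRate | awk '{ print $1 }')
    [ -n "$rate" ] || { echo "RelayBandwidthRate is not set"; return 1; }
    gb=$(monthly_gb "$rate")
    [ "$gb" -le "$budget" ] || { echo "projected ${gb} GB/month exceeds the ${budget} GB budget"; return 1; }
    [ "$(torrc_value "$file" ExitPolicy)" = "reject *:*" ] ||
        { echo "ExitPolicy is not 'reject *:*'; this would be an exit relay"; return 1; }
    for d in Nickname Address; do
        case $(torrc_value "$file" "$d") in
            "" | "<"*) echo "$d is missing or still a <placeholder>"; return 1 ;;
        esac
    done
    echo "ok: ${rate} KB/s projects to ${gb} GB/month (budget ${budget} GB)"
}

# Constructed sample mirroring the page's torrc with the placeholders filled in
sample_torrc() {
    cat <<'EOF'
ORPort 443
Address 203.0.113.10
Nickname ExampleRelay
RelayBandwidthRate 300 KB
RelayBandwidthBurst 350 KB
DirPort 80
ExitPolicy reject *:*   # never an exit
EOF
}

tmp=$(mktemp) && sample_torrc > "$tmp" && check_torrc "$tmp" 800; rm -f "$tmp"
```

At the page's 300 KB/s this projects to about 777 GB/month; the rule of thumb's 400 KB/s projects to about 1036 GB, which is where the "roughly 1 TB" figure comes from.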


Copy over the HTML man page to display on port 80 (see DirPortFrontPage above), ensure tor is set to start on reboot, and get it running:

cp /usr/share/doc/tor/tor.html /etc/tor/index.html
systemctl enable tor
systemctl restart tor


Tor Backup

Preserve a copy of your Tor node's identity information; this is needed if you have to rebuild or move the node and want to retain the same history in the community:

cp /var/lib/tor/fingerprint /root/tor.fingerprint
cp /var/lib/tor/keys/secret_id_key /root/tor.secret_id_key


Download those two files from the cloud instance and keep them in a safe place with your normal backups. The first has one line (the nickname and a 40-hex-character ID); the second is an RSA key.


Final Checks

Wait an hour or two, then use one (or both) of the below links to search for your relay's nickname:


Once it's showing up as expected and you're happy with the results, submit your relay to the EFF Tor Challenge and sign up via Tor Weather to keep an eye on it:

