Running a Tor Exit, one week in

To update on my short experience as a Tor node operator: it’s been over a week now, and in that week I made some changes.

First and foremost, since I’ve been online for a few days straight, I’ve been flagged by the Tor network as a “Stable” node, so now I’m processing traffic rather consistently. I’ve also been flagged as a “Guard”, meaning “…each Tor client selects a few relays at random to use as entry points, and uses only those relays for her first hop”. More can be read about Guards here.

Secondly, I increased how much of my bandwidth I’m willing to let Tor use:

RelayBandwidthRate 6000 KB
RelayBandwidthBurst 7500 KB

I’ve observed traffic peaks of 5 megabytes a second, sending and receiving. This last Friday I noticed that I was passing a lot of traffic, which made me wonder whether people use Tor a lot more on Fridays.
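To show what the two settings above actually bound, here is an added example (not code from the post or from Tor) that models the RelayBandwidthRate / RelayBandwidthBurst pair as a token bucket refilled once per second with the rate and capped at the burst; it assumes that simplified model of Tor’s rate limiter and a constructed per-second demand trace.

```python
# Added example, not from the original post: a simplified token-bucket model of
# Tor's RelayBandwidthRate (refill per second) and RelayBandwidthBurst (bucket cap).
RATE_KB = 6000    # RelayBandwidthRate 6000 KB, from the post's torrc
BURST_KB = 7500   # RelayBandwidthBurst 7500 KB

def simulate(demand_kb_per_sec, rate_kb=RATE_KB, burst_kb=BURST_KB):
    """Return the KB actually relayed in each one-second slot of a demand trace.

    demand_kb_per_sec: constructed list of how much traffic Tor would like to
    push in each second. Assumption: the bucket starts full, so the very first
    busy second may reach the burst value before settling at the rate.
    """
    tokens = burst_kb
    sent = []
    for demand in demand_kb_per_sec:
        tokens = min(burst_kb, tokens + rate_kb)  # refill, never past the burst cap
        out = min(demand, tokens)                 # send what demand and tokens allow
        tokens -= out
        sent.append(out)
    return sent

def summarize(sent):
    """Peak one-second throughput and long-run average, both in KB/s."""
    return max(sent), sum(sent) / len(sent)

if __name__ == "__main__":
    # Constructed trace: idle, then a sustained 9000 KB/s surge, then idle again
    trace = [0, 0, 9000, 9000, 9000, 9000, 0, 0]
    out = simulate(trace)
    print(out)              # [0, 0, 7500, 6000, 6000, 6000, 0, 0]
    print(summarize(out))   # (7500, 3187.5)
```

Only the first busy second can exceed the rate (up to the burst); every later second is held to RelayBandwidthRate, which is why sustained peaks stay below it.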

As you can see, 8 Day(s), 19 Hour(s) in I’ve already relayed 1142.4 GiB.

Thirdly, I put up the standard “This is a Tor Exit Router” page on torexit.yawnbox.com.

Lastly, I am now allowing port 443 to pass HTTPS traffic. So here’s my updated Reduced Exit Policy:

ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22  # ssh
ExitPolicy accept *:443 # https (HTTP via TLS)
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy reject *:* # no exits allowed

It turns out that in order to be flagged as an exit, the node needs to be exiting to either ports 443 and 80 or ports 443 and 6667. And I’m being stubborn about only passing, ideally, encrypted traffic. However, not having the check-mark next to “Exit” on my Network Status page doesn’t mean that I’m not an exit; the Tor network certainly knows I’m exiting.

Props to everyone at the UW/Tor hack-fest. Absolutely brilliant people having the most interesting of conversations. I really enjoyed the two days I spent around them, soaking in as much as I could. It made me think critically about a number of problems that I hope to blog about soon.

Node Operator Notes

Reloading Tor instead of restarting it (the service) allows me to update my torrc file without disrupting traffic.

sudo /etc/init.d/tor reload

Also, I installed two security packages to help block annoying attacks. Make sure you’re familiar with how to use them.

sudo apt-get install -y fail2ban denyhosts

Installing and using Tomb in Ubuntu 11.10

My blurb about Tomb

Using encryption is important when you store personal information on general-purpose computers. Information can, and in general should, move easily between inter-connected devices. Keeping your keyfile separate from your encrypted container adds a useful layer of security. If ever your encrypted container is lost, stolen, or deliberately stored elsewhere, it is a completely useless chunk of data without its keyfile and the keyfile’s password. Encrypted containers with integrated keys also run the risk of being brute-forced. With the evolution of processing power, GPU-accelerated applications, and the decreasing cost of that processing, brute-forcing passwords gets easier every year.

Special note: TrueCrypt also supports the use of keyfiles.

Tomb website: http://www.dyne.org/software/tomb/
Tomb on Github: https://github.com/dyne/Tomb/

Note: This specific blog post is licensed as Creative Commons CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

This guide is written to demonstrate how to:

1. Install Tomb in Ubuntu 11.10 x64
2. Create your first tomb
3. Securely move your tomb keyfile to a USB drive
4. Access and use your tomb
5. Securely delete your tomb

Installation

To install Tomb, follow the Crypto.is guide here (see: “Install from Debian Repository”): https://crypto.is/guides/install-tomb/

Verify installation

With your terminal open, verify that you have Tomb installed correctly via version check:

tomb -v

You should get this output:

Tomb - 1.2

Reference: http://www.dyne.org/software/tomb/

Creating a tomb

Before you begin, you can safely verify whether your computer’s swap space is encrypted by trying to encrypt it. If you have swap space and do not pass the --ignore-swap flag, Tomb will not create your file and you will receive the following warning:

You have swap activated; use --ignore-swap if you want to skip this check
. Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk.
. However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check
. You seem to be using 1 swaps:
/dev/dm-0 partition 1234567 0 -1

Try encrypting your swap space if you have it:

sudo ecryptfs-setup-swap

Reference: https://help.ubuntu.com/community/EncryptedHome

You will get this warning if your swap space is already encrypted:

WARNING: [/dev/dm-0] already appears to be encrypted, skipping.
WARNING: There were no usable swap devices to be encrypted. Exiting.

Create a “test” tomb that is 2 Megabytes in size:

tomb create -s 2 test --ignore-swap

Enter your new password, and again for verification. Remember, when creating a password for an encrypted container, a longer password is better than a more complicated one.

PartyLikeIts#1999ButIn@2012

…is better than:

fG#jg8-sm$db

…because a longer password, in general, takes longer to brute-force, presuming that your tomb and keyfile are together.

Moving your keyfile to a USB device

Copy, not move, your keyfile to your USB device:

sudo cp test.tomb.key /media/name-of-mounted-usb-device/

Shred the original keyfile to securely delete it:

sudo shred -f -v -z -u test.tomb.key

Reference: http://maketecheasier.com/ubuntu-how-to-delete-your-files-or-wipe-your-hard-drive-beyond-recovery/2008/02/14

Mounting your tomb

Remember that Tomb is a command-line utility, so even after mounting your tomb, you cannot access it using a GUI.

Mount your “test” tomb referencing the keyfile that is located on your USB drive:

tomb open test.tomb -k /media/name-of-mounted-usb-device/test.tomb.key --ignore-swap

Move a file over to your mounted tomb directory (into your tomb):

sudo mv /name-of-directory/name-of-file /media/test.tomb

Note: you can, of course, copy it over then shred the original.

Closing your tomb directory

Close your mounted tomb directory when you are done:

tomb slam

Deleting your tomb

If you ever need to delete your tomb, be sure to delete both the tomb and the keyfile:

sudo shred -f -v -z -u test.tomb
shred -f -v -z -u /media/name-of-mounted-usb-device/test.tomb.key

My first 24 hours as a Tor exit node

I set up a limited Tor exit node in my home yesterday by following @grahamking’s guide for Ubuntu. Presently I’m using Ubuntu 11.10 x64 on a spare laptop. The laptop is an HP/Compaq 6510b; not very powerful, but I wanted a low-power solution since it runs 24/7 in my home.

The basic steps

First I configured my A record for torexit.yawnbox.com. Then I set a static IP/hostname for the laptop (step 7 from this guide).

If I open my torrc file, these are the settings I uncommented or added:

vim /etc/tor/torrc

SocksPort 0 # what port to open for local application connections
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
ORPort 9001
Nickname yawnbox
Address torexit.yawnbox.com
RelayBandwidthRate 2500 KB # Throttle traffic to 2500KB/s
RelayBandwidthBurst 5000 KB # But allow bursts up to 5000KB/s
ContactInfo Christopher Sheats
DirPort 9030 # what port to advertise for directory connections
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy accept *:22 # ssh
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy reject *:* # no exits allowed

I am only allowing ports that are intended for encrypted traffic. I am not yet allowing the standard IRC ports. Also, since this Tor exit node is in my home, I’m not comfortable running a completely open node. After I figured out which ports I would be allowing, I configured the iptables firewall accordingly using UFW.
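To check a reduced exit policy like the one here, or the updated one with port 443 in the first post, without guessing, here is an added example (not code from the post or from Tor) that parses the ExitPolicy lines out of a torrc, evaluates them with Tor’s first-match semantics, and applies the Exit-flag rule exactly as the first post states it (443 plus 80, or 443 plus 6667). It assumes address patterns are only "*" or an exact IP string; CIDR masks are not handled.

```python
# Added example, not code from the post or from Tor: parse a torrc's ExitPolicy
# lines, evaluate them first-match, and apply the Exit-flag rule as the post
# states it (443 plus 80, or 443 plus 6667). Assumption: address patterns are
# only "*" or an exact IP string; CIDR masks are not handled.
import re

POLICY_RE = re.compile(r"^\s*ExitPolicy\s+(accept|reject)\s+([^:\s]+):(\S+)")

def parse_exit_policy(torrc_text):
    """Return [(action, addr, port_lo, port_hi), ...] in torrc order."""
    rules = []
    for line in torrc_text.splitlines():
        m = POLICY_RE.match(line.split("#", 1)[0])  # strip trailing comments
        if not m:
            continue
        action, addr, ports = m.groups()
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, addr, lo, hi))
    return rules

def exit_allowed(rules, port, addr="*"):
    """First matching rule wins; anything unmatched is rejected."""
    for action, rule_addr, lo, hi in rules:
        if rule_addr in ("*", addr) and lo <= port <= hi:
            return action == "accept"
    return False

def earns_exit_flag(rules):
    """Exit-flag criterion exactly as the first post describes it."""
    ok = lambda p: exit_allowed(rules, p)
    return ok(443) and (ok(80) or ok(6667))

# Constructed copies of the two policies on this page (comments trimmed)
ORIGINAL = """ExitPolicy accept *:119 # nntp
ExitPolicy accept *:22
ExitPolicy accept *:465
ExitPolicy accept *:993
ExitPolicy accept *:994
ExitPolicy accept *:995
ExitPolicy reject *:* # no exits allowed
"""
UPDATED = ORIGINAL.replace("*:22\n", "*:22\nExitPolicy accept *:443\n")
```

Running earns_exit_flag over both policies returns False, which matches the post’s observation that adding 443 alone does not earn the Exit flag while the relay still exits.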

Bandwidth usage

I set the bandwidth to 2,500KB/s with a 5,000KB/s burst. By browsing the Ubuntu Software Center I managed to find two easy-to-use bandwidth monitors, one for watching locally and one for watching remotely. In just over 24 hours, I have already sent/received 27 GB of traffic!

A GUI bandwidth monitor, KNemo
A command-line bandwidth monitor, BMon

Why am I running a Tor exit node from my home?

  1. I strongly support the notion of our right to read, no matter who is trying to stop us.
  2. I am paying for a fast Internet service that I don’t fully utilize 24/7.
  3. I want to contribute to the Tor Project, especially after watching Roger Dingledine and Jacob Appelbaum (two “core people”) talk at 28C3 (YouTube video below).

Stream Dance via Ubuntu

These are some of my favorite Internet radio stations that I used to access via iTunes. And this setup is way easier to use.

I performed the following in Ubuntu 11.10 (Oneiric Ocelot) x64 to install Radio Tray:

sudo apt-get install radiotray gstreamer0.10-plugins-ugly

If you’re using Unity like me, be sure to select ‘app indicator’ when Radio Tray asks.

Radio Tray >> Preferences >> Configure Radios…

Add the following streaming URLs:

One of the obvious benefits of streaming with Radio Tray is that it shows you the song that is playing, which is great for looking up an artist later. It also uses, like, 1000x fewer resources than iTunes.