Category Archives: The Tor Project

Tuning a fast Tor relay (0.3.5.3-alpha) on Ubuntu 18.04

Rule: don’t enable iptables / ufw

as root:

ip link set eth0 txqueuelen 300000

These are just temporary:

sysctl -w fs.file-max=65535
sysctl -w net.core.optmem_max=25165824
sysctl -w net.core.netdev_max_backlog=65536
sysctl -w net.core.rmem_default=25165824
sysctl -w net.core.rmem_max=25165824
sysctl -w net.core.somaxconn=20480
sysctl -w net.core.wmem_default=25165824
sysctl -w net.core.wmem_max=25165824
sysctl -w net.ipv4.ip_local_port_range='1024 65535'
sysctl -w net.ipv4.route.flush=1
sysctl -w net.ipv4.tcp_congestion_control=cubic
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_keepalive_intvl=15
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=1200
sysctl -w net.ipv4.tcp_max_syn_backlog=65536
sysctl -w net.ipv4.tcp_max_tw_buckets=1440000
sysctl -w net.ipv4.tcp_mem='65536 131072 262144'
sysctl -w net.ipv4.tcp_moderate_rcvbuf=1
sysctl -w net.ipv4.tcp_mtu_probing=1
sysctl -w net.ipv4.tcp_no_metrics_save=1
sysctl -w net.ipv4.tcp_rfc1337=1
sysctl -w net.ipv4.tcp_rmem='20480 12582912 25165824'
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_tw_recycle=1
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.tcp_wmem='20480 12582912 25165824'
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "root soft nproc 65535" >> /etc/security/limits.conf
echo "root hard nproc 65535" >> /etc/security/limits.conf
echo "root soft nofile 65535" >> /etc/security/limits.conf
echo "root hard nofile 65535" >> /etc/security/limits.conf
echo "session required pam_limits.so" >> /etc/pam.d/common-session
shutdown -r now

A+ TLS config for ubuntu + nginx

These are my config notes for getting a brand new Xenial + nginx server online.

Install Tor:

sudo apt install tor apt-transport-tor
sudo gpg --keyserver keys.gnupg.net --recv 886DDD89

sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Edit the sources list by removing all the lines and adding these:

sudo vim /etc/apt/sources.list
deb tor+https://deb.torproject.org/torproject.org xenial main
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse

Update the repos:

sudo add-apt-repository ppa:nginx/development
sudo add-apt-repository ppa:ondrej/nginx
sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:certbot/certbot

Add “tor+” to all of the above sources files in /etc/apt/sources.list.d/*

Update and restart:

sudo apt update && sudo apt upgrade -V && sudo apt autoremove -y && sudo shutdown -r now

Install nginx + certbot:

sudo apt install python-certbot-nginx -V

Add server_name to (replacing “_”):

sudo vim /etc/nginx/sites-available/default
server_name domain.net;

Get Let’s Encrypt cert for nginx:

sudo certbot --nginx -d domain.net --redirect --rsa-key-size 4096

Further harden the TLS config:

sudo vim /etc/letsencrypt/options-ssl-nginx.conf
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!3DES:!aNULL:!DES:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!PSK:!RC4:!SEED";

Delete the “SSL” config:

sudo vim /etc/nginx/nginx.conf

Edit the nginx config:

sudo vim /etc/nginx/sites-available/default

replace “domain.net”

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name domain.net www.domain.net;
        return 301 https://$host$request_uri;

        server_tokens off;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name domain.net www.domain.net;
        root /var/www;
        index index.php index.html index.htm;

        ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        server_tokens off;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";

        resolver 8.8.8.8 8.8.4.4 valid=300s;

# For WordPress

        location / {
        try_files $uri $uri/ /index.php?$args;
        }

        location ~ .php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Validate the nginx config:

sudo nginx -t

Restart nginx:

sudo service nginx restart

Add inbound and outbound firewall rules:

sudo ufw limit 22/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 25/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose

Emerald Onion has launched

The Tor network and the dot-Onion infrastructure was built for security and privacy in mind. This is unlike legacy clear-net infrastructure, which over the years needs routine and dramatic security changes just to solve evolving security chalenges. Even worse, modern security for legacy clear-net infrastructure does very little for privacy.

Vulnerable populations were the first to recognize the importance of a technology like “the onion router”. The United States Navy was among the first. The United States Navy, realizing very quickly that an anonymity network that only the Navy would use, means that any of its users is from the United States Navy. To this day, the United States Navy researches and develops Tor.

Once Tor became a public, free, and open source project, journalists and other vulnerable populations with life-and-death threat models started using Tor. These survivors and human-rights defenders were a red flag. By the time Tor became a public project, other departments from the United States Government, such as the United States National Security Agency, had already started conducting global mass surveillance.

The United States Navy knew and continues to know that Tor is a necessity in a world dominated by global mass surveillance and by governments that strive for power and control.

Emerald Onion envisions a world where access and privacy are the defaults. This is necessary to ensure human rights including access to information and freedom of speech. If we do not have human rights online, we will not have them offline, either. We launched, officially, on July 2nd. We are looking at 10 year+ development and sustainability. Please reach out to me if you can think of ways to support our work.

Briar is in public beta

What is Briar?

Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. Unlike traditional messaging tools such as email, Twitter or Telegram, Briar doesn’t rely on a central server – messages are synchronized directly between the users’ devices. If the internet’s down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the internet’s up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.

I am incredibly excited about this project. Please test and use the beta. The direct APK is linked from the manual, but here it is: https://briarproject.org/beta/briar.apk

Hi everyone,

I'm pleased to announce the first public beta release of Briar for Android. Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. You can download it from Google Play:

https://play.google.com/store/apps/details?id=org.briarproject.briar.beta

If you prefer not to use Google Play, the manual has instructions for downloading the app from our website:

https://briarproject.org/manual

This release includes private messaging, forums, blogs and RSS import. We'd love to hear your feedback on these features, as well as any others you'd like to see. Please feel free to send your feedback to contact@briarproject.org, or anonymously via the app.

The beta will expire on 21 October. When it expires, your contacts and messages will be lost. The expiry period is designed to limit the impact of any security issues and allow us to make incompatible changes before the 1.0 release.

I hope you enjoy testing Briar!

Cheers,
Michael

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
briar-announce mailing list
briar-announce at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/briar-announce

Tor onion service config fails due to apparmor

Thanks for the help, Will.

After installing Tor on a new host and configuring an onion service, Tor fails due to AppArmor.

Hosts:

Xenial server
Zesty server

Tor versions:

0.3.0.9
0.3.1.4-alpha

Errors:

/var/log/kern.log |grep tor

Jul 20 19:25:58 zesty kernel: [   50.173406] audit: type=1400 audit(1500578758.127:16): apparmor="DENIED" operation="capable" profile="system_tor" pid=2148 comm="tor" capability=2  capname="dac_read_search"

/var/log/syslog |grep tor

Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.111 [notice] Tor 0.3.1.4-alpha (git-c3fe257c709bb814) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.112 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.113 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.114 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.114 [notice] Read configuration file "/etc/tor/torrc".
Jul 20 19:26:00 zesty tor[2190]: Configuration was valid
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.223 [notice] Tor 0.3.1.4-alpha (git-c3fe257c709bb814) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.224 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.225 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.225 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.226 [notice] Read configuration file "/etc/tor/torrc".
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.233 [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.234 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.235 [err] Reading config failed--see warnings above.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Unit entered failed state.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Failed with result 'exit-code'.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Start request repeated too quickly.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Unit entered failed state.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Failed with result 'exit-code'.

Solution

sudo vim /etc/apparmor.d/abstractions/tor

add this line to capabilities:

capability dac_read_search,

reload:

sudo /etc/init.d/apparmor reload
sudo service tor restart

Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

New Democracy Now! Onion site

g6klvb3bfx3zuivo.onion

Updated onion address: 2017-March-12

Previous work here. The rest of this post is for technical individuals.

I recently moved to a new DN! host mainly because my first one ran out of storage. I apologize to those who have not been able to access the last few episodes due to the old host filling up. This post goes into detail how I set up the new Onion site, then how I transfered all ~30GB of existing DN! files from the old host to the new host exclusively over Onion service via rsync.

Some major improvements include Democracy Now’s third-party services all support TLS now, meaning that I’m finally pulling the media via authenticated and confidential (exluding metadata) transport. My updated shell script is below, too.

Please note that not all traffic is torified on the new host, the DN! files are still getting pulled via port 443, outbound DNS via port 53, and outbound NTP via port 123.

New Ubuntu 16.04 Xenial host setup

Enable the firewall disabling all inbound traffic:

sudo ufw enable

Edit sources list to remove the default HTTP repositories with Wikimedia’s HTTPS repositories for transport authentication and confidentiality, and add Tor Project’s HTTP repository:

sudo vim /etc/apt/sources.list

deb https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb http://deb.torproject.org/torproject.org xenial main

Add the Tor Project’s signing key:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Update, upgrade, then install the necessary Tor apps:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install tor apt-transport-tor deb.torproject.org-keyring -y

Edit torrc to create the new Onion site address:

sudo vim /etc/tor/torrc

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:80

Restart the Tor service:

sudo service tor restart

View the new Onion site address:

sudo cat /var/lib/tor/hidden_service/hostname

gnt3qwmxads3yytg.onion

Edit sources list again so that the repositories will only be accessed via Onion service:

sudo vim /etc/apt/sources.list

deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb tor+http://deb.torproject.org/torproject.org xenial main

Update and upgrade again, and install Open-SSH, all via Onion service:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install openssh-server

Configure the SSH server to only accept connections via Onion service. Also harden the security a little bit:

sudo vim /etc/ssh/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
AllowUsers user
Port 22
ListenAddress 127.0.0.1:22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 30
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

Install Apache via Onion service, disable status, and enable headers:

sudo apt-get install apache2 -y && sudo a2dismod status && sudo a2enmod headers

Configure the index view of the Apache landing page:

sudo vim /etc/apache2/mods-available/autoindex.conf

IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 SuppressDescription SuppressIcon SuppressLastModified SuppressRules
IndexOrderDefault Descending Name

Harden Apache’s security configuration:

sudo vim /etc/apache2/conf-available/security.conf

Directory /
AllowOverride None
Require all denied
/Directory

Header always set X-XSS-Protection: "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies: "master-only"
Header always set Cache-Control: "private, no-cache, no-store, must-revalidate"
Header always set Pragma: "no-cache"
Header always set Expires: "-1"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-Frame-Options: "sameorigin"
Header always set Content-Security-Policy: "default-src 'self'"
ServerTokens Prod
ServerSignature Off
TraceEnable Off

Configure Apache to only work via Onion service:

sudo vim /etc/apache2/sites-available/000-default.conf

VirtualHost 127.0.0.1:80
ServerName gnt3qwmxads3yytg.onion
ServerAdmin gnt3qwmxads3yytg@yawnbox.com
DocumentRoot /var/www/html/dn/
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
/VirtualHost

Restart Apache:

sudo service apache2 restart

Make the DN! directory:

sudo mkdir /var/www/html/dn/

Create the shell script to download the various DN! files:

sudo vim dn-now.sh

#!/bin/bash
cd /var/www/html/dn/
daystamp=$(date +%Y-%m%d)
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://publish.dvlabs.com/democracynow/360/dn$daystamp.mp4
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://traffic.libsyn.com/democracynow/dn$daystamp-1.mp3
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://ewheel.democracynow.org/dn$daystamp.mp4.torrent
chown -R www-data:www-data /var/www/html/dn/*

Edit cron to check for new files every 15 minutes:

sudo crontab -e

*/15 * * * * bash /home/user/dn-now.sh

Old Host

Configure SSH client to be torified:

sudo vim /etc/ssh/ssh_config

Host *
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
CheckHostIP no

Rsync all files from the old host (ssh client) to the new host (ssh server):

sudo rsync -v /var/www/html/dn/* user@gnt3qwmxads3yytg.onion:/var/www/html/dn/

Cheers!