Title: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 23, 2016, 09:04:16 PM

How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
With the release of Bitcoin Core version 0.12.0 - https://bitcointalk.org/index.php?topic=1374377.0 - we see the following developments for using Bitcoin with Tor:

Automatically use Tor hidden services
-------------------------------------

Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket API, to create and destroy 'ephemeral' hidden services programmatically. Bitcoin Core has been updated to make use of this. This means that if Tor is running (and proper authorization is available), Bitcoin Core automatically creates a hidden service to listen on, without manual configuration. Bitcoin Core will also use Tor automatically to connect to other .onion nodes if the control socket can be successfully opened. This will positively affect the number of available .onion nodes and their usage.

This new feature is enabled by default if Bitcoin Core is listening, and a connection to Tor can be made. It can be configured with the `-listenonion`, `-torcontrol` and `-torpassword` settings. To show verbose debugging information, pass `-debug=tor`.

A good guide for how to easily set-up Tor on Linux (Ubuntu) for use with Bitcoin seemed somewhat lacking, so here goes:

(Part 1) - Install Tor with ARM Controller.

Assuming that you already have SSH access to your server:

Code:
sudo apt-get update

Code:
sudo apt-get dist-upgrade

Check that you have the following packages installed and/or install them:

Code:
sudo apt-get install nano screen ca-certificates openssl ntp ntpdate

Check your time server offset:

Code:
ntpdate -q ntp.ubuntu.com

Reboot here, if necessary. OK.
Let's add the Tor official package repository to our sources list:

Reference: https://www.torproject.org/docs/debian.html#ubuntu

Code:
echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list

Import the key:

Code:
gpg --keyserver keyserver.ubuntu.com --recv 886DDD89

or use:

Code:
gpg --keyserver keys.gnupg.net --recv 886DDD89

Now export the key:

Code:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Refresh our sources again and we should now see http://deb.torproject.org being hit a bunch of times.

Code:
sudo apt-get update

Install Tor:

Code:
sudo apt-get install tor

Now stop Tor, as we need to configure it properly:

Code:
sudo service tor stop

The Tor Project provides a package to keep the signing key current, which is a good thing, so let's install it:

Code:
sudo apt-get install deb.torproject.org-keyring

Install the Tor GeoIP database (it might have already been installed):

Code:
sudo apt-get install tor-geoipdb

Install the Tor ARM controller:

Code:
sudo apt-get install tor-arm apparmor-utils

Done. Next we need to configure how Tor will run. We do this by editing our torrc file.

Code:
sudo nano /etc/tor/torrc

The most important lines in the torrc to add or uncomment (removing the #) for basic CLIENT only (i.e. non-bridge, non-relay, non-exit) Bitcoin operation through Tor are:

Quote
ClientOnly 1
SOCKSPort 9050
SOCKSPolicy accept 127.0.0.1/8
Log notice file /var/log/tor/notices.log
ControlPort 9051
HiddenServiceStatistics 0
ORPort 9001
LongLivedPorts 8333
ExitPolicy reject *:*
DisableDebuggerAttachment 0

See: https://www.torproject.org/docs/tor-manual.html

- The above torrc config. connects us to the Tor network, as CLIENT only, and ensures the SOCKS Port 9050 is accessible from our localhost (127.0.0.1:9050) for Bitcoin to connect through.

N.B. This is also considered an optimal config. for hosting your own Bitcoin addnode=.onion Tor 'ephemeral' hidden_service.
Navigate the torrc screen using your keyboard's arrow keys. When done, save the torrc config. with:

Quote
ctrl + x

Now we are ready to start Tor and the ARM controller using a separate screen session (which is very convenient when using a VPS).

Start (restart) Tor:

Code:
sudo service tor restart

Create a new screen session called tor:

Code:
screen -S tor

Now start ARM within the new 'tor' screen session:

Code:
sudo -u debian-tor arm

N.B. if 'sudo' won't run, then just use only > arm

Success! Now Tor and ARM are running. You can navigate the ARM 'tabs' using the arrow keys on your keyboard.

To exit ARM's screen session (although keep it running when you exit the VPS or continue to work in another screen) press:

Quote
ctrl + A + D

To re-enter the running screen:

Code:
screen -r tor

N.B. Use this command and not ' screen -S tor ' to check that Tor / ARM are running when you next login to your VPS. You only need to use ' screen -S tor ' if you restarted the VPS or shut down the screen session.

You can also use ARM to shut down Tor (closing ARM by pressing q q), first using the menu tab m in ARM, or simply just use:

Code:
sudo service tor stop

N.B. Some VPS servers do not allow using the 'sudo' command as user, so simply omit any reference to 'sudo' in any line above if you encounter this issue.

OK. Part 2 of this guide will look to cover:

- Setting up and running bitcoind on your VPS
- Running a 'dual stack' bitcoind i.e. on clearnet and through Tor.
- Using 'ephemeral' hidden services as addnode=.onion's

If this guide was useful for you please consider some 'tips / donations' at http://StartOR.org - Cheers!

Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 23, 2016, 09:04:48 PM

Part 2
- Setting up and running bitcoind on your VPS
- Running a 'dual stack' bitcoind i.e. on clearnet and through Tor.
- Using 'ephemeral' hidden services as addnode=.onion's

Available soon.

Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 24, 2016, 03:26:09 PM

Additional set-up / config. and package (security) options - also presented for community discussion.
haveged

Set-up 'entropy' for your cloud servers using haveged - algorithm (HArdware Volatile Entropy Gathering and Expansion) ?!?

Code:
sudo apt-get install haveged

Code:
sudo nano /etc/default/haveged

Check for:

Quote
DAEMON_ARGS="-w 1024"

OK

Check for start-up at boot:

Code:
update-rc.d haveged defaults

Quote
System start/stop links for /etc/init.d/haveged already exist.

- https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
- https://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines

...

Socks and DNS

SOCKS / DNS 'leaks' with Tor can still remain prevalent:

- https://www.torproject.org/docs/faq.html.en#SocksAndDNS
- https://www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks

Using SafeSocks 1 in our torrc won't / can't allow Bitcoin connectivity. So, without using any additional tools, how can we make this 'safer' ?

Additional torrc settings:

TorDNS

"The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:"

Code:
sudo nano /etc/tor/torrc

Quote
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

"This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered..."

Using TorDNS for all DNS queries.

"It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in /etc/tor/torrc to show:"

Quote
DNSPort 53

"Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose. Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq. Modify its configuration file so that it contains:"

Code:
sudo nano /etc/dnsmasq.conf

Quote
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1

"These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS as its sole upstream provider. It is now necessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server."

Code:
sudo nano /etc/resolv.conf

Quote
nameserver 127.0.0.1

"Start the dnsmasq daemon. Finally, if you use dhcpcd you would need to change its settings so that it does not alter the resolv configuration file. Just add this line in the configuration file:"

Code:
sudo nano /etc/dhcpcd.conf

Quote
nohook resolv.conf

"If you already have a nohook line, just add resolv.conf separated with a comma."

Quoted source: https://wiki.archlinux.org/index.php/Tor

...

Tor torrc hidden_service options to consider for our addnode=.onion's

Source: https://www.torproject.org/docs/tor-manual.html

CLIENT OPTIONS:

CloseHSClientCircuitsImmediatelyOnTimeout 0|1
"If 1, Tor will close unfinished hidden service client circuits which have not moved closer to connecting to their destination hidden service when their internal state has not changed for the duration of the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destination hidden services. In either case, another set of introduction and rendezvous circuits for the same destination hidden service will be launched. (Default: 0)"

CloseHSServiceRendCircuitsImmediatelyOnTimeout 0|1
"If 1, Tor will close unfinished hidden-service-side rendezvous circuits after the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destinations. In either case, another rendezvous circuit for the same destination client will be launched. (Default: 0)"

HIDDEN SERVICE OPTIONS:

HiddenServiceMaxStreams N
"The maximum number of simultaneous streams (connections) per rendezvous circuit. (Setting this to 0 will allow an unlimited number of simultaneous streams.) (Default: 0)"

HiddenServiceMaxStreamsCloseCircuit 0|1
"If set to 1, then exceeding HiddenServiceMaxStreams will cause the offending rendezvous circuit to be torn down, as opposed to stream creation requests that exceed the limit being silently ignored. (Default: 0)"

HiddenServiceNumIntroductionPoints NUM
"Number of introduction points the hidden service will have. You can't have more than 10. (Default: 3)"

...

Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 28, 2016, 11:50:25 AM

Optimized sysctl.conf - gbit interface.
Sources and references:

- https://www.torservers.net/wiki/setup/server + ( lots of other useful info. )
- https://www.mail-archive.com/or-talk@freehaven.net/msg14159.html

Code:
sudo nano /etc/sysctl.conf

Quote
# used on high bandwidth nodes (gbit interface)
# disabling forwarding first as this will
# reset some other values back to default (!)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_syn_retries = 2
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
kernel.sysrq = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
# optimizations
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_fin_timeout = 4
vm.min_free_kbytes = 65536
net.ipv4.netfilter.ip_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15
net.nf_conntrack_max = 196608
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_local_port_range = 1025 65530
net.core.somaxconn = 20480
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_timestamps = 0

reboot / restart

Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 28, 2016, 12:19:21 PM

Set-up Fail2ban - an intrusion prevention framework.
Reference: https://help.ubuntu.com/community/Fail2ban

Install:

Code:
sudo apt-get install fail2ban

Configuration:

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban

Code:
cd /etc/fail2ban

Code:
sudo cp jail.conf jail.local

Now edit the file:

Code:
sudo nano jail.local

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:

Quote
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

Add your VPS IP address, gateway and DNS hosts to ignoreip =

You can find this information from;

Quote
sudo nano /etc/resolv.conf

and/or

Quote
sudo nano /etc/network/interfaces

N.B. It's best to check that info. before you install / set-up Fail2ban.

bantime = 86400 for 24 hours, 172800 for 48 hours, 604800 for 7 days etc.

Scroll down and also edit:

Quote
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3

N.B. If you run a web server etc., on the same server then you might want to review additional protection settings available in Fail2ban.

Save using;

Quote
ctrl + x

Code:
cd

Once done, restart fail2ban to put those settings into effect;

Code:
sudo /etc/init.d/fail2ban restart

Check / list iptables for Fail2ban blocks / activity with;

Code:
sudo iptables -L

~ Now be astonished at the number of brute-force blocks from automated (or otherwise) hacking attempts against your VPS instance !!!
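To see what the [DEFAULT] values in the post actually do, here is an added example (not fail2ban's own code): a small re-implementation of its sliding-window ban logic run over constructed sshd lines in auth.log format, using findtime=600, maxretry=3, bantime=3600 and ignoreip 127.0.0.1/8 from the post. It also shows something the post does not spell out: an attacker who spaces attempts 15 minutes apart never reaches maxretry inside a 600-second findtime, but is caught once findtime is raised.

```python
"""Added example (not fail2ban's own code): the jail.local sliding-window ban
logic from the post, run over constructed sshd lines in auth.log format."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure line in /var/log/auth.log, as matched by fail2ban's sshd filter
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# Constructed sample: a fast brute force, a slow one, and a localhost client.
SAMPLE_LOG = """\
Feb 28 14:00:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 28 14:00:03 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Feb 28 14:00:05 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Feb 28 14:05:00 vps sshd[2110]: Failed password for root from 198.51.100.9 port 40000 ssh2
Feb 28 14:20:00 vps sshd[2120]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 28 14:35:00 vps sshd[2130]: Failed password for root from 198.51.100.9 port 40002 ssh2
Feb 28 14:40:00 vps sshd[2140]: Failed password for ubuntu from 127.0.0.1 port 33000 ssh2
Feb 28 14:40:01 vps sshd[2141]: Failed password for ubuntu from 127.0.0.1 port 33001 ssh2
Feb 28 14:40:02 vps sshd[2142]: Failed password for ubuntu from 127.0.0.1 port 33002 ssh2
Feb 28 14:40:03 vps sshd[2143]: Accepted publickey for ubuntu from 192.0.2.5 port 44000 ssh2
"""

class Jail:
    def __init__(self, findtime=600, maxretry=3, bantime=3600, ignoreip="127.0.0.1/8"):
        self.findtime = timedelta(seconds=findtime)  # [DEFAULT] values from the post
        self.bantime = timedelta(seconds=bantime)
        self.maxretry = maxretry
        # ignoreip is space separated, and 127.0.0.1/8 has host bits set, hence strict=False
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
        self.failures = defaultdict(list)  # ip -> failure times inside findtime
        self.bans = {}                     # ip -> ban expiry

    def observe(self, line):
        """Feed one syslog line; return the ip if this line triggers a ban."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2016)
        ip = m.group(1)
        if self.is_banned(ip, ts) or any(ipaddress.ip_address(ip) in n for n in self.ignore):
            return None
        # keep only failures newer than findtime, then count this one
        recent = self.failures[ip] = [t for t in self.failures[ip] if ts - t < self.findtime] + [ts]
        if len(recent) < self.maxretry:
            return None
        self.bans[ip] = ts + self.bantime
        self.failures[ip] = []
        return ip

    def is_banned(self, ip, at):
        return ip in self.bans and at < self.bans[ip]

def simulate(log_text, **settings):
    jail = Jail(**settings)
    return [ip for ip in map(jail.observe, log_text.splitlines()) if ip]
```

Run simulate(SAMPLE_LOG) for the post's defaults and simulate(SAMPLE_LOG, findtime=3600) to see the slow attacker banned as well.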
Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: BitcoinFX on February 28, 2016, 02:09:27 PM

iptables (strict) Linux VPS firewall rules:
Reference: https://help.ubuntu.com/community/IptablesHowTo

Code:
sudo iptables -A INPUT -i lo -j ACCEPT

Code:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

or // "If the line above doesn't work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort:"

Quote
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

N.B. It's probably best to avoid using conntrack if you're running a Tor .exit node.

Code:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 43 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Code:
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Code:
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 8332 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 8333 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 9050 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Code:
sudo iptables -A INPUT -p tcp --dport 9051 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

N.B. Consider other ports you might need to accept here i.e. for TorDNS, VNC server access, git clone, key servers etc.,

// Allow several ICMP types - http://www.oregontechsupport.com/articles/icmp.txt

Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT

Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT

Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT

Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT

Code:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT

Code:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

// Drop non-established TCP

Code:
sudo iptables -A INPUT -p tcp --syn -j DROP

// Optionally. Drop everything else !!!

Code:
sudo iptables -A INPUT -j DROP

N.B. Some Tor node operators (pool operators?) might prefer to avoid conntrack and still allow all UDP traffic etc.,

// Allow outgoing connections

Code:
sudo iptables -A OUTPUT -o lo -j ACCEPT

...

Now save your iptables firewall config. with (writing under /etc needs root, hence sudo):

Code:
sudo sh -c "iptables-save -c > /etc/iptables.rules"

Reload your (saved) iptables firewall rules after a server restart with;

Code:
sudo sh -c "iptables-restore -c < /etc/iptables.rules"

// and it's probably best to restart Fail2ban (if we have installed it, see above post)

Code:
sudo /etc/init.d/fail2ban restart

// list your iptables with:

Code:
sudo iptables -L

N.B. No firewall solution is perfect, although this example iptables firewall + Fail2ban is a fairly solid solution, which is certainly more effective than having no firewall in place whatsoever.

Title: Re: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin
Post by: jonnybravo0311 on February 29, 2016, 09:04:21 PM

Have you been able to get tor working with 0.12? I can get it working fine if I use HashedControlPassword and pass the -torpassword parameter (or put it in bitcoin.conf).
However, I cannot get it to properly authenticate using CookieAuthentication (which is enabled by default when you install tor). I keep getting errors thrown at me about not being able to read the cookie file.
Of course, it makes sense since the cookie file (again default installation of tor) gets dropped into /var/run/tor/control.authcookie and file permissions are 640 with owner/group as debian-tor. The bitcoin core process can't read from there. I mean I could change the defaults file to be my bitcoin user, change the location of the cookie file to one the core process can read, etc... or I could just turn off authentication altogether, which should work just fine :P

Thanks for the inputs :)
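The permission failure described in this reply can be checked before pointing bitcoind at the control port. The following is an added example, not code from the thread, Tor or Bitcoin Core: it reads a torrc's control-port authentication settings (CookieAuthentication, HashedControlPassword and CookieAuthFile are real Tor options) and applies the POSIX owner/group/other read check to a cookie file for a given uid and group set. The sample torrc text and cookie file are constructed; the default cookie path is the one quoted in the reply.

```python
"""Added example (not code from the thread, Tor or Bitcoin Core): work out why a
controller such as bitcoind with -torcontrol cannot pass cookie authentication."""
import os
import tempfile

# Path quoted in the reply: Debian/Ubuntu's tor package writes the cookie here.
DEFAULT_COOKIE = "/var/run/tor/control.authcookie"

def torrc_auth(torrc_text):
    """Auth methods a torrc enables; no CookieAuthentication line means off (Tor's default)."""
    cookie, password, cookie_file = False, False, DEFAULT_COOKIE
    for raw in torrc_text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key == "cookieauthentication":
            cookie = value == "1"
        elif key == "hashedcontrolpassword":
            password = True
        elif key == "cookieauthfile":
            cookie_file = value
    methods = [m for m, on in (("cookie", cookie), ("password", password)) if on]
    return {"methods": methods or ["none"], "cookie_file": cookie_file}

def can_read(path, uid, gids):
    """POSIX read check for a process running as uid with group set gids: root reads anything,
    otherwise only the one applicable bit counts, so a 640 debian-tor cookie fails outside that group."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & 0o400)  # owner read bit
    if st.st_gid in gids:
        return bool(st.st_mode & 0o040)  # group read bit
    return bool(st.st_mode & 0o004)      # other read bit

def diagnose(torrc_text, uid, gids, cookie_path=None):
    info = torrc_auth(torrc_text)
    path = cookie_path or info["cookie_file"]
    if "cookie" not in info["methods"]:
        return "cookie auth off; use " + "/".join(info["methods"])
    if can_read(path, uid, gids):
        return "ok: cookie readable"
    return "cookie unreadable: give the controller user group read access or use HashedControlPassword"

def make_sample_cookie(mode=0o640):
    """Constructed stand-in for the real cookie, owned by the current user; returns (path, gid)."""
    fd, path = tempfile.mkstemp(prefix="control.authcookie.")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(32))
    os.chmod(path, mode)
    return path, os.stat(path).st_gid

def identity():
    return os.getuid(), set(os.getgroups()) | {os.getgid()}
```

diagnose(open("/etc/tor/torrc").read(), *identity()) run as the bitcoin user reproduces the verdict for a real installation.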