How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin

[BitcoinFX]

How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin

With the release of Bitcoin Core version 0.12.0

- https://bitcointalk.org/index.php?topic=1374377.0

We see the following developments for using Bitcoin with Tor:

Automatically use Tor hidden services
-------------------------------------

Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket
API, to create and destroy 'ephemeral' hidden services programmatically.
Bitcoin Core has been updated to make use of this.

This means that if Tor is running (and proper authorization is available),
Bitcoin Core automatically creates a hidden service to listen on, without
manual configuration. Bitcoin Core will also use Tor automatically to connect
to other .onion nodes if the control socket can be successfully opened. This
will positively affect the number of available .onion nodes and their usage.

This new feature is enabled by default if Bitcoin Core is listening, and
a connection to Tor can be made. It can be configured with the `-listenonion`,
`-torcontrol` and `-torpassword` settings. To show verbose debugging
information, pass `-debug=tor`.


A good guide for how-to easily set-up Tor on Linux (Ubuntu) for use with Bitcoin seemed somewhat lacking, so here goes:

(Part 1) - Install Tor with ARM Controller.

Assuming that you already have SSH access to your server:

Code:

sudo apt-get update

Code:

sudo apt-get dist-upgrade

Check that you have the following packages installed and/or install them:

Code:

sudo apt-get install nano screen ca-certificates openssl ntp ntpdate

Check your time server offset:

Code:

ntpdate -q ntp.ubuntu.com

Reboot here, if necessary.


OK. Let's add the Tor official package repository to our sources list:

Reference: https://www.torproject.org/docs/debian.html#ubuntu

Code:

echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list

Import the key:

Code:

gpg --keyserver keyserver.ubuntu.com --recv 886DDD89

or use: gpg --keyserver keys.gnupg.net --recv 886DDD89

Now export the key:

Code:

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Refresh our sources again and we should now see http:// deb. torproject. org being hit a bunch of times.

Code:

sudo apt-get update

Install Tor:

Code:

sudo apt-get install tor

Now Stop Tor, as we need to configure it properly:

Code:

sudo service tor stop

The Tor Project provides a package to keep the signing key current, which is a good thing, so let's install it:

Code:

sudo apt-get install deb.torproject.org-keyring

Install Tor GeoIP data base (might have already installed it):

Code:

sudo apt-get install tor-geoipdb

Install Tor ARM controller:

Code:

sudo apt-get install tor-arm apparmor-utils

Done.


Next we need to configure how Tor will run. We do this by editing our torrc file.

Code:

sudo nano /etc/tor/torrc

The most important lines in the torrc to add or uncomment (removing the #) for basic CLIENT only (i.e. non-bridge, non-relay, non-exit) Bitcoin operation through Tor are:

ClientOnly 1

SOCKSPort 9050

SOCKSPolicy accept 127.0.0.1/8

Log notice file /var/log/tor/notices.log

ControlPort 9051

HiddenServiceStatistics 0

ORPort 9001

LongLivedPorts 8333

ExitPolicy reject *:*

DisableDebuggerAttachment 0

See: https://www.torproject.org/docs/tor-manual.html

- The above torrc config. connects us to the Tor network, as CLIENT only and ensures the SOCKS Port 9050 is accessible from our localhost (127.0.0.1:9050) for Bitcoin to connect through. N.B. This is also considered an optimal config. for hosting your own Bitcoin addnode=.onion Tor 'ephemeral' hidden_service.

Navigate the torrc screen using your keyboard's arrow keys. When done, Save the torrc config. with:

ctrl + x

Now we are ready to start Tor and the ARM controller using a separate screen session (which is very convenient when using a VPS).

Start (restart) Tor:

Code:

sudo service tor restart

Create a new screen session called tor:

Code:

screen -S tor

Now start ARM within the new 'tor' screen session:

Code:

sudo -u debian-tor arm

N.B. if 'sudo' won't run, then just use only > arm

Success! Now Tor and ARM are running. You can navigate the ARM 'tabs' using the arrow keys on your keyboard.

To exit ARM's screen session (although keep it running when you exit the VPS or continue to work in another screen) press:

ctrl + A + D

To re-enter the running screen:

Code:

screen -r tor

N.B. Use this command and not ' screen -S tor ' to check that Tor / ARM are running when you next login to your VPS.
You only need to use ' screen -S tor ' if you restarted the VPS or shut down the screen session.

You can also use ARM to shut down Tor (closing ARM by pressing q q) , first using the menu tab m in ARM or simply just use:

Code:

sudo service tor stop

N.B. Some VPS servers do not allow using the 'sudo' command as user, so simply omit any reference to 'sudo' in any line above if you encounter this issue.


OK. Part 2 of this guide will look to cover:

- Setting up and running bitcoind on your VPS

- Running a 'dual stack' bitcoind i.e. on clearnet and though Tor.

- Using 'ephemeral' hidden services as addnode=.onion's


If this guide was useful for you please consider some 'tips / donations' at http://StartOR.org - Cheers!
  

[1714095132]

1714095132

[1714095132]

1714095132

[1714095132]

1714095132

[1714095132]

1714095132

[1714095132]

1714095132

[BitcoinFX]

Part 2

- Setting up and running bitcoind on your VPS

- Running a 'dual stack' bitcoind i.e. on clearnet and though Tor.

- Using 'ephemeral' hidden services as addnode=.onion's

Available soon.

[BitcoinFX]

Additional set-up / confg. and package (security) options - also presented for community discussion.

haveged

Set-up 'entropy' for your cloud servers using haveged - algorithm (HArdware Volatile Entropy Gathering and Expansion) ?!?

Code:

sudo apt-get install haveged

Code:

sudo nano /etc/default/haveged

Check for:

DAEMON_ARGS="-w 1024"

OK

Check for start-up at boot:

Code:

update-rc.d haveged defaults

System start/stop links for /etc/init.d/haveged already exist.

- https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

- https://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines

...

Socks and DNS

SOCKS / DNS 'leaks' with Tor can still remain prevalent:

- https://www.torproject.org/docs/faq.html.en#SocksAndDNS

- https://www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks

Using SafeSocks 1 in our torrc won't / can't allow Bitcoin connectivity. So, without using any additional tools, how can we make this 'safer' ?

Additional torrc settings:

TorDNS

"The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:"

Code:

sudo nano /etc/tor/torrc

DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

"This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered..."

Using TorDNS for all DNS queries.

"It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in /etc/tor/torrc to show: "

DNSPort 53

"Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq.

Modify its configuration file so that it contains: "

Code:

sudo nano /etc/dnsmasq.conf

no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1

"These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS at its sole upstream provider. It is now neccessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server. "

Code:

sudo nano /etc/resolv.conf

nameserver 127.0.0.1

"Start the dnsmasq daemon.

Finally if you use dhcpd you would need to change its settings to that it does not alter the resolv configuration file. Just add this line in the configuration file: "

Code:

sudo nano /etc/dhcpcd.conf

nohook resolv.conf

"If you already have an nohook line, just add resolv.conf separated with a comma. "

Quoted source: https://wiki.archlinux.org/index.php/Tor

...

Tor torrc hidden_service options to consider for our addnode=.onion's

Source: https://www.torproject.org/docs/tor-manual.html

CLIENT OPTIONS:

CloseHSClientCircuitsImmediatelyOnTimeout 0|1

   " If 1, Tor will close unfinished hidden service client circuits which have not moved closer to connecting to their destination hidden service when their internal state has not changed for the duration of the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destination hidden services. In either case, another set of introduction and rendezvous circuits for the same destination hidden service will be launched. (Default: 0) "

CloseHSServiceRendCircuitsImmediatelyOnTimeout 0|1

   " If 1, Tor will close unfinished hidden-service-side rendezvous circuits after the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destinations. In either case, another rendezvous circuit for the same destination client will be launched. (Default: 0) "

HIDDEN SERVICE OPTIONS:

HiddenServiceMaxStreams N

  " The maximum number of simultaneous streams (connections) per rendezvous circuit. (Setting this to 0 will allow an unlimited number of simultanous streams.) (Default: 0) "

HiddenServiceMaxStreamsCloseCircuit 0|1

   " If set to 1, then exceeding HiddenServiceMaxStreams will cause the offending rendezvous circuit to be torn down, as opposed to stream creation requests that exceed the limit being silently ignored. (Default: 0) "

HiddenServiceNumIntroductionPoints NUM

   " Number of introduction points the hidden service will have. You can’t have more than 10. (Default: 3) "

...
  

[BitcoinFX]

Optimized sysctl.conf - gbit interface.

Sources and references:

- https://www.torservers.net/wiki/setup/server + ( lots of other useful info. )

- https://www.mail-archive.com/or-talk@freehaven.net/msg14159.html

Code:

sudo nano /etc/sysctl.conf

# used on high bandwidth nodes (gbit interface)

# disabling forwarding first as this will
# reset some other values back to default (!)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_syn_retries = 2
    
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0

kernel.sysrq = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# optimizations
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432  
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_fin_timeout = 4
vm.min_free_kbytes = 65536
net.ipv4.netfilter.ip_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15
net.nf_conntrack_max = 196608
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_local_port_range = 1025 65530
net.core.somaxconn = 20480
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_timestamps = 0

 
reboot / restart

[BitcoinFX]

Set-up Fail2ban - an intrusion prevention framework.

Reference: https://help.ubuntu.com/community/Fail2ban

Install:

Code:

sudo apt-get install fail2ban

Configuration:

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban

Code:

cd /etc/fail2ban

Code:

sudo cp jail.conf jail.local

Now edit the file:

Code:

sudo nano jail.local

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

Add your VPS IP address, gateway and DNS hosts to ignoreip =

You can find this information from;

sudo nano /etc/resolv.conf

and/or

sudo nano /etc/network/interfaces

N.B. It's best to check that info. before you install / set-up Fail2ban.

bantime  =

86400 for 24 hours

172800 for 48 hours

604800 for 7 days etc.

Scroll down and also edit:

[ssh]

enabled  = true
port  = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[dropbear]

enabled = true
port  = ssh
filter = dropbear
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]

enabled  = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3

N.B. If you run a web server etc., on the same server then you might want to review additional protection settings available in Fail2ban.

Save using;

ctrl + x

Code:

cd

Once done, restart fail2ban to put those settings into effect;

Code:

sudo /etc/init.d/fail2ban restart

Check / list iptables for Fail2ban blocks / activity with;

Code:

sudo iptables -L

~ Now be astonished at the number of brute-force blocks from automated (or otherwise) hacking attempts against your VPS instance !!!

  

[BitcoinFX]

iptables (strict) Linux VPS firewall rules:

Reference: https://help.ubuntu.com/community/IptablesHowTo

Code:

sudo iptables -A INPUT -i lo -j ACCEPT

// Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0

Code:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

// "We can allow established sessions to receive traffic:"

or

// "If the line above doesn't work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort: "

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

N.B. It's probably best to avoid using conntrack if your running a Tor .exit node.

Code:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

// Accept incoming port 22 for SSH VPS login. Change this to your own non-standard SSH port if required.

Code:

sudo iptables -A INPUT -p tcp --dport 43 -j ACCEPT

// Accept port 43 for WHOIS protocol / Fail2ban look-ups.

Code:

sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Code:

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

// Accept port 53 for DNS.

Code:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

// Optionally. Accept port 80 for your http web server or Tor DirPort (alternate port 9030).

Code:

sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT

// Accept port 123 UDP for Network Time Protocol (NTP), used for time synchronization.

Code:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

// Optionally. Accept port 443 for your https web server or Tor ORPort (alternate port 9001).

Code:

sudo iptables -A INPUT -p tcp --dport 8332 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

// Restrict Bitcoin RPC port 8332 to only accept localhost source and destination traffic.

Code:

sudo iptables -A INPUT -p tcp --dport 8333 -j ACCEPT

// Accept port 8333 for Bitcoin incoming connections.

Code:

sudo iptables -A INPUT -p tcp --dport 9050 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

// Restrict Tor SOCKS Port 9050 to only accept localhost source and destination traffic.

Code:

sudo iptables -A INPUT -p tcp --dport 9051 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

// Restrict Tor Control Port 9051 to only accept localhost source and destination traffic.

N.B. Consider other ports you might need to accept here i.e. for TorDNS, VNC server access, git clone, key servers etc.,

// Allow several ICMP types
- http://www.oregontechsupport.com/articles/icmp.txt

Code:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT

Code:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT

Code:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT

Code:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT

Code:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT

Code:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

// Drop non-established TCP

Code:

sudo iptables -A INPUT -p tcp --syn -j DROP

// Optionally. Drop everything else !!!

Code:

sudo iptables -A INPUT -j DROP

N.B. Some Tor node operators (pool operators?) might prefer to avoid conntrack and still allow all UDP traffic etc.,

// Allow outgoing connections

Code:

sudo iptables -A OUTPUT -o lo -j ACCEPT

...

Now save your iptables firewall config. with:

Code:

sh -c "iptables-save -c > /etc/iptables.rules"

// sudo sh (if required)

Reload your (saved) iptables firewall rules after a server restart with;

Code:

sh -c "iptables-restore -c < /etc/iptables.rules"

// sudo sh (if required)

// and it's probably best to restart Fail2ban (if we have installed it, see above post)

Code:

sudo /etc/init.d/fail2ban restart

// list your iptables with:

Code:

sudo iptables -L

N.B. No firewall solution is perfect, although this example iptables firewall + Fail2ban is a fairly solid solution, which is certainly more effective than having no firewall in place whatsoever.
  

[jonnybravo0311]

Have you been able to get tor working with 0.12?  I can get it working fine if I use HashedControlPassword and pass the -torpassword parameter (or put it in bitcoin.conf).  However, I cannot get it to properly authenticate using CookieAuthentication (which is enabled by default when you install tor).  I keep getting errors thrown at me about not being able to read the cookie file.

Of course, it makes sense since the cookie file (again default installation of tor) gets dropped into /var/run/tor/control.authcookie and file permissions are 640 with owner/group as debian-tor.  The bitcoin core process can't read from there.

I mean I could change the defaults file to be my bitcoin user, change the location of the cookie file to one the core process can read, etc... or I could just turn off authentication altogether, which should work just fine

Thanks for the inputs