Monday, November 28, 2016

Setting Up and Running a TOR Exit Node [CentOS 7/Ubuntu 16.04]

Introduction


Running a TOR exit node is a large responsibility, and it requires the foreknowledge that this project will need maintenance as time goes on. The operating system must be kept up to date and held to a strict standard of security. You are taking a huge responsibility on yourself: the security and safe browsing of every tor user who exits through your node rests on your shoulders.

No joke, here is some required reading.
Tips for running an exit node
Running a TOR exit node for fun and emails
Legal FAQ


Did you read it?
No? Go read it!!!!

Prerequisites:

  • Subdomain of a FQDN
  • Abuse email
  • Dedicated server
  • Desire for a free and open internet
While none of these is strictly required, each plays an important part in supporting a TOR exit node over the long term. A subdomain of a fully qualified domain name supports rotating IPs and gives you an easy-to-remember name during configuration.

An abuse email is for other people to contact you in the event they see abusive traffic coming from your server. I don't like the idea that there are people out there using the anonymity of the server to do something malicious, but it's a fact that needs to be thought out and deterred as much as possible.

Personally I don't think it is fair to use a shared server to perform something as bandwidth intensive as TOR can be. Each person on the hypervisor is allocated the same amount of resources, so if one user consumes all the bandwidth, other paying customers will be, rightfully, upset. For this reason, I prefer dedicated hardware.

Finally, a desire for a free and open internet is what running a TOR server serves. I run it because I see Internet Service Providers engaging in subpar or unfair business practices, whether it be blocking access to certain sites, such as social media, or logging all internet access and providing it at will to any government agency that asks. I find these acts unlawful and will work toward a safe and neutral internet that is available for anyone to use, regardless of location or intention.

Firewall


First, I recommend setting up a firewall and an Intrusion Protection System. In my opinion, the best "set and forget" way to do this is with csf. Installation is quite straightforward but requires a bit of configuration to get the settings correct. The goal is to open only the ports that are absolutely needed and restrict everything else from entering. Since this server performs no packet forwarding, I leave outbound wide open. Here is the section from my /etc/csf/csf.conf which allows the tor ports and ssh inbound. Why these specific ports are open will be explained later.

# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "22,80,443,9030,9050"

# Allow outgoing TCP ports
TCP_OUT = "1:65535"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list 
UDP_OUT = "1:65535"

# Allow incoming PING
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# e.g. "1/s"
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
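A small consistency check, added here as an example and not part of the original post or of csf itself: it parses the TCP_IN / TCP_OUT lists in the csf.conf format above (ranges use a colon, items use commas) and compares the inbound set with the listeners this guide actually sets up (sshd on 22, tor's DirPort on 80 and ORPort on 443; that list is an assumption you adjust to your own torrc). Anything allowed inbound that no service is meant to answer is a hole worth closing; anything a service needs that the firewall lacks is a silent outage. The csf.conf text is constructed sample input.

```python
import re

# Constructed sample in the format of /etc/csf/csf.conf, mirroring the
# values shown above (comment and blank lines are included on purpose).
CSF_CONF = """
# Allow incoming TCP ports
TCP_IN = "22,80,443,9030,9050"

# Allow outgoing TCP ports
TCP_OUT = "1:65535"

# Allow incoming UDP ports
UDP_IN = "53"
"""

# Ports this host is meant to serve, taken from the rest of this post:
# sshd on 22, tor's DirPort on 80 and its ORPort on 443.  (Assumed list;
# adjust it to match your own torrc.)
EXPECTED_LISTENERS = {
    22: "sshd",
    80: "tor DirPort",
    443: "tor ORPort",
}


def parse_csf_ports(conf_text, key):
    """Return the set of ports that a csf port list such as TCP_IN allows.

    csf lists are comma separated; an item is a single port or a
    colon-separated range such as "1:65535".
    """
    pattern = r'^\s*' + re.escape(key) + r'\s*=\s*"([^"]*)"'
    match = re.search(pattern, conf_text, re.MULTILINE)
    if match is None:
        raise KeyError("%s not found in csf.conf" % key)
    ports = set()
    for item in match.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            low, high = item.split(":", 1)
            ports.update(range(int(low), int(high) + 1))
        else:
            ports.add(int(item))
    return ports


def audit_inbound(allowed, expected):
    """Compare allowed inbound ports with the listeners we intend to run.

    Returns (unneeded, blocked):
      unneeded - allowed inbound, but nothing is meant to listen there
      blocked  - a service we intend to expose that the firewall would drop
    """
    unneeded = sorted(allowed - set(expected))
    blocked = sorted(set(expected) - allowed)
    return unneeded, blocked


if __name__ == "__main__":
    tcp_in = parse_csf_ports(CSF_CONF, "TCP_IN")
    unneeded, blocked = audit_inbound(tcp_in, EXPECTED_LISTENERS)
    print("allowed inbound TCP :", sorted(tcp_in))
    print("open but unused     :", unneeded)   # -> [9030, 9050]
    print("needed but blocked  :", blocked)    # -> []
```

9030 and 9050 are tor's default DirPort and SocksPort numbers, but the torrc in this guide serves the directory on 80, takes relay connections on 443 and rejects SOCKS entirely (the default SocksPort listens on localhost only), so the check reports both as inbound holes that can be closed. It only reads configuration; confirm the live picture with ss -ltn on the host.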

 -------

Installation of TOR:


CentOS:

yum update -y
yum install epel-release -y
yum install tor -y  

Ubuntu:
Do not use the packages in Ubuntu's universe. In the past they have not reliably been updated. That means you could be missing stability and security fixes.
Raspbian is not Debian. These packages will be confusingly broken for Raspbian users, since Raspbian called their architecture armhf but Debian already has an armhf. See this post for details.

Follow the official documentation for installation steps.

------

SELinux


For a secure server, SELinux is a must. Tor needs to be able to bind port 80 (Directory Services) and port 443 (the ORPort), so SELinux has to be told that those ports belong to tor.

First, is SELinux enabled?

sestatus | grep status
SELinux status:                 enabled

If it is, we first check which ports tor is already allowed to use:

semanage port -l | grep tor
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150

Now let's add ports 80 and 443 so that TOR is granted access to them.

semanage port -m -t tor_port_t -p tcp 80
semanage port -m -t tor_port_t -p tcp 443

Each of the above commands may take up to a minute to complete, and then return no output. This is normal.

-----

Configuration


The tor config file is located at /etc/tor/torrc

Here is my config file with none of the default comments; instead, each setting carries my own comment.

# Default control-socket settings shared by tor and arm
ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1

# I don't allow SOCKS connections, internally or externally.
SOCKSPolicy reject *

# Log files are important; I just log notices. Look at the help for further debug levels.
Log notice file /var/log/tor/notices.log

# This is the port ARM will connect to for an admin view of your tor service (bound to localhost by default)
ControlPort 9051

# The port TOR advertises for incoming relay connections
ORPort 443

# The IP address or full DNS name for incoming connections to your relay or exit node
Address torfr.arlionprojects.com

# A handle for your relay, so people don't have to refer to it by key.
Nickname arlionprojects

# Administrative contact so that those with complaints are able to reach you. This will go a long way toward keeping your tor exit node alive and running.
ContactInfo abuse@arlionprojects.com

# Serve the directory on port 80; this is the port granted to tor_port_t in the SELinux section above,
# and it is also where the exit notice below is shown.
DirPort 80

# Web page that greets a user on port 80, informing them they have stumbled on a tor exit node.
## You can get this page by
### wget https://svn.torproject.org/svn/tor/branches/hidserv-perf/contrib/tor-exit-notice.html -O /etc/tor/tor-exit-notice.html
DirPortFrontPage /etc/tor/tor-exit-notice.html

# Never exit to unspecified, link-local, loopback or private address ranges.
# Tor evaluates ExitPolicy lines in order and the first match wins, so these come first.
ExitPolicy reject 0.0.0.0/8
ExitPolicy reject 169.254.0.0/16
ExitPolicy reject 127.0.0.0/8
ExitPolicy reject 192.168.0.0/16
ExitPolicy reject 10.0.0.0/8
ExitPolicy reject 172.16.0.0/12
ExitPolicy accept *:20-21     # FTP - File Transfer Protocol (data / control)
ExitPolicy accept *:43        # WHOIS - who is query and response protocol
ExitPolicy accept *:53        # DNS - Domain Name System
ExitPolicy accept *:79        # finger - Name/Finger user information protocol
ExitPolicy accept *:80-81     # HTTP - Hypertext Transfer Protocol / web browsing
ExitPolicy accept *:88        # kerberos - computer network authentication protocol
ExitPolicy accept *:110       # POP3 - Post Office Protocol v3 (receive email only) 
ExitPolicy accept *:143       # IMAP - Internet Message Access Protocol, management of email messages (receive email only)
ExitPolicy accept *:220       # IMAP3 - Internet Message Access Protocol v3 (receive email only)
ExitPolicy accept *:389       # LDAP - Lightweight Directory Access Protocol
ExitPolicy accept *:443       # HTTPS - Hypertext Transfer Protocol over TLS/SSL / secure web browsing
ExitPolicy accept *:464       # kpasswd - Kerberos Change/Set password
ExitPolicy accept *:531       # IRC/AIM - AOL Instant Messenger
ExitPolicy accept *:543-544   # Kerberos - klogin, Kerberos login / kshell, Kerberos Remote shell
ExitPolicy accept *:554       # RTSP - Real Time Streaming Protocol
ExitPolicy accept *:636       # LDAP - Lightweight Directory Access Protocol over TLS/SSL
ExitPolicy accept *:706       # SILC - Secure Internet Live Conferencing
ExitPolicy accept *:749       # kerberos - protocol administration
ExitPolicy accept *:873       # rsync - file synchronization protocol
ExitPolicy accept *:902-904   # VMware - Virtual Infrastructure Client / Console / Server
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-990   # FTP over TLS/SSL - File Transfer Protocol (data / control)
ExitPolicy accept *:991       # Netnews Administration System
ExitPolicy accept *:992       # Telnet protocol over TLS/SSL
ExitPolicy accept *:993       # IMAP over SSL - Internet Message Access Protocol over TLS/SSL (receive email only)
ExitPolicy accept *:995       # POP3 over SSL - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:1194      # OpenVPN - Virtual Private Network
ExitPolicy accept *:1220      # QT Server Admin - QuickTime Streaming Server administration
ExitPolicy accept *:1293      # PKT-KRB-IPSec - Internet Protocol Security
ExitPolicy accept *:1500      # VLSI License Manager - Firewall (NT4-based) Remote Management / Server
ExitPolicy accept *:1533      # Sametime - IM—Virtual Places Chat MS SQL Server
ExitPolicy accept *:1677      # GroupWise - clients in client/server access mode
ExitPolicy accept *:1723      # PPTP - Point-to-Point Tunneling Protocol
ExitPolicy accept *:1755      # RTSP - Media Services (MMS, ms-streaming)
ExitPolicy accept *:1863      # MSNP - MS Notification Protocol, MS Messenger service / Instant Messaging clients
ExitPolicy accept *:2083      # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI - Web Host Manager default and Web Host Manager default SSL
ExitPolicy accept *:2095-2096 # NBX - CPanel default web mail and CPanel default SSL web mail
ExitPolicy accept *:2102-2104 # Zephyr - Project Athena Notification Service server / connection / host manager
ExitPolicy accept *:3690      # SVN - Subversion version control system
ExitPolicy accept *:4321      # RWHOIS - Referral Who is Protocol
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC - Yahoo! Messenger
ExitPolicy accept *:5190      # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL - Extensible Messaging and Presence Protocol client connection
ExitPolicy accept *:5228      # Android Market - Google Play, Android Cloud, Google Cloud Messaging / HP Virtual Room Service
ExitPolicy accept *:8008      # HTTP alternate / Server administration default
ExitPolicy accept *:8074      # Gadu-Gadu - instant messaging client
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE - HyperVM, Freenet, MAMP Server
ExitPolicy accept *:9418      # git - Git pack transfer service
ExitPolicy accept *:10000     # Network Data Management Protocol - Webmin, Web-based Unix/Linux system administration tool
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP - Voice and Video connections
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy accept *:64738     # Mumble - voice over IP
ExitPolicy reject *:*
ExitRelay 1


Now let's grab the tor exit notice, informing any unsuspecting users that this server is a tor exit node.
wget https://svn.torproject.org/svn/tor/branches/hidserv-perf/contrib/tor-exit-notice.html -O /etc/tor/tor-exit-notice.html

READ READ READ!
Why I chose such a restrictive exit policy.
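To see how tor actually applies a policy like the one above, here is an added example (not from the original post and not tor's own code) that parses ExitPolicy lines in tor's "accept|reject ADDR[/MASK][:PORT]" syntax and answers "would this exit carry a connection to ip:port?" with the same first-match-wins rule tor uses. It models IPv4 patterns only, the policy text is a constructed excerpt of the list above, and 203.0.113.0/24 is a documentation range standing in for a public destination.

```python
import ipaddress

# Constructed excerpt of the ExitPolicy lines from the torrc above, in
# the same order; the full list is handled identically.
POLICY_LINES = """
ExitPolicy reject 0.0.0.0/8
ExitPolicy reject 169.254.0.0/16
ExitPolicy reject 127.0.0.0/8
ExitPolicy reject 192.168.0.0/16
ExitPolicy reject 10.0.0.0/8
ExitPolicy reject 172.16.0.0/12
ExitPolicy accept *:20-21     # FTP
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:80-81     # HTTP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:993       # IMAP over SSL
ExitPolicy reject *:*
"""


def parse_exit_policy(text):
    """Parse ExitPolicy lines into (action, network, port_low, port_high).

    Tor's syntax is "accept|reject ADDR[/MASK][:PORT]": ADDR may be '*',
    PORT may be a single port, a 'low-high' range or '*', and a missing
    port part means every port.  Only IPv4 patterns are modelled here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        _, action, pattern = line.split(None, 2)
        if ":" in pattern:
            addr, port = pattern.rsplit(":", 1)
        else:
            addr, port = pattern, "*"
        if addr == "*":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr, strict=False)
        if port == "*":
            low, high = 1, 65535
        elif "-" in port:
            low, high = (int(p) for p in port.split("-", 1))
        else:
            low = high = int(port)
        rules.append((action, net, low, high))
    return rules


def exit_decision(rules, ip, port):
    """Return 'accept' or 'reject' from the first rule matching (ip, port).

    Returns None when no rule matches; a real tor would then fall back to
    its built-in default exit policy, which is why the list above ends
    with an explicit 'reject *:*'.
    """
    addr = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if addr in net and low <= port <= high:
            return action
    return None


if __name__ == "__main__":
    rules = parse_exit_policy(POLICY_LINES)
    # 203.0.113.0/24 is a documentation range used here as a stand-in public IP.
    for ip, port in [("203.0.113.10", 443), ("203.0.113.10", 25),
                     ("10.1.2.3", 443), ("172.31.0.1", 80), ("172.32.0.1", 80)]:
        print("%s:%d -> %s" % (ip, port, exit_decision(rules, ip, port)))
```

Two things the walk-through makes visible: port 443 to a private address is rejected even though 443 is accepted later, because the reject lines sit above it, and port 25 never reaches an accept line and hits the final reject *:*. Drop that last line and the function returns None, the case where tor would substitute its own default policy instead of yours.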

-----

ARM

ARM is a curses-based terminal utility that provides a top-level view of the current activity and utilization of the server. ARM connects to the ControlPort set in /etc/tor/torrc, in our case 9051.


ARM Download

CentOS
#Import Author's GPG key
gpg --keyserver pgp.mit.edu --recv-keys 0x9ABBEEC6

#Confirm the signature to the downloaded RPM
gpg --verify arm-1.4.5.0-1.rpm.asc arm-1.4.5.0-1.rpm

#Install the Package
yum install arm-1.4.5.0-1.rpm -y

Ubuntu:
apt-get install tor-arm -y

To use arm, simply type arm into bash. No further configuration is required.

-----

First Days

Everyone's experience differs; however, my server picked up activity right away, obtaining the "Running", "V2Dir" and "Valid" flags immediately, and two days later gaining the "Fast" and "Exit" flags. More on TOR flags and what they mean.

Data Usage Stats:

         day         rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
      25/11/16     13.99 GiB |   13.82 GiB |   27.81 GiB |    2.70 Mbit/s
      26/11/16      2.08 GiB |    1.99 GiB |    4.06 GiB |  394.67 kbit/s
      27/11/16      3.72 GiB |    3.59 GiB |    7.31 GiB |  709.87 kbit/s
      28/11/16     24.87 GiB |   24.75 GiB |   49.62 GiB |    7.09 Mbit/s


So traffic is slowly picking up on the server. Currently I have only encountered one problem, and that is that my IRC bot was banned immediately from IRC due to being IP banned for running an Exit Node. No other issues to report at this time.

-----
Update: 12/7

 eth0  /  daily

         day         rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     11/25/2016        0 KiB |       0 KiB |       0 KiB |    0.00 kbit/s
     11/28/2016     7.36 GiB |    7.35 GiB |   14.72 GiB |    1.43 Mbit/s
     11/29/2016    97.87 GiB |   97.03 GiB |  194.90 GiB |   18.92 Mbit/s
     11/30/2016   136.14 GiB |  134.35 GiB |  270.50 GiB |   26.26 Mbit/s
     12/01/2016   144.20 GiB |  141.73 GiB |  285.93 GiB |   27.76 Mbit/s
     12/02/2016   211.83 GiB |  208.05 GiB |  419.89 GiB |   40.77 Mbit/s
     12/03/2016   265.49 GiB |  260.72 GiB |  526.21 GiB |   51.09 Mbit/s
     12/04/2016   367.22 GiB |  360.82 GiB |  728.04 GiB |   70.69 Mbit/s
     12/05/2016   470.92 GiB |  462.24 GiB |  933.16 GiB |   90.60 Mbit/s
     12/06/2016   491.49 GiB |  479.99 GiB |  971.48 GiB |   94.32 Mbit/s
     12/07/2016   234.37 GiB |  228.67 GiB |  463.05 GiB |   75.62 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated    394.27 GiB |  384.68 GiB |  778.95 GiB |


Due to the bandwidth cap being hit at almost 100% utilization, I have put a bandwidth cap into the torrc config file.

# Sustained rate and short burst allowance for relayed traffic.
# Note that tor reads "MB" as megabytes (75 MB is about 629 Mbit/s); a cap in megabits is written with the "MBits" unit.
RelayBandwidthRate 75 MB
RelayBandwidthBurst 80 MB
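Because the vnstat table above is in Mbit/s while tor's RelayBandwidthRate counts bytes, it is easy to set a cap that does nothing. This added example (not from the original post, and not vnstat's or tor's code) parses a constructed copy of the daily table, picks out the peak daily average, and converts a RelayBandwidthRate value into the same Mbit/s scale so the two can be compared. The unit multipliers are the ones tor's config parser applies (byte units are powers of 1024, and the bit units are those divided by 8); the 100 Mbit/s link size at the end is an assumption consistent with the ~94 Mbit/s days in the table.

```python
import re

# Constructed sample in vnstat's daily-table layout, using four rows from
# the 12/7 update above.
VNSTAT_DAILY = """
         day         rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     12/04/2016   367.22 GiB |  360.82 GiB |  728.04 GiB |   70.69 Mbit/s
     12/05/2016   470.92 GiB |  462.24 GiB |  933.16 GiB |   90.60 Mbit/s
     12/06/2016   491.49 GiB |  479.99 GiB |  971.48 GiB |   94.32 Mbit/s
     12/07/2016   234.37 GiB |  228.67 GiB |  463.05 GiB |   75.62 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated    394.27 GiB |  384.68 GiB |  778.95 GiB |
"""

# vnstat prints rates in decimal (1000-based) bits per second.
VNSTAT_RATE_TO_MBIT = {"kbit/s": 1e-3, "Mbit/s": 1.0, "Gbit/s": 1e3}

# Multipliers tor applies to RelayBandwidthRate/Burst values, in bytes.
# Byte units are powers of 1024; the bit units are the same divided by 8,
# so "MBits" is 2**17 bytes per second.
TOR_UNIT_BYTES = {
    "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30,
    "KBits": 1 << 7, "MBits": 1 << 17, "GBits": 1 << 27,
}

# One dated row: date, three byte columns we ignore, then the avg. rate.
ROW = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s.*\|\s*([\d.]+)\s+(kbit/s|Mbit/s|Gbit/s)\s*$"
)


def parse_vnstat_daily(text):
    """Return [(date, avg_rate_mbit), ...] for every dated row of the table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rate = float(m.group(2)) * VNSTAT_RATE_TO_MBIT[m.group(3)]
            rows.append((m.group(1), rate))
    return rows


def peak_rate_mbit(rows):
    """Highest daily average rate seen, in Mbit/s."""
    return max(rate for _, rate in rows)


def tor_rate_bytes_per_sec(value, unit):
    """Bytes per second tor will enforce for a 'value unit' setting."""
    return value * TOR_UNIT_BYTES[unit]


def bytes_per_sec_to_mbit(bps):
    """Convert bytes/s to decimal Mbit/s, vnstat's scale."""
    return bps * 8 / 1e6


def cap_is_below(value, unit, link_mbit):
    """True if the tor cap actually sits under the link's rate in Mbit/s."""
    return bytes_per_sec_to_mbit(tor_rate_bytes_per_sec(value, unit)) < link_mbit


if __name__ == "__main__":
    rows = parse_vnstat_daily(VNSTAT_DAILY)
    print("peak daily average: %.2f Mbit/s" % peak_rate_mbit(rows))
    for value, unit in [(75, "MB"), (75, "MBits")]:
        mbit = bytes_per_sec_to_mbit(tor_rate_bytes_per_sec(value, unit))
        print("RelayBandwidthRate %d %s = %.2f Mbit/s" % (value, unit, mbit))
    # Assumed 100 Mbit/s link, consistent with the ~94 Mbit/s days above.
    print("75 MB caps a 100 Mbit/s link:", cap_is_below(75, "MB", 100))
```

On these numbers, 75 MB works out to roughly 629 Mbit/s, which a 100 Mbit/s link can never reach, while 75 MBits is about 78.6 Mbit/s and would hold the relay below the days that peaked near 94 Mbit/s. Whichever figure you intend, check it against the table the same way before relying on it.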

