tengel/papyri
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
papyri/md/debian_tor_relay.md
tengel e8fb7b288e initial import
2024-03-20 11:40:22 -05:00

195 lines
6.5 KiB
Markdown
Raw Permalink Blame History

# Debian Tor Relay
## Contents
- [Server Installation](#server-installation)
- [Server Hardening](#server-hardening)
- [Tor Installation](#tor-installation)
- [Tor Setup](#tor-setup)
- [Tor Backup](#tor-backup)
- [Final Checks](#final-checks)
- [References](#references)
## Server Installation
Spin up a basic **Debian 8 (Jessie) 64bit** cloud instance; the use of inexpensive cloud instances from Digital Ocean are perfect for this type of project. Only basic networking with minimal disk and memory is required, these pre-prepared cloud installations of Debian 8 are ready to go with only a minor bit of work.
> **Be Careful of Costs** - Cloud providers typically charge for time spent running (uptime) _plus_ bandwidth charges. Research costs carefully and ensure the _RelayBandwidthRate_ is configured to meet your budget. Shop around cloud providers to get the best bang for your buck - low uptime and low bandwidth charges are the key factors for a tor node.
The below instructions have been tested on a Digital Ocean standard Debian 8 instance.
## Server Hardening
**1.** Install a few basic packages to make life a little nicer; typically the cloud instances are stripped down and need a few things added, both for security and ease of use. Adjust as needed, at a minimum ensure the below are in place:
```
apt-get update
apt-get install sysstat unattended-upgrades iptables-persistent fail2ban chrony vim-nox iftop sudo -y
```
**2.** Enable _sysstat_ for ongoing statistics capture of your instance (use `sar` to view):
```
sed -i.bak -e 's|^ENABLED=".*"|ENABLED="true"|g' /etc/default/sysstat
```
**3.** Enable _unattended-upgrades_ to ensure that all Security updates are applied:
```
cat << 'EOF' > /etc/apt/apt.conf.d/02periodic
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
EOF
```
**4.** Enable the basic _iptables_ rules to allow only ports 22, 80 and 443:
```
cat << 'EOF' > /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat << 'EOF' > /etc/iptables/rules.v6
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
```
**5.** Configure fail2ban to keep an eye on the SSH port for brute force attacks:
```
cat << 'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = root@localhost
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
EOF
```
**6.** Finally, ensure all the services are enabled and apply all outstanding updates; reboot as needed for a new kernel. If you don't reboot here, you'll need to `service` _foo_ `restart` each one individually:
```
systemctl disable remote-fs.target
systemctl enable sysstat unattended-upgrades iptables-persistent fail2ban chrony
apt-get upgrade -y
reboot
```
## Tor Installation
Add the upstream repository to the server, install the GPG key and tor itself. The `tor-arm` package provides an interesting console interface for the daemon. (run `arm` later on to see it)
```
echo "deb http://deb.torproject.org/torproject.org jessie main" > \
/etc/apt/sources.list.d/tor.list
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install deb.torproject.org-keyring -y
apt-get install tor tor-arm -y
systemctl stop tor
```
## Tor Setup
Edit the `/etc/tor/torrc` configuration to set up the basic parameters; this config file's comments are parsed by the `arm` utility, so don't be tempted to just replace it with the below - hand edit is recommended to preserve the comments.
> **1 TB/month** is roughly **400 KB/s** sustained bandwidth
We will configure bandwidth to 300 KB/s normal and 350 KB/s burst to keep our cloud bandwidth charges in check, and ports 443 and 80 - maximum compatibility for persons in locations with strict ACLs on their network traffic. Choose **Nickname** wisely, it's how others will refer to your node in public. Be careful with ContactInfo and protect yourself from spammers\!
```
# egrep -v "^(#|$)" /etc/tor/torrc
RunAsDaemon 1
ORPort 443
Address <server IP address>
Nickname <your relay nickname>
RelayBandwidthRate 300 KB
RelayBandwidthBurst 350 KB
ContactInfo <your contact info>
DirPort 80
DirPortFrontPage /etc/tor/index.html
ExitPolicy reject *:*
```
Copy over the HTML man page to display on port 80 (see _DirPortFrontPage_ above), ensure it's set to start on reboot and get it running:
```
cp /usr/share/doc/tor/tor.html /etc/tor/index.html
systemctl enable tor
systemctl restart tor
```
## Tor Backup
Preserve a copy of your Tor node information; this is needed if you have to rebuild or move the node and want to retain the same history in the community:
```
cp /var/lib/tor/fingerprint /root/tor.fingerprint
cp /var/lib/tor/keys/secret_id_key /root/tor.secret_id_key
```
Download those two files from the cloud instance and put them in a safe place in your normal backups. The first has one line (nickname and 40-hex char ID), the second is a RSA key.
## Final Checks
Wait an hour or two, then use one (or both) of the below links to search for your relay's nickname:
- <https://atlas.torproject.org/>
- <https://globe.torproject.org/>
Once it's showing up as expected and you're happy with the results, submit your relay to the EFF Tor Challenge and sign up via Tor Weather to keep an eye on it:
- <https://www.eff.org/torchallenge/>
- <https://weather.torproject.org/subscribe/>
## References
- <https://www.torproject.org/docs/tor-relay-debian.html.en>
Reference in a new issue View git blame Copy permalink