Diffstat (limited to 'USINGTORK')
-rw-r--r-- | USINGTORK | 313 |
1 files changed, 313 insertions, 0 deletions
diff --git a/USINGTORK b/USINGTORK new file mode 100644 index 0000000..1568b94 --- /dev/null +++ b/USINGTORK 
@@ -0,0 +1,313 @@ +Here are some miscellaneous notes on using Tor and TorK: + + +What do I need to know about Tor/TorK? + +First of all some don'ts: + * Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails) +or telnet. By doing so you are sending out username/password combinations that +some people harvest, e.g. http://tor.unixgu.ru. + * Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example, +don't do some anonymous browsing and then log into hotmail during the same +'anonymous' Tor session. Why? Anyone listening on the tor network might put +two and two together and identify you. Better to keep Tor for 'anonymous' +tasks only. +Now some do's: + * Do run a Tor server if you can. Choose one of the server options TorK +provides. A 'Relay' server is an easy and hassle-free way to contribute to the +network. An 'Exit' server is the only one that involves putting your name to +other people's traffic. + * Do behave responsibly when using Tor. Try not to sink to the level of your +own government! + +Finally: +Tor is developed and maintained by the people at http://tor.eff.org. They are +professionals. They're mostly from MIT. They know what they're doing. TorK is +developed and maintained by a hobbyist. From Ireland. In his spare time. +So: TorK probably has lots of faults the developer is not aware of or hasn't +fixed yet. If you spot them, let the poor sod know by clicking on Help -> +'Report Bug'. + +What is 'Paranoid Mode'? +In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by +clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode' +TorK/Tor will try to use a new identity for every new connection you make. +This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous' +traffic in Tor. 
For example, if you do some anonymous browsing and then log +into hotmail during the same 'anonymous' Tor session anyone listening on the +tor network might put two and two together and identify you. Using different +identities for each connection will help reduce this problem. However, +'Paranoid Mode' is slow and you are probably better off just not mixing +'anonymous' and 'non-anonymous' activity in the first place. + +Where is the paranoid button located? +Under the first tab ("Anonymize"), in the first section ("Welcome...", next to +the big onion icon), you will see the toggling ghost-penguin button followed +by a URL-like clickable link (mentioning the "paranoid mode"). +Click on the icon itself to toggle between the two modes. Clicking the +URL-like clickable link next to it has another result, indeed. This was fixed +in the CVS (added the icon to the menu and toolbar). +Why can't Konqueror access the Internet through Tor? +Konqueror works just fine when I setup its proxies manually (from kcontrol). +Then I open Tork and it no longer works. It doesn't matter how I toggle Tork's +Konqueror button. Then I have to manually restore Konqueror's proxies (in +kcontrol), and Konqueror starts working again. That is, until I restart Tork, +when all this happens again. + + +Tor/TorK say my Tor server isn't reachable. What should I do? +To make your Tor server visible to the world, there are a number of things you +need to make sure are set up correctly. + +Step One +Make sure your firewall is allowing traffic to Tor's server ports. These are +the commands I added to my own firewall script (the host my instance of Tor is +running on is 192.168.1.2): + # Allow Tor to go through + iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT + iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT + +If you are wondering, 'Where's my firewall script?', then you should probably +create one. 
This is mine, for what it's worth (and that's not much): + #!/bin/bash + + #Load modules + /sbin/modprobe ip_conntrack_ftp + /sbin/modprobe ip_conntrack_irc + + #Flush old + iptables -F + iptables -t nat -F + iptables -t mangle -F + + # Set policies + iptables -P FORWARD DROP + iptables -P OUTPUT ACCEPT + iptables -P INPUT DROP + + # Allow loopback + iptables -A INPUT -i lo -j ACCEPT + + + # Allow Tor to go through + iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT + iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT + + + #bittracker portforwarding + BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899" + for pt in $BTPORTS; do + /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport $pt -j ACCEPT + done + + iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP + iptables -N Flood-Scan + iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan + iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN + iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: " + iptables -A Flood-Scan -j DROP + iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP + iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT + iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT + iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT + iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT + iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j +ACCEPT + + + Save this to something like /etc/fwscript. Then do the following to the +file: + chmod +x /etc/fwscript + +To have the firewall set up every time you turn on your Linux box, add it to +the local equivalent of your /etc/rc.d/rc.local file. 
If you don't know what +that is then I'm afraid you're going to have to find out yourself. + + + + Step Two +If you have a broadband connection you may need to configure your router to +allow access to your Tor service. In most cases this means something like what +I had to do with my own Zyxel prestige router. The instructions that follow +are specific to my router but you should be able to do something similar with +your own: + + + robert@darkstar ~> telnet 192.168.1.1 + Trying 192.168.1.1... + Connected to 192.168.1.1. + Escape character is '^]'. + + Password: + +Then I got this screen: + Copyright (c) 1994 - 2003 ZyXEL Communications Corp. + + Prestige 623R-T1 Main Menu + + Getting Started Advanced Management + 1. General Setup 21. Filter Set Configuration + 3. LAN Setup 22. SNMP Configuration + 4. Internet Access Setup 23. System Password + 24. System Maintenance + Advanced Applications 25. IP Routing Policy Setup + 11. Remote Node Setup 26. Schedule Setup + 12. Static Routing Setup + 15. NAT Setup + 99. Exit + + + + + + + + Enter Menu Selection Number: 15 + +I selected 'NAT Setup'. + + + + + Menu 15 - NAT Setup + + 1. Address Mapping Sets + 2. NAT Server Sets + + + + + + + + + + + + + + + + Enter Menu Selection Number:2 + +I selected 'NAT Server Sets'. + + + Menu 15.2 - NAT Server Sets + + 1. Server Set 1 (Used for SUA Only) + 2. Server Set 2 + 3. Server Set 3 + 4. Server Set 4 + 5. Server Set 5 + 6. Server Set 6 + 7. Server Set 7 + 8. Server Set 8 + 9. Server Set 9 + 10. Server Set 10 + + + + + + + + Enter Set Number to Edit: 1 + +I selected the first one. + + + Menu 15.2 - NAT Server Setup + + + + Rule Start Port No. End Port No. IP Address + --------------------------------------------------- + 1. Default Default 0.0.0.0 + 2. 0 0 0.0.0.0 + 3. 9031 9031 192.168.1.2 + 4. 9001 9001 192.168.1.2 + 5. 0 0 0.0.0.0 + 6. 0 0 0.0.0.0 + 7. 0 0 0.0.0.0 + 8. 0 0 0.0.0.0 + 9. 0 0 0.0.0.0 + 10. 0 0 0.0.0.0 + 11. 0 0 0.0.0.0 + 12. 
0 0 0.0.0.0 + + Press ENTER to Confirm or ESC to Cancel: + + + As you might guess the address of my pc is 192.168.1.2 and I'm running my Tor +ORPort on 9001 and my Tor DirPort on 9031.You're probably doing the same. +That's it. Save your changes and exit the telnet session with the router. + + Step Three +Your Tor server should now be reachable - unless you (or your distro) have +done something exotic with your hosts.allow and hosts.deny files. Try starting +your Tor server again from TorK and see what happens. If you are still +experiencing problems try the Tor FAQ Entry for more possibilities. +How do I use TorK to anonymize applications? +The 'Anonymize' tab allows you to launch 'anonymized' instances of various +applications with a single click. +How can I be sure it's working? +In the miniview, you should see the sites you are connecting to in their 'raw' +form. For example, if you launched an 'Anonymous SSH session' and have typed +the following in konsole: + ssh [email protected] + +You should see 'my.shell.net' in the miniview and not my.shell.net's IP +address. If you see an IP address, that means your system has bypassed Tor to +get the IP address for my.shell.net. This is a problem if you think someone +might be using your domain name lookups to track your internet activity. If +you are having this problem, you should delete all instance of libtsocks.so on +your system and re-install TorK, that should ensure the correct library is +being called to route all traffic through Tor. +How is it meant to work? +TorK uses two helper applications: 1. 'torify', a shell script installed with +Tor; and 2. 'tsocks' a utility bundled and installed with TorK that ensures +the application goes through Tor anonymously. +OK, how does it really work? +TorK launches the following command: + torify name-of-your-app-here. + +The torify script calls a script called tsocks. This loads the libtsocks.so +library dynamically linked to the application at runtime. 
The libtsocks.so +library intercepts all of the application's TCP/IP calls and routes them +through Tor, i.e. uses Tor as a SOCKS proxy. +This tsocks, it's the one available at http://tsocks.sf.net right? +No, it's a version of that one patched to intercept domain name resolutions as +well as all other traffic. See this entry in the Tor FAQ to understand why +this is desirable. + + +Security/Anonymity FAQs + Is Tor more secure than ordinary internet use? +No. In some ways it's less secure (though this is just an opinion). +Let me explain: The Tor network contains known eavesdroppers. These +eavesdroppers are servers on the network that act as exit nodes (points in the +Tor network where your traffic pops back out onto the internet proper). If you +use plaintext authentication (e.g. type a name/password into a website that is +not using a secure connection) and are using an eavesdropper as your exit +node, that exit node can capture your username/password. +But isn't there a risk of this happening in the ordinary internet anyway? +Yes, of course there is. However, you do not know (for a fact) that there are +computers listening to your ordinary internet connection - but you do know +(now) that there are servers on the Tor network listening to traffic. And they +could listen to yours if you do not behave securely. Put simply: Tor has a +specific layer of exposure that is easily accessible to anyone who is +interested in it. That is not true of non-Tor traffic. +This is not a widely accepted opinion, to paraphrase Nigel Tufnell 'it's a +fine line between paranoid and stupid', so for more info see: + +Tor Eavesdropping FAQ +http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1 + + Where are all the other Security/Anonymity answers? +I'll leave that to the experts: + +http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ
\ No newline at end of file |
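Review bot: In the Step One firewall script, the last ICMP rule is wrapped so that "-j" ends one line and "ACCEPT" starts the next; pasted as shown, iptables rejects the rule for a missing target and the shell then tries to run ACCEPT as a command, so destination-unreachable messages stay dropped under the INPUT DROP policy. Put the rule on one line, or end the first line with a backslash. The same script opens thirteen BitTorrent ports in the BTPORTS loop, and calls /usr/sbin/iptables there while every other rule uses bare iptables; those ports have nothing to do with making a Tor server reachable and readers will copy them along with the rest, so the loop should come out of the example. Separately, the entry "Why can't Konqueror access the Internet through Tor?" holds a problem report rather than an answer, and "try the Tor FAQ Entry" and "See this entry in the Tor FAQ" refer to links that do not survive in a plain-text file; spell out the URLs as is done for the eavesdropping FAQ at the end.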