Diffstat (limited to 'USINGTORK')
-rw-r--r-- USINGTORK 313
1 files changed, 313 insertions, 0 deletions
diff --git a/USINGTORK b/USINGTORK
new file mode 100644
index 0000000..1568b94
--- /dev/null
+++ b/USINGTORK
@@ -0,0 +1,313 @@
+Here are some miscellaneous notes on using Tor and TorK:
+
+
+What do I need to know about Tor/TorK?
+
+First of all some don'ts:
+ * Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails)
+or telnet. By doing so you are sending out username/password combinations that
+some people harvest, e.g. http://tor.unixgu.ru.
+ * Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example,
+don't do some anonymous browsing and then log into hotmail during the same
+'anonymous' Tor session. Why? Anyone listening on the tor network might put
+two and two together and identify you. Better to keep Tor for 'anonymous'
+tasks only.
+Now some do's:
+ * Do run a Tor server if you can. Choose one of the server options TorK
+provides. A 'Relay' server is an easy and hassle-free way to contribute to the
+network. An 'Exit' server is the only one that involves putting your name to
+other people's traffic.
+ * Do behave responsibly when using Tor. Try not to sink to the level of your
+own government!
+
+Finally:
+Tor is developed and maintained by the people at http://tor.eff.org. They are
+professionals. They're mostly from MIT. They know what they're doing. TorK is
+developed and maintained by a hobbyist. From Ireland. In his spare time.
+So: TorK probably has lots of faults the developer is not aware of or hasn't
+fixed yet. If you spot them, let the poor sod know by clicking on Help ->
+'Report Bug'.
+
+What is 'Paranoid Mode'?
+In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by
+clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode'
+TorK/Tor will try to use a new identity for every new connection you make.
+This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous'
+traffic in Tor. For example, if you do some anonymous browsing and then log
+into hotmail during the same 'anonymous' Tor session anyone listening on the
+tor network might put two and two together and identify you. Using different
+identities for each connection will help reduce this problem. However,
+'Paranoid Mode' is slow and you are probably better off just not mixing
+'anonymous' and 'non-anonymous' activity in the first place.
+
+Where is the paranoid button located?
+Under the first tab ("Anonymize"), in the first section ("Welcome...", next to
+the big onion icon), you will see the toggling ghost-penguin button followed
+by a URL-like clickable link (mentioning the "paranoid mode").
+Click on the icon itself to toggle between the two modes. Clicking the
+URL-like clickable link next to it has another result, indeed. This was fixed
+in the CVS (added the icon to the menu and toolbar).
+Why can't Konqueror access the Internet through Tor?
+Konqueror works just fine when I setup its proxies manually (from kcontrol).
+Then I open Tork and it no longer works. It doesn't matter how I toggle Tork's
+Konqueror button. Then I have to manually restore Konqueror's proxies (in
+kcontrol), and Konqueror starts working again. That is, until I restart Tork,
+when all this happens again.
+
+
+Tor/TorK say my Tor server isn't reachable. What should I do?
+To make your Tor server visible to the world, there are a number of things you
+need to make sure are set up correctly.
+
+Step One
+Make sure your firewall is allowing traffic to Tor's server ports. These are
+the commands I added to my own firewall script (the host my instance of Tor is
+running on is 192.168.1.2):
+ # Allow Tor to go through
+ iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
+ iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
+
+If you are wondering, 'Where's my firewall script?', then you should probably
+create one. This is mine, for what it's worth (and that's not much):
+ #!/bin/bash
+
+ #Load modules
+ /sbin/modprobe ip_conntrack_ftp
+ /sbin/modprobe ip_conntrack_irc
+
+ #Flush old
+ iptables -F
+ iptables -t nat -F
+ iptables -t mangle -F
+
+ # Set policies
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT ACCEPT
+ iptables -P INPUT DROP
+
+ # Allow loopback
+ iptables -A INPUT -i lo -j ACCEPT
+
+
+ # Allow Tor to go through
+ iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
+ iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT
+
+
+ #bittracker portforwarding
+ BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
+ for pt in $BTPORTS; do
+ /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport $pt -j ACCEPT
+ done
+
+ iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
+ iptables -N Flood-Scan
+ iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
+ iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
+ iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
+ iptables -A Flood-Scan -j DROP
+ iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
+ iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
+ iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j
+ACCEPT
+
+
+ Save this to something like /etc/fwscript. Then do the following to the
+file:
+ chmod +x /etc/fwscript
+
+To have the firewall set up every time you turn on your Linux box, add it to
+the local equivalent of your /etc/rc.d/rc.local file. If you don't know what
+that is then I'm afraid you're going to have to find out yourself.
+
+
+
+ Step Two
+If you have a broadband connection you may need to configure your router to
+allow access to your Tor service. In most cases this means something like what
+I had to do with my own Zyxel prestige router. The instructions that follow
+are specific to my router but you should be able to do something similar with
+your own:
+
+
+ robert@darkstar ~> telnet 192.168.1.1
+ Trying 192.168.1.1...
+ Connected to 192.168.1.1.
+ Escape character is '^]'.
+
+ Password:
+
+Then I got this screen:
+ Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
+
+ Prestige 623R-T1 Main Menu
+
+ Getting Started Advanced Management
+ 1. General Setup 21. Filter Set Configuration
+ 3. LAN Setup 22. SNMP Configuration
+ 4. Internet Access Setup 23. System Password
+ 24. System Maintenance
+ Advanced Applications 25. IP Routing Policy Setup
+ 11. Remote Node Setup 26. Schedule Setup
+ 12. Static Routing Setup
+ 15. NAT Setup
+ 99. Exit
+
+
+
+
+
+
+
+ Enter Menu Selection Number: 15
+
+I selected 'NAT Setup'.
+
+
+
+
+ Menu 15 - NAT Setup
+
+ 1. Address Mapping Sets
+ 2. NAT Server Sets
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Enter Menu Selection Number:2
+
+I selected 'NAT Server Sets'.
+
+
+ Menu 15.2 - NAT Server Sets
+
+ 1. Server Set 1 (Used for SUA Only)
+ 2. Server Set 2
+ 3. Server Set 3
+ 4. Server Set 4
+ 5. Server Set 5
+ 6. Server Set 6
+ 7. Server Set 7
+ 8. Server Set 8
+ 9. Server Set 9
+ 10. Server Set 10
+
+
+
+
+
+
+
+ Enter Set Number to Edit: 1
+
+I selected the first one.
+
+
+ Menu 15.2 - NAT Server Setup
+
+
+
+ Rule Start Port No. End Port No. IP Address
+ ---------------------------------------------------
+ 1. Default Default 0.0.0.0
+ 2. 0 0 0.0.0.0
+ 3. 9031 9031 192.168.1.2
+ 4. 9001 9001 192.168.1.2
+ 5. 0 0 0.0.0.0
+ 6. 0 0 0.0.0.0
+ 7. 0 0 0.0.0.0
+ 8. 0 0 0.0.0.0
+ 9. 0 0 0.0.0.0
+ 10. 0 0 0.0.0.0
+ 11. 0 0 0.0.0.0
+ 12. 0 0 0.0.0.0
+
+ Press ENTER to Confirm or ESC to Cancel:
+
+
+ As you might guess the address of my pc is 192.168.1.2 and I'm running my Tor
+ORPort on 9001 and my Tor DirPort on 9031.You're probably doing the same.
+That's it. Save your changes and exit the telnet session with the router.
+
+ Step Three
+Your Tor server should now be reachable - unless you (or your distro) have
+done something exotic with your hosts.allow and hosts.deny files. Try starting
+your Tor server again from TorK and see what happens. If you are still
+experiencing problems try the Tor FAQ Entry for more possibilities.
+How do I use TorK to anonymize applications?
+The 'Anonymize' tab allows you to launch 'anonymized' instances of various
+applications with a single click.
+How can I be sure it's working?
+In the miniview, you should see the sites you are connecting to in their 'raw'
+form. For example, if you launched an 'Anonymous SSH session' and have typed
+the following in konsole:
+
+You should see 'my.shell.net' in the miniview and not my.shell.net's IP
+address. If you see an IP address, that means your system has bypassed Tor to
+get the IP address for my.shell.net. This is a problem if you think someone
+might be using your domain name lookups to track your internet activity. If
+you are having this problem, you should delete all instance of libtsocks.so on
+your system and re-install TorK, that should ensure the correct library is
+being called to route all traffic through Tor.
+How is it meant to work?
+TorK uses two helper applications: 1. 'torify', a shell script installed with
+Tor; and 2. 'tsocks' a utility bundled and installed with TorK that ensures
+the application goes through Tor anonymously.
+OK, how does it really work?
+TorK launches the following command:
+ torify name-of-your-app-here.
+
+The torify script calls a script called tsocks. This loads the libtsocks.so
+library dynamically linked to the application at runtime. The libtsocks.so
+library intercepts all of the application's TCP/IP calls and routes them
+through Tor, i.e. uses Tor as a SOCKS proxy.
+This tsocks, it's the one available at http://tsocks.sf.net right?
+No, it's a version of that one patched to intercept domain name resolutions as
+well as all other traffic. See this entry in the Tor FAQ to understand why
+this is desirable.
+
+
+Security/Anonymity FAQs
+ Is Tor more secure than ordinary internet use?
+No. In some ways it's less secure (though this is just an opinion).
+Let me explain: The Tor network contains known eavesdroppers. These
+eavesdroppers are servers on the network that act as exit nodes (points in the
+Tor network where your traffic pops back out onto the internet proper). If you
+use plaintext authentication (e.g. type a name/password into a website that is
+not using a secure connection) and are using an eavesdropper as your exit
+node, that exit node can capture your username/password.
+But isn't there a risk of this happening in the ordinary internet anyway?
+Yes, of course there is. However, you do not know (for a fact) that there are
+computers listening to your ordinary internet connection - but you do know
+(now) that there are servers on the Tor network listening to traffic. And they
+could listen to yours if you do not behave securely. Put simply: Tor has a
+specific layer of exposure that is easily accessible to anyone who is
+interested in it. That is not true of non-Tor traffic.
+This is not a widely accepted opinion, to paraphrase Nigel Tufnell 'it's a
+fine line between paranoid and stupid', so for more info see:
+
+Tor Eavesdropping FAQ
+http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1
+
+ Where are all the other Security/Anonymity answers?
+I'll leave that to the experts:
+
+http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ \ No newline at end of file
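Review bot: The sample firewall script in Step One is offered as something to save to /etc/fwscript, yet it includes rules that have nothing to do with making a Tor server reachable: the BTPORTS loop under '#bittracker portforwarding' accepts thirteen extra TCP ports on eth0, and a reader who copies the script verbatim inherits them. Suggest trimming the example to the policies, loopback, conntrack rules and the two Tor rules for 9001 and 9031. In the same script the final icmp rule is wrapped so that `-j` and `ACCEPT` sit on separate lines, which fails when pasted into a shell, and the loop calls `/usr/sbin/iptables` while every other rule uses bare `iptables`. Further down, 'have typed the following in konsole:' is followed by an empty line, so the command the miniview check relies on is missing; the Konqueror question restates the problem without giving an answer; and 'the Tor FAQ Entry' / 'this entry in the Tor FAQ' no longer carry a URL in this plain-text form. The file also ends without a trailing newline.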