Please note: this document is outdated! Especially the use of the squid web cahing proxy should be avoided with tor!
Some tipps about configuring your machine to use the TOR routing system
Prevent packet headers from sending a lot of unwanted informations to the internet. Anonymise your connection with a squid-privoxy-tor combination. Bounce your packets through an anonimous and encrypted chain of servers.
Anonimity is never 100% secure, but here we work out a good solution for being anonimous for someone sniffing us from the internet. That means: neither "what we do" nor "where we go" gets anonymised, just "where do we come from"; somebody controlling what we do from the internet cannot see who we are (but it doesn't work if somebody is controlling our internal network, ex. through wireless, or our connection from our network until the first tor router, ex. controlling through our internet provider).
So if somebody in Turkey is sniffing my emails, he/she will not be able to understand where do I write from, but will still be able to intercept what I do write on the mail; if somebody got the authorisation from my internet-provider to sniff all my traffic on the internet, than the anonimisation we use here will be unuseful.
Another very interesting toping using the tor solution is the possibility of setting up HIDDEN SERVICES: we can run an http/https, irc, whatever we want server on the internet, and clients connecting to it DO NOT contact the server itself, but CLIENT AND SERVER MEET IN THE MIDDLE OF AN ONION ROUTER CHAIN - that means that nobody will know where are we comeing from, and also that nobody will understand where the service we are using is hosted from!!!
here a little explanation on how the combination works for html pages:
Browser <> squid host:3128 <> privoxy host:8118<> tor host:9050 <> tor onion router chains <>webserver
TOR (The Onion Routing, http://tor.eff.org) is a sistem that uses an entry point, than communications are bounced around a distributed network of servers going finally out through an exit point. Each "onion router" nows only the server before and the server after him in the chain, and communicates with an AES128 key to them.
Debian packages have been uploaded to the set of official unstable Debian packages. If you are running stable or testing Debian, you must first add these lines to /etc/apt/sources.list:
deb http://mirror.noreply.org/pub/tor stable main deb-src http://mirror.noreply.org/pub/tor stable main
To install the packages, issue the following commands:
root@yourcomputer:# apt-get update root@yourcomputer:# apt-get install tor privoxy
After installing and starting Privoxy, privoxy works standard at port 8118. The privoxy configuration can also be managed through a webinterface, at the address http://p.p/To be able to use privoxy with TOR, we have to edit the /etc/privoxy/config file:
root@yourcomputer:# vim /etc/privoxy/config
interesting configuration variables are:
5.2. forward-socks4 and forward-socks4a forward-socks4a / 127.0.0.1:9050 .
This enables forwarding all requests to TOR - don't forget the dot (.) at the end!
We can comment "logfile" and "jarfile" to disable logs (to reduce information left on our own computer)
2.5. logfile # logfile logfile 2.6. jarfile # jarfile jarfile
Squid is a normal http-caching program, a http proxy. What we really like at squid, to use in conjunction with tor, is it's configurable feature to remove http headers, that means informations send to the internet by your web browser.
A problem useing squid, is that it cannot require DNS remotely (what privoxy CAN do). Useing squid we could leak DNS information, a serious thread to our anonimity!!!
IF you want to install and configure squid:
root@yourcomputer:# apt-get install squid
Squid's client mode configuration: suitable for a workstation with caching proxy in stand alone mode (Privoxy on localhost:8118): squid requires some configuration values to be modified in order to function as a caching proxy.
root@yourcomputer:# vim /etc/squid.conf
Search for the following key values and set them accordingly:
http_port 3128 http_access allow localhost cache_peer localhost parent 8118 7 no-query default # the following forces the use of privoxy/tor in all cases: never_direct allow all visible_hostname localhost # If transparent gateway mode is used, the following must also be set! # (actually it is not a good idea to use a transparent gateway!!!) # (insert your subnets as required): acl home_network src 192.168.1.0/24 http_access allow home_network httpd_accel_port 80 httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on # The following settings are helpful in removing some sensitive # HTTP headers which could divulge unwanted information: header_access From deny all header_access Referer deny all header_access Server deny all header_access User-Agent deny all header_access WWW-Authenticate deny all header_access Link deny all # NOTE: some sites may require a User-Agent or Referer to # function correctly. # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: header_access Allow allow all header_access Authorization allow all header_access WWW-Authenticate allow all header_access Proxy-Authorization allow all header_access Proxy-Authenticate allow all header_access Cache-Control allow all header_access Content-Encoding allow all header_access Content-Length allow all header_access Content-Type allow all header_access Date allow all header_access Expires allow all header_access Host allow all header_access If-Modified-Since allow all header_access Last-Modified allow all header_access Location allow all header_access Pragma allow all header_access Accept allow all header_access Accept-Charset allow all header_access Accept-Encoding allow all header_access Accept-Language allow all header_access Content-Language allow all header_access Mime-Version allow all header_access Retry-After allow all header_access Title allow all header_access Connection allow all header_access Proxy-Connection allow all header_access All deny all # Default: # none
Be sure to run '~/sbin/squid -z' to create the cache directories before starting the Squid proxy with '~/bin/RunCache'.
Using your browser configuration utility update the HTTP/HTTPS proxy settings to point to localhost at port 3128. At this point all of your web traffic will be going through the Squid proxy, into Privoxy for protocol cleaning, and finally into Tor for delivery of requests and responses. The reduced latency of Squid serving cached pages should be readily visible as you browse various sites.
squid without cachingIf you decide to use squid only in conjunction with TOR, it could be a good idea to disable the chaching funcion.You can use the no_cache access list to make Squid never cache any response:
acl all src 0/0 no_cache deny all cache_dir null /tmp
Note: a null cache_dir does not disable caching, but it does save you from creating a cache structure if you have disabled caching with no_cache.
Note: the directory (e.g., /tmp) must exist so that squid can chdir to it, unless you also use the coredump_dir option. To configure Squid for the ``null'' storage module, specify it on the configure command line:"./configure --enable-storeio=ufs,null ..."
cache_access_log none cache_store_log none cache_log /dev/null
Note : It is a bad idea to disable the cache.log because this file contains many important status and debugging messages. However, if you really want to, you can. Warning : If /dev/null is specified to any of the above log files, logfile rotate must also be set to 0 or else risk Squid rotating away /dev/null making it a plain log file.
Now it's time to check if our tor ir running the way it should be...
First of all, configure your browser to use a proxy (a very practical solution for Firefox/Iceweasel is the "Torbutton" add-on)
In your browser's configuration, add, as proxy, "localhost" and, as port, "8118" (if you only use privoxy), or "3148" (if you use squid before privoxy).
To check if everything is working ok, use "etherreal if you know how to, or, more simply, load this practical webpage (copyrighted) that shows you all the information leaked by your browser: http://leader.ru/secure/who.html
REMEMBER: if you use squid, your DNS request could still leak informations, if they don't go through tor (ex. with SOCKS4a). you can still use "tor-resolve" (included in the tor package) to eliminate this problem...
You can run a lot of different applications (ssh, irc, fetchmail, gaim, ...) through the TOR onion routing. Follow the instructions on this webpage: http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO
Interesting is the possibility to run your SSH connection trough TOR. In order to do this, first of all we need to install the "socat" package"
root@yourcomputer:# apt-get install socat
You will then need to set up SSH accordingly, enabling TOR for internet connections, and disabling it foru your Local Network connections.
Edit the /etc/ssh/ssh_config file:
root@yourcomputer:# vim /etc/ssh/ssh_config
Remember to adjust this settings for your own needs, adding the "proxycommand none" setting for all the machines, or subnetworks, that you still want to reach without TOR!!!
Add the following lines to your ssh_config file:
Host 192.168.*.*
ProxyCommand none
Host *.lan
ProxyCommand none
Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
A very interesting and useful function of the TOR/privoxy combination, is the possibility to use or set up "hidden services", services running on machines running inside the TOR onion routing, and contactable only within the onionr routingsystem. This helps us, as an example, in running a censorship-resistant service (http, ssh, irc, ...). Remember, anyway, that anonimity is NEVER 100% guaranteed!. The best place to start from, is the hidden wiki. Try to contact it clicking on this link: http://6sxoyfb3h2nvok2d.onion/tor/
If you cannot contact the hidden wiki, it could be because the TOR networ is sometimes VERY slow. So, just click on "try it again", and you will be able to connect...
If you are interested in setting up a Hidden service, the configuration is very easy and is located in the /etc/tor/torrc file itself. Mind the logs on your computer! They could be a prove of interesting information. And, if you want to set up an hidden HTTP server, consider avoiding apache, and setting up some lightweight HTTP server instead, because it is quite difficult to set up apache not to leak any important information.
Please refer to http://tor.eff.org/docs/tor-hidden-service.html.en to set up an hidden service.
----------------------------- last update: inputs_marmalade 16/5/2007 ### contributions / feedback / questions gpg public key http://ram.squat.net/tech/inputs.marmalade.asc ###