Topic: How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin (Read 3095 times)

legendary
Activity: 1344
Merit: 1024
Mine at Jonny's Pool
Have you been able to get tor working with 0.12?  I can get it working fine if I use HashedControlPassword and pass the -torpassword parameter (or put it in bitcoin.conf).  However, I cannot get it to properly authenticate using CookieAuthentication (which is enabled by default when you install tor).  I keep getting errors thrown at me about not being able to read the cookie file.

Of course, it makes sense since the cookie file (again default installation of tor) gets dropped into /var/run/tor/control.authcookie and file permissions are 640 with owner/group as debian-tor.  The bitcoin core process can't read from there.

I mean I could change the defaults file to be my bitcoin user, change the location of the cookie file to one the core process can read, etc... or I could just turn off authentication altogether, which should work just fine.

Thanks for the inputs.
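The cookie problem described in the post can be checked before opening a control connection at all: the Tor control protocol authenticates with `AUTHENTICATE <hex of the 32-byte cookie>` when CookieAuthentication is on, or `AUTHENTICATE "<password>"` with HashedControlPassword, so the only question is whether the Bitcoin process can read the cookie file. The script below is an added example, not code from the post or from Bitcoin Core; it writes a constructed 32-byte cookie to a temporary file with the same 0640 mode the post mentions, reports the permission bits and readability, and builds the AUTHENTICATE line for either method. The cookie path constant is just the Debian/Ubuntu default named in the post.

```python
import os
import stat
import tempfile

# Path used by Debian/Ubuntu's tor package (owner debian-tor, mode 0640 per the post).
DEFAULT_COOKIE_PATH = "/var/run/tor/control.authcookie"


def make_demo_cookie(mode=0o640):
    """Create a constructed 32-byte cookie in a temp file so the checks run offline."""
    cookie = os.urandom(32)
    fd, path = tempfile.mkstemp(prefix="control.authcookie.")
    with os.fdopen(fd, "wb") as f:
        f.write(cookie)
    os.chmod(path, mode)
    return path, cookie


def others_can_read(mode):
    """True if the 'other' read bit is set (0o640 -> False, 0o644 -> True)."""
    return bool(mode & stat.S_IROTH)


def diagnose_cookie(path):
    """Explain why cookie authentication would fail for the current user."""
    report = {"exists": False, "mode": None, "readable_by_me": False, "length_ok": False}
    if not os.path.exists(path):
        return report
    report["exists"] = True
    report["mode"] = stat.S_IMODE(os.stat(path).st_mode)
    # os.access honours the real uid/gid, so this answers "can *this* user read it?"
    report["readable_by_me"] = os.access(path, os.R_OK)
    if report["readable_by_me"]:
        with open(path, "rb") as f:
            report["length_ok"] = len(f.read()) == 32
    return report


def build_authenticate(cookie_path=None, password=None):
    """Build the AUTHENTICATE line of the Tor control protocol.

    HashedControlPassword:  AUTHENTICATE "<password>"   (quoted string, backslash escapes)
    CookieAuthentication:   AUTHENTICATE <64 hex chars>  (raw cookie bytes, hex encoded)
    """
    if password is not None:
        escaped = password.replace("\\", "\\\\").replace('"', '\\"')
        return 'AUTHENTICATE "%s"\r\n' % escaped
    with open(cookie_path, "rb") as f:
        cookie = f.read()
    if len(cookie) != 32:
        raise ValueError("cookie file must be exactly 32 bytes")
    return "AUTHENTICATE %s\r\n" % cookie.hex()


if __name__ == "__main__":
    print(diagnose_cookie(DEFAULT_COOKIE_PATH))
```

If `readable_by_me` comes back False with mode 0640, the usual fix is to make the bitcoin user a member of the debian-tor group (or set `CookieAuthFileGroupReadable 1` in torrc and point the user at the file) rather than disabling authentication on the control port.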
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
iptables (strict) Linux VPS firewall rules:

Reference: https://help.ubuntu.com/community/IptablesHowTo

Code:
sudo iptables -A INPUT -i lo -j ACCEPT
// Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0


Code:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
// "We can allow established sessions to receive traffic:"

or

// "If the line above doesn't work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort: "
Code:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

N.B. It's probably best to avoid using conntrack if you're running a Tor .exit node.

Code:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
// Accept incoming port 22 for SSH VPS login. Change this to your own non-standard SSH port if required.

Code:
sudo iptables -A INPUT -p tcp --dport 43 -j ACCEPT
// Accept port 43 for WHOIS protocol / Fail2ban look-ups.

Code:
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Code:
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
// Accept port 53 for DNS.

Code:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
// Optionally. Accept port 80 for your http web server or Tor DirPort (alternate port 9030).

Code:
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
// Accept port 123 UDP for Network Time Protocol (NTP), used for time synchronization.

Code:
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
// Optionally. Accept port 443 for your https web server or Tor ORPort (alternate port 9001).

Code:
sudo iptables -A INPUT -p tcp --dport 8332 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
// Restrict Bitcoin RPC port 8332 to only accept localhost source and destination traffic.

Code:
sudo iptables -A INPUT -p tcp --dport 8333 -j ACCEPT
// Accept port 8333 for Bitcoin incoming connections.

Code:
sudo iptables -A INPUT -p tcp --dport 9050 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
// Restrict Tor SOCKS Port 9050 to only accept localhost source and destination traffic.

Code:
sudo iptables -A INPUT -p tcp --dport 9051 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
// Restrict Tor Control Port 9051 to only accept localhost source and destination traffic.

N.B. Consider other ports you might need to accept here, e.g. for TorDNS, VNC server access, git clone, key servers etc.

// Allow several ICMP types
- http://www.oregontechsupport.com/articles/icmp.txt

Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type host-unreachable -j ACCEPT
Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type port-unreachable -j ACCEPT
Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
Code:
sudo iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
Code:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
Code:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

// Drop non-established TCP
Code:
sudo iptables -A INPUT -p tcp --syn -j DROP

// Optionally. Drop everything else !!!
Code:
sudo iptables -A INPUT -j DROP

N.B. Some Tor node operators (pool operators?) might prefer to avoid conntrack and still allow all UDP traffic etc.

// Allow outgoing connections
Code:
sudo iptables -A OUTPUT -o lo -j ACCEPT

...

Now save your iptables firewall config. with:

Code:
sh -c "iptables-save -c > /etc/iptables.rules"
// sudo sh (if required)

Reload your (saved) iptables firewall rules after a server restart with:

Code:
sh -c "iptables-restore -c < /etc/iptables.rules"
// sudo sh (if required)

// and it's probably best to restart Fail2ban (if we have installed it, see above post)
Code:
sudo /etc/init.d/fail2ban restart


// list your iptables with:
Code:
sudo iptables -L


N.B. No firewall solution is perfect, although this example iptables firewall + Fail2ban is a fairly solid solution, which is certainly more effective than having no firewall in place whatsoever.
  
legendary
Activity: 2646
Merit: 1722
Set-up Fail2ban - an intrusion prevention framework.

Reference: https://help.ubuntu.com/community/Fail2ban

Install:

Code:
sudo apt-get install fail2ban

Configuration:

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban

Code:
cd /etc/fail2ban

Code:
sudo cp jail.conf jail.local

Now edit the file:

Code:
sudo nano jail.local

Set the IPs you want fail2ban to ignore, the ban time (in seconds) and maximum number of user attempts to your liking:


Quote
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

Add your VPS IP address, gateway and DNS hosts to ignoreip =

You can find this information from:

Code:
sudo nano /etc/resolv.conf

and/or

Code:
sudo nano /etc/network/interfaces

N.B. It's best to check that info. before you install / set-up Fail2ban.

bantime  =

86400 for 24 hours

172800 for 48 hours

604800 for 7 days etc.

Scroll down and also edit:

Quote
[ssh]

enabled  = true
port  = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[dropbear]

enabled = true
port  = ssh
filter = dropbear
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]

enabled  = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3

N.B. If you run a web server etc. on the same server then you might want to review additional protection settings available in Fail2ban.

Save using:

Quote
ctrl + x

Code:
cd

Once done, restart fail2ban to put those settings into effect:

Code:
sudo /etc/init.d/fail2ban restart

Check / list iptables for Fail2ban blocks / activity with:

Code:
sudo iptables -L

~ Now be astonished at the number of brute-force blocks from automated (or otherwise) hacking attempts against your VPS instance !!!
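To see what the `findtime` / `maxretry` / `ignoreip` settings in the jail above actually do to an auth.log, here is an added example that re-implements that sliding-window logic in a few lines. It is not fail2ban's own code; the log excerpt is constructed (documentation address ranges, no real hosts) and the iptables argv it produces is the simplified form of what the `iptables-multiport` action installs into its own chain.

```python
import ipaddress
import re
from datetime import datetime

# Constructed auth.log excerpt: one fast brute-force burst, one slow probe spaced
# 15 minutes apart, one legitimate user, and one failure from localhost.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 vps sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:09 vps sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:00 vps sshd[2110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 vps sshd[2112]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:20:00 vps sshd[2120]: Failed password for root from 192.0.2.9 port 2222 ssh2
Mar  3 10:35:00 vps sshd[2121]: Failed password for root from 192.0.2.9 port 2223 ssh2
Mar  3 10:50:00 vps sshd[2122]: Failed password for root from 192.0.2.9 port 2224 ssh2
Mar  3 10:55:00 vps sshd[2123]: Failed password for root from 127.0.0.1 port 2225 ssh2
"""

# Same shape of match the sshd filter uses: syslog timestamp, then the failure line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2016):
    """auth.log timestamps carry no year; supply one (assumption for the demo)."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip):
    """ignoreip entries are addresses or CIDR masks, as in jail.local."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)


def find_bans(log_text, findtime=600, maxretry=3, ignoreip=("127.0.0.1/8",)):
    """Return {ip: time_of_ban} for hosts with >= maxretry failures inside findtime seconds."""
    failures = {}
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        t = parse_ts(m.group("ts"))
        # keep only failures still inside the findtime window, then add this one
        window = [x for x in failures.get(ip, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = t
    return bans


def ban_rule(ip):
    """Simplified equivalent of the action fail2ban installs (it uses its own chain)."""
    return ["iptables", "-I", "INPUT", "1", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(when.strftime("%H:%M:%S"), " ".join(ban_rule(ip)))
```

With the jail's defaults only the fast burst is banned; widen `findtime` to an hour and the slow probe spaced 15 minutes apart is caught too, which is the trade-off the `findtime` / `maxretry` pair expresses.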

  
legendary
Activity: 2646
Merit: 1722
Optimized sysctl.conf - gbit interface.

Sources and references:

- https://www.torservers.net/wiki/setup/server + ( lots of other useful info. )

- https://www.mail-archive.com/[email protected]/msg14159.html

Code:
sudo nano /etc/sysctl.conf

Quote
# used on high bandwidth nodes (gbit interface)

# disabling forwarding first as this will
# reset some other values back to default (!)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_syn_retries = 2
    
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0

kernel.sysrq = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

# optimizations
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432  
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_fin_timeout = 4
vm.min_free_kbytes = 65536
net.ipv4.netfilter.ip_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_max = 196608
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 15
net.nf_conntrack_max = 196608
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_local_port_range = 1025 65530
net.core.somaxconn = 20480
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_timestamps = 0
 
reboot / restart
legendary
Activity: 2646
Merit: 1722
Additional set-up / config. and package (security) options - also presented for community discussion.

haveged

Set-up 'entropy' for your cloud servers using haveged - algorithm (HArdware Volatile Entropy Gathering and Expansion) ?!?

Code:
sudo apt-get install haveged

Code:
sudo nano /etc/default/haveged

Check for:

Quote
DAEMON_ARGS="-w 1024"

OK

Check for start-up at boot:

Code:
update-rc.d haveged defaults

Quote
System start/stop links for /etc/init.d/haveged already exist.


- https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

- https://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines

...

Socks and DNS

SOCKS / DNS 'leaks' with Tor can still remain prevalent:

- https://www.torproject.org/docs/faq.html.en#SocksAndDNS

- https://www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks

Using SafeSocks 1 in our torrc won't / can't allow Bitcoin connectivity. So, without using any additional tools, how can we make this 'safer' ?

Additional torrc settings:

TorDNS

"The Tor 0.2.x series provides a built-in DNS forwarder. To enable it add the following lines to the Tor configuration file and restart the daemon:"

Code:
sudo nano /etc/tor/torrc

Quote
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

"This will allow Tor to accept DNS requests (listening on port 9053 in this example) like a regular DNS server, and resolve the domain via the Tor network. A downside is that it is only able to resolve DNS queries for A-records; MX and NS queries are never answered..."

Using TorDNS for all DNS queries.

"It is possible to configure your system, if so desired, to use TorDNS for all queries your system makes, regardless of whether or not you eventually use Tor to connect to your final destination. To do this, configure your system to use 127.0.0.1 as its DNS server and edit the 'DNSPort' line in /etc/tor/torrc to show: "

Quote
DNSPort 53

"Alternatively, you can use a local caching DNS server, such as dnsmasq or pdnsd, which will also compensate for TorDNS being a little slower than traditional DNS servers. The following instructions will show how to set up dnsmasq for this purpose.

Change the tor setting to listen for the DNS request in port 9053 and install dnsmasq.

Modify its configuration file so that it contains: "

Code:
sudo nano /etc/dnsmasq.conf

Quote
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1

"These configurations set dnsmasq to listen only for requests from the local computer, and to use TorDNS as its sole upstream provider. It is now necessary to edit /etc/resolv.conf so that your system will query only the dnsmasq server. "

Code:
sudo nano /etc/resolv.conf

Quote
nameserver 127.0.0.1

"Start the dnsmasq daemon.

Finally, if you use dhcpcd you would need to change its settings so that it does not alter the resolv configuration file. Just add this line in the configuration file: "

Code:
sudo nano /etc/dhcpcd.conf

Quote
nohook resolv.conf

"If you already have a nohook line, just add resolv.conf separated with a comma. "

Quoted source: https://wiki.archlinux.org/index.php/Tor

...

Tor torrc hidden_service options to consider for our addnode=.onion's

Source: https://www.torproject.org/docs/tor-manual.html

CLIENT OPTIONS:

CloseHSClientCircuitsImmediatelyOnTimeout 0|1

   " If 1, Tor will close unfinished hidden service client circuits which have not moved closer to connecting to their destination hidden service when their internal state has not changed for the duration of the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destination hidden services. In either case, another set of introduction and rendezvous circuits for the same destination hidden service will be launched. (Default: 0) "

CloseHSServiceRendCircuitsImmediatelyOnTimeout 0|1

   " If 1, Tor will close unfinished hidden-service-side rendezvous circuits after the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destinations. In either case, another rendezvous circuit for the same destination client will be launched. (Default: 0) "

HIDDEN SERVICE OPTIONS:

HiddenServiceMaxStreams N

  " The maximum number of simultaneous streams (connections) per rendezvous circuit. (Setting this to 0 will allow an unlimited number of simultaneous streams.) (Default: 0) "

HiddenServiceMaxStreamsCloseCircuit 0|1

   " If set to 1, then exceeding HiddenServiceMaxStreams will cause the offending rendezvous circuit to be torn down, as opposed to stream creation requests that exceed the limit being silently ignored. (Default: 0) "

HiddenServiceNumIntroductionPoints NUM

   " Number of introduction points the hidden service will have. You can’t have more than 10. (Default: 3) "

...
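The SOCKS / DNS leak the post links to comes down to one detail of the SOCKS request: a client that resolves the hostname itself and sends the resulting IPv4 address (ATYP 0x01) has already leaked the lookup to the system resolver, whereas a client that sends the hostname (ATYP 0x03) lets Tor resolve it inside the network. The code below is an added example, not from the post or from Tor; it builds both request forms and parses them back the way the proxy side would, so you can see which one keeps resolution behind the SOCKSPort. Host names and ports in it are constructed.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Messages of the handshake that precede the CONNECT request (client offers
# "no authentication", proxy picks it). Tor's SOCKSPort accepts exactly this.
CLIENT_GREETING = bytes([SOCKS_VERSION, 1, 0x00])
SERVER_METHOD_CHOICE = bytes([SOCKS_VERSION, 0x00])


def build_connect_request(host, port):
    """Build a SOCKS5 CONNECT request.

    A literal IPv4 address is sent as ATYP 0x01; anything else is sent as a
    domain name (ATYP 0x03), which is what keeps DNS resolution on the Tor side.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def inspect_connect_request(req):
    """Parse a CONNECT request the way the proxy does and say who resolves the name."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown address type %#x" % atyp)
    port = struct.unpack("!H", req[end:end + 2])[0]
    return {"host": host, "port": port, "resolved_by_proxy": atyp == ATYP_DOMAIN}


def leak_risk(host, port):
    """True if the request form would imply a local DNS lookup before reaching Tor."""
    return not inspect_connect_request(build_connect_request(host, port))["resolved_by_proxy"]


if __name__ == "__main__":
    for h in ("example.onion", "203.0.113.5"):
        print(h, inspect_connect_request(build_connect_request(h, 8333)))
```

The first form is the one to want from any application you point at 127.0.0.1:9050; an application that only supports ATYP 0x01 (or SOCKS4 without the "a" extension) is the case the Tor FAQ entries above warn about, and routing its DNS through the TorDNS / dnsmasq setup in this post is the workaround the quoted Arch wiki section describes.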
  
legendary
Activity: 2646
Merit: 1722
Part 2

- Setting up and running bitcoind on your VPS

- Running a 'dual stack' bitcoind i.e. on clearnet and through Tor.

- Using 'ephemeral' hidden services as addnode=.onion's

Available soon.
legendary
Activity: 2646
Merit: 1722
How-to Guide: Set-up Tor on Linux (Ubuntu) and connect Bitcoin

With the release of Bitcoin Core version 0.12.0

- https://bitcointalksearch.org/topic/bitcoin-core-version-0120-released-1374377

We see the following developments for using Bitcoin with Tor:

Automatically use Tor hidden services
-------------------------------------

Starting with Tor version 0.2.7.1 it is possible, through Tor's control socket
API, to create and destroy 'ephemeral' hidden services programmatically.
Bitcoin Core has been updated to make use of this.

This means that if Tor is running (and proper authorization is available),
Bitcoin Core automatically creates a hidden service to listen on, without
manual configuration. Bitcoin Core will also use Tor automatically to connect
to other .onion nodes if the control socket can be successfully opened. This
will positively affect the number of available .onion nodes and their usage.

This new feature is enabled by default if Bitcoin Core is listening, and
a connection to Tor can be made. It can be configured with the `-listenonion`,
`-torcontrol` and `-torpassword` settings. To show verbose debugging
information, pass `-debug=tor`.



A good guide for how to easily set up Tor on Linux (Ubuntu) for use with Bitcoin seemed somewhat lacking, so here goes:

(Part 1) - Install Tor with ARM Controller.

Assuming that you already have SSH access to your server:

Code:
sudo apt-get update

Code:
sudo apt-get dist-upgrade

Check that you have the following packages installed and/or install them:

Code:
sudo apt-get install nano screen ca-certificates openssl ntp ntpdate

Check your time server offset:

Code:
ntpdate -q ntp.ubuntu.com

Reboot here, if necessary.


OK. Let's add the Tor official package repository to our sources list:

Reference: https://www.torproject.org/docs/debian.html#ubuntu

Code:
echo 'deb http://deb.torproject.org/torproject.org trusty main' | sudo tee -a /etc/apt/sources.list.d/torproject.list

Import the key:

Code:
gpg --keyserver keyserver.ubuntu.com --recv 886DDD89

or use: gpg --keyserver keys.gnupg.net --recv 886DDD89

Now export the key:

Code:
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Refresh our sources again and we should now see http://deb.torproject.org being hit a bunch of times.

Code:
sudo apt-get update

Install Tor:

Code:
sudo apt-get install tor

Now stop Tor, as we need to configure it properly:

Code:
sudo service tor stop

The Tor Project provides a package to keep the signing key current, which is a good thing, so let's install it:

Code:
sudo apt-get install deb.torproject.org-keyring

Install the Tor GeoIP database (it might already be installed):

Code:
sudo apt-get install tor-geoipdb

Install Tor ARM controller:

Code:
sudo apt-get install tor-arm apparmor-utils

Done.


Next we need to configure how Tor will run. We do this by editing our torrc file.

Code:
sudo nano /etc/tor/torrc

The most important lines in the torrc to add or uncomment (removing the #) for basic CLIENT only (i.e. non-bridge, non-relay, non-exit) Bitcoin operation through Tor are:

Quote
ClientOnly 1

SOCKSPort 9050

SOCKSPolicy accept 127.0.0.1/8

Log notice file /var/log/tor/notices.log

ControlPort 9051

HiddenServiceStatistics 0

ORPort 9001

LongLivedPorts 8333

ExitPolicy reject *:*

DisableDebuggerAttachment 0

See: https://www.torproject.org/docs/tor-manual.html

- The above torrc config. connects us to the Tor network, as CLIENT only and ensures the SOCKS Port 9050 is accessible from our localhost (127.0.0.1:9050) for Bitcoin to connect through. N.B. This is also considered an optimal config. for hosting your own Bitcoin addnode=.onion Tor 'ephemeral' hidden_service.

Navigate the torrc screen using your keyboard's arrow keys. When done, save the torrc config. with:

Quote
ctrl + x


Now we are ready to start Tor and the ARM controller using a separate screen session (which is very convenient when using a VPS).

Start (restart) Tor:

Code:
sudo service tor restart

Create a new screen session called tor:

Code:
screen -S tor

Now start ARM within the new 'tor' screen session:

Code:
sudo -u debian-tor arm

N.B. If 'sudo' won't run, then just use: arm

Success! Now Tor and ARM are running. You can navigate the ARM 'tabs' using the arrow keys on your keyboard.

To exit ARM's screen session (although keep it running when you exit the VPS or continue to work in another screen) press:

Quote
ctrl + A + D

To re-enter the running screen:

Code:
screen -r tor

N.B. Use this command and not ' screen -S tor ' to check that Tor / ARM are running when you next login to your VPS.
You only need to use ' screen -S tor ' if you restarted the VPS or shut down the screen session.

You can also use ARM to shut down Tor (closing ARM by pressing q q), first using the menu tab m in ARM, or simply just use:

Code:
sudo service tor stop


N.B. Some VPS servers do not allow using the 'sudo' command as user, so simply omit any reference to 'sudo' in any line above if you encounter this issue.


OK. Part 2 of this guide will look to cover:

- Setting up and running bitcoind on your VPS

- Running a 'dual stack' bitcoind i.e. on clearnet and through Tor.

- Using 'ephemeral' hidden services as addnode=.onion's


If this guide was useful for you please consider some 'tips / donations' at http://StartOR.org - Cheers!
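Once the torrc above is in place, the two things worth verifying before pointing Bitcoin at it are that every listener (SOCKSPort, ControlPort, DNSPort if you added one) is bound to loopback and that the control port has some authentication configured. The checker below is an added example, not part of the guide or of Tor; it parses the torrc format (`Key value`, `#` comments, keys may repeat) and reports those two points. Its first sample is a constructed copy of the guide's client-only lines; the second is a deliberately weak variant with `SOCKSPort 0.0.0.0:9050`. Note that the guide's torrc leaves control-port auth to the Debian package's defaults file (which the first post in this thread mentions), so the checker, which only sees this one file, reports that as a finding to confirm rather than an error.

```python
import ipaddress

# Constructed copy of the client-only torrc lines from the guide.
SAMPLE_TORRC = """\
ClientOnly 1
SOCKSPort 9050
SOCKSPolicy accept 127.0.0.1/8
Log notice file /var/log/tor/notices.log
ControlPort 9051
HiddenServiceStatistics 0
LongLivedPorts 8333
ExitPolicy reject *:*
"""

# Constructed weak variant: SOCKS listener exposed on every interface.
WEAK_TORRC = """\
ClientOnly 1
SOCKSPort 0.0.0.0:9050  # exposes the Tor SOCKS proxy to the whole network
ControlPort 9051
"""

LISTENERS = ("SOCKSPort", "ControlPort", "DNSPort", "TransPort")
CONTROL_AUTH_KEYS = {"CookieAuthentication", "HashedControlPassword"}


def parse_torrc(text):
    """Return (key, value) pairs in file order; torrc keys may legitimately repeat."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def listener_address(value):
    """Bind address of a *Port value, or None if the listener is disabled/unix-socket.

    '9050' and 'auto' bind 127.0.0.1; '0.0.0.0:9050' binds everywhere;
    '[::]:9050' binds every IPv6 address. Trailing flags (IsolateDestAddr ...) are ignored.
    """
    spec = value.split()[0]
    if spec == "0" or spec.startswith("unix:"):
        return None
    if spec == "auto" or spec.isdigit():
        return "127.0.0.1"
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    return spec.rsplit(":", 1)[0]


def audit_torrc(text):
    """Return findings as strings; an empty list means the checks pass."""
    entries = parse_torrc(text)
    keys = {k for k, _ in entries}
    findings = []
    for key, value in entries:
        if key in LISTENERS:
            addr = listener_address(value)
            if addr is not None and not ipaddress.ip_address(addr).is_loopback:
                findings.append("%s bound to %s, reachable beyond localhost" % (key, addr))
    if "ControlPort" in keys and not (CONTROL_AUTH_KEYS & keys):
        findings.append("ControlPort set without CookieAuthentication/HashedControlPassword in this file")
    if ("ClientOnly", "1") not in entries:
        findings.append("ClientOnly 1 not set")
    return findings


if __name__ == "__main__":
    with open("/etc/tor/torrc") as f:
        print(audit_torrc(f.read()) or ["no findings"])
```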
  