TorK – anonymity manager for TDE

USINGTORK 12KB

Here are some miscellaneous notes on using Tor and TorK:

What do I need to know about Tor/TorK?

First of all some don'ts:

* Don't use Tor/TorK for plaintext traffic such as POP3 (downloading emails)
  or telnet. By doing so you are sending out username/password combinations that
  some people harvest, e.g. http://tor.unixgu.ru.

* Don't mix 'anonymous' and 'non-anonymous' traffic in Tor. For example,
  don't do some anonymous browsing and then log into hotmail during the same
  'anonymous' Tor session. Why? Anyone listening on the tor network might put
  two and two together and identify you. Better to keep Tor for 'anonymous'
  tasks only.

Now some do's:

* Do run a Tor server if you can. Choose one of the server options TorK
  provides. A 'Relay' server is an easy and hassle-free way to contribute to the
  network. An 'Exit' server is the only one that involves putting your name to
  other people's traffic.

* Do behave responsibly when using Tor. Try not to sink to the level of your
  own government!

Finally:

Tor is developed and maintained by the people at http://tor.eff.org. They are
professionals. They're mostly from MIT. They know what they're doing. TorK is
developed and maintained by a hobbyist. From Ireland. In his spare time.
So: TorK probably has lots of faults the developer is not aware of or hasn't
fixed yet. If you spot them, let the poor sod know by clicking on Help ->
'Report Bug'.

What is 'Paranoid Mode'?

In TorK, you can switch between 'Paranoid' and 'Not-So-Paranoid' mode by
clicking on the icon of the toggling penguin-ghost. When in 'Paranoid Mode'
TorK/Tor will try to use a new identity for every new connection you make.
This helps mitigate the problem where you mix 'anonymous' and 'non-anonymous'
traffic in Tor. For example, if you do some anonymous browsing and then log
into hotmail during the same 'anonymous' Tor session, anyone listening on the
tor network might put two and two together and identify you. Using different
identities for each connection will help reduce this problem. However,
'Paranoid Mode' is slow and you are probably better off just not mixing
'anonymous' and 'non-anonymous' activity in the first place.

Where is the paranoid button located?

Under the first tab ("Anonymize"), in the first section ("Welcome...", next to
the big onion icon), you will see the toggling ghost-penguin button followed
by a URL-like clickable link (mentioning the "paranoid mode").
Click on the icon itself to toggle between the two modes. Clicking the
URL-like link next to it does something else. This has been fixed in CVS
(the icon was added to the menu and toolbar).

Why can't Konqueror access the Internet through Tor?

Konqueror works just fine when I set up its proxies manually (from kcontrol).
Then I open TorK and it no longer works. It doesn't matter how I toggle TorK's
Konqueror button. Then I have to manually restore Konqueror's proxies (in
kcontrol), and Konqueror starts working again. That is, until I restart TorK,
when all this happens again.

Tor/TorK say my Tor server isn't reachable. What should I do?

To make your Tor server visible to the world, there are a number of things you
need to make sure are set up correctly.

Step One

Make sure your firewall is allowing traffic to Tor's server ports. These are
the commands I added to my own firewall script (the host my instance of Tor is
running on is 192.168.1.2):

    # Allow Tor to go through
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT

If you are wondering, 'Where's my firewall script?', then you should probably
create one. This is mine, for what it's worth (and that's not much):

    #!/bin/bash

    # Load connection-tracking helper modules
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc

    # Flush old rules and delete old user-defined chains, so that the
    # script can be re-run without 'iptables -N' failing
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t mangle -F

    # Set default policies
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT

    # Allow Tor to go through (ORPort 9001, DirPort 9031)
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9001 -j ACCEPT
    iptables -A INPUT -p tcp -d 192.168.1.2 --dport 9031 -j ACCEPT

    # bittracker portforwarding
    BTPORTS="7682 6881 6882 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
    for pt in $BTPORTS; do
        iptables -A INPUT -i eth0 -p tcp --dport "$pt" -j ACCEPT
    done

    # Drop packets addressed to 127.0.0.0/8 that did not arrive on lo
    iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Rate-limit new TCP connections (SYN packets); log and drop the excess
    iptables -N Flood-Scan
    iptables -A INPUT -p tcp -m tcp --syn -j Flood-Scan
    iptables -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
    iptables -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
    iptables -A Flood-Scan -j DROP

    # Drop new TCP connections that do not start with a SYN, and SYN+FIN packets
    iptables -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Allow packets belonging to connections that are already tracked
    iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
    iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Allow ICMP error messages and echo replies
    iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

Save this to something like /etc/fwscript. Then do the following to the
file:

    chmod +x /etc/fwscript

To have the firewall set up every time you turn on your Linux box, add it to
the local equivalent of your /etc/rc.d/rc.local file. If you don't know what
that is then I'm afraid you're going to have to find out yourself.

Step Two

If you have a broadband connection you may need to configure your router to
allow access to your Tor service. In most cases this means something like what
I had to do with my own Zyxel prestige router. The instructions that follow
are specific to my router but you should be able to do something similar with
your own:

    robert@darkstar ~> telnet 192.168.1.1
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    Password:

Then I got this screen:

    Copyright (c) 1994 - 2003 ZyXEL Communications Corp.

                   Prestige 623R-T1 Main Menu

    Getting Started                  Advanced Management
      1. General Setup                 21. Filter Set Configuration
      3. LAN Setup                     22. SNMP Configuration
      4. Internet Access Setup         23. System Password
                                       24. System Maintenance
    Advanced Applications              25. IP Routing Policy Setup
      11. Remote Node Setup            26. Schedule Setup
      12. Static Routing Setup
      15. NAT Setup
      99. Exit

    Enter Menu Selection Number: 15

I selected 'NAT Setup'.

    Menu 15 - NAT Setup

      1. Address Mapping Sets
      2. NAT Server Sets

    Enter Menu Selection Number:2

I selected 'NAT Server Sets'.

    Menu 15.2 - NAT Server Sets

      1. Server Set 1 (Used for SUA Only)
      2. Server Set 2
      3. Server Set 3
      4. Server Set 4
      5. Server Set 5
      6. Server Set 6
      7. Server Set 7
      8. Server Set 8
      9. Server Set 9
      10. Server Set 10

    Enter Set Number to Edit: 1

I selected the first one.

    Menu 15.2 - NAT Server Setup

    Rule    Start Port No.    End Port No.    IP Address
    ---------------------------------------------------
     1.     Default           Default         0.0.0.0
     2.     0                 0               0.0.0.0
     3.     9031              9031            192.168.1.2
     4.     9001              9001            192.168.1.2
     5.     0                 0               0.0.0.0
     6.     0                 0               0.0.0.0
     7.     0                 0               0.0.0.0
     8.     0                 0               0.0.0.0
     9.     0                 0               0.0.0.0
    10.     0                 0               0.0.0.0
    11.     0                 0               0.0.0.0
    12.     0                 0               0.0.0.0

    Press ENTER to Confirm or ESC to Cancel:

As you might guess the address of my pc is 192.168.1.2 and I'm running my Tor
ORPort on 9001 and my Tor DirPort on 9031. You're probably doing the same.
That's it. Save your changes and exit the telnet session with the router.

Step Three

Your Tor server should now be reachable - unless you (or your distro) have
done something exotic with your hosts.allow and hosts.deny files. Try starting
your Tor server again from TorK and see what happens. If you are still
experiencing problems try the Tor FAQ Entry for more possibilities.

How do I use TorK to anonymize applications?

The 'Anonymize' tab allows you to launch 'anonymized' instances of various
applications with a single click.

How can I be sure it's working?

In the miniview, you should see the sites you are connecting to in their 'raw'
form. For example, if you launched an 'Anonymous SSH session' and have typed
the following in konsole:

    ssh me@my.shell.net

You should see 'my.shell.net' in the miniview and not my.shell.net's IP
address. If you see an IP address, that means your system has bypassed Tor to
get the IP address for my.shell.net. This is a problem if you think someone
might be using your domain name lookups to track your internet activity. If
you are having this problem, you should delete all instances of libtsocks.so on
your system and re-install TorK; that should ensure the correct library is
being called to route all traffic through Tor.

How is it meant to work?

TorK uses two helper applications: 1. 'torify', a shell script installed with
Tor; and 2. 'tsocks', a utility bundled and installed with TorK that ensures
the application goes through Tor anonymously.

OK, how does it really work?

TorK launches the following command:

    torify name-of-your-app-here

The torify script calls a script called tsocks. This loads the libtsocks.so
library, which is dynamically linked to the application at runtime. The
libtsocks.so library intercepts all of the application's TCP/IP calls and
routes them through Tor, i.e. uses Tor as a SOCKS proxy.

This tsocks, it's the one available at http://tsocks.sf.net right?

No, it's a version of that one patched to intercept domain name resolutions as
well as all other traffic. See this entry in the Tor FAQ to understand why
this is desirable.


Security/Anonymity FAQs

Is Tor more secure than ordinary internet use?

No. In some ways it's less secure (though this is just an opinion).
Let me explain: The Tor network contains known eavesdroppers. These
eavesdroppers are servers on the network that act as exit nodes (points in the
Tor network where your traffic pops back out onto the internet proper). If you
use plaintext authentication (e.g. type a name/password into a website that is
not using a secure connection) and are using an eavesdropper as your exit
node, that exit node can capture your username/password.

But isn't there a risk of this happening in the ordinary internet anyway?

Yes, of course there is. However, you do not know (for a fact) that there are
computers listening to your ordinary internet connection - but you do know
(now) that there are servers on the Tor network listening to traffic. And they
could listen to yours if you do not behave securely. Put simply: Tor has a
specific layer of exposure that is easily accessible to anyone who is
interested in it. That is not true of non-Tor traffic.

This is not a widely accepted opinion (to paraphrase Nigel Tufnel, 'it's a
fine line between paranoid and stupid'), so for more info see:

Tor Eavesdropping FAQ
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1

Where are all the other Security/Anonymity answers?

I'll leave that to the experts:
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ