diff --git a/README.md b/README.md index cc889ed..e316387 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,90 @@ -# torproject +# Torproject -Alles rund um das Torproject \ No newline at end of file +Aktuell stelle ich nur ein Installationsscript für Ubuntu zu Verfügung. +Man kann Tor Relay selbstverständlich auch aus den Paketquellen von Ubuntu installieren, jedoch sind die Pakete oft nicht aktuell und deshalb sicherheitstechnisch schwierig. + + +## Voraussetzungen: + +OS: `Ubuntu 22.04` + +Architektur: `amd64` + +## Installation + +Die Installation kann einfach gestartet werden: + +`curl -s https://git.media-techport.de/scriptos/torproject/raw/branch/main/tor-relay-installer-ubuntu2204.v1.sh | bash` + + +## Konfiguration + +Die Konfiguration wird üblicherweise nach der Installation mit `nano /etc/tor/torrc` vorgenommen. + +| Option | Beschreibung | Beispiel / Standardwert | +| ------------------------------ | ------------------------------------------------------------------ | ----------------------- | +| `SocksPort` | Gibt den Port an, auf dem Tor SOCKS-Anfragen entgegennimmt. | `9050` | +| `Log` | Legt fest, wo und in welchem Format Tor Protokolleinträge speichert.| `notice file /var/log/tor/notices.log` | +| `ExitPolicy` | Bestimmt, welche Art von Ausgangsverkehr vom Server erlaubt wird. | `reject *:*` | +| `HiddenServiceDir` | Verzeichnis, in dem Informationen zu versteckten Diensten gespeichert werden. | `/var/lib/tor/hidden_service/` | +| `HiddenServicePort` | Gibt die Portnummer an, die für einen versteckten Dienst verwendet wird. | `80 127.0.0.1:8080` | +| `ControlPort` | Port für die Tor-Steuerungsschnittstelle. | `9051` | +| `HashedControlPassword` | Passwort für die Authentifizierung an der Steuerungsschnittstelle. | `16:872860B760133C1D60E856594C8C704751AF76C584B510D` | +| `DataDirectory` | Speicherort für Tor-Laufzeitdaten. | `/var/lib/tor` | +| `GeoIPFile` | Pfad zur GeoIP-Datenbankdatei für die Standorterkennung. | `/usr/share/tor/geoip` | +| `HardwareAccel` | Aktiviert Hardware-Beschleunigung, falls verfügbar. | `1` | +| `ClientOnly` | Definiert, ob der Knoten nur als Client und nicht als Relay fungieren soll. | `1` | +| `RelayBandwidthRate` | Begrenzt die Bandbreite, die das Tor-Relay verwendet. | `100 KBytes` | +| `RelayBandwidthBurst` | Erlaubt kurzfristige Überschreitung der Bandbreitenbeschränkung. | `200 KBytes` | +| `ExcludeExitNodes` | Verhindert, dass bestimmte Knoten als Exit-Relays verwendet werden.| `{ru},{ua},{by}` | +| `NumEntryGuards` | Anzahl der Eintrittswächter, die Tor für Pfade verwendet. | `3` | +| `CircuitBuildTimeout` | Zeitlimit für den Aufbau eines Tor-Circuits. | `60` | +| `KeepalivePeriod` | Zeitintervall für das Senden von Keep-Alive-Nachrichten. | `60` | +| `NewCircuitPeriod` | Zeitraum, nach dem Tor automatisch neue Circuits erstellt. | `10` | +| `DisableNetwork` | Schaltet die Netzwerkfunktion von Tor temporär aus. | `0` | +| `UseBridges` | Gibt an, ob Tor Bridges anstelle von normalen Entry-Nodes verwenden soll. | `1` | +| `MyFamily` | Liste von Fingerabdrücken anderer Relays, die vom selben Betreiber verwaltet werden. | `MyFamily $keyid1,$keyid2,...` | + +Weitere Informationen stehen in der Konfigurationsdatei (auf Englisch) + +## Tor Relay starten + +Das Relay kann nach der Konfiguration mit `systemctl start tor.service` gestartet werden. + + +## Nyx in Verbindung mit Tor + +Nyx, früher bekannt als Arm (Anonymizing Relay Monitor), ist eine Befehlszeilenanwendung für die Überwachung und Steuerung von Tor-Knoten. Sie bietet: + +- Bietet detaillierte Echtzeit-Statistiken über den Betrieb eines Tor-Knotens. +- Einschließlich Bandbreitennutzung, Verbindungen, Logs und mehr. +- Ermöglicht das Überprüfen und Anpassen der Tor-Konfiguration direkt über die Anwendung. +- Zeigt eine Übersicht über den aktuellen Zustand des Tor-Netzwerks. +- Einsicht in Verbindungen, die durch den eigenen Knoten gehen. +- Anzeige von Tor-Logdateien in Echtzeit, nützlich für Fehlersuche und Monitoring. +- Trotz der Befehlszeilenbasis, bietet es eine benutzerfreundliche Schnittstelle. +- Ermöglicht auch weniger technisch versierten Benutzern effektive Überwachung und Verwaltung ihrer Tor-Instanzen. + +Nyx ist ein essenzielles Werkzeug für jeden, der einen Tor-Knoten betreibt, insbesondere für diejenigen, die eine detaillierte Übersicht und Kontrolle über ihre Tor-Instanzen benötigen. + +Nyx wir ganz einfach gestartet mit `nyx` + + +## UFW Firewall + +UFW kann folgendermaßen konfiguriert werden: + +`sudo ufw allow from any to any port 9001 proto tcp comment "ANY > TOR Onion Routing"` + +`sudo ufw allow from any to any port 9030 proto tcp comment "ANY > TOR Directory Port"` + +`ufw reload` + + +## Weiterführende Links + +- https://nyx.torproject.org/#config_editor +- https://deb.torproject.org/ +- https://community.torproject.org/de/onion-services/setup/install/#installing-tor-from-source +- https://support.torproject.org/de/relay-operators/ +- https://support.torproject.org/de/apt/tor-deb-repo/ diff --git a/tor-relay-installer-ubuntu2204.v1.sh b/tor-relay-installer-ubuntu2204.v1.sh new file mode 100644 index 0000000..01aa795 --- /dev/null +++ b/tor-relay-installer-ubuntu2204.v1.sh @@ -0,0 +1,34 @@ +#!/bin/bash +# Script Name: tor-relay-installer-ubuntu2204.v1.sh +# Beschreibung: Installiert ein Tor-Relay +# Aufruf: curl -s https://git.media-techport.de/scriptos/torproject/raw/branch/main/tor-relay-installer-ubuntu2204.v1.sh | bash +# Autor: Patrick Asmus +# Web: https://www.media-techport.de +# Git-Reposit.: https://git.media-techport.de/scriptos/torproject.git +# Version: 1.0 +# Datum: 14.03.2024 +# Modifikation: Initiale Freigabe +##################################################### + +# Aktualisiere Paketlisten +sudo apt update +sudo apt install apt-transport-https -y + +# Füge Tor Repository hinzu +echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main" | sudo tee /etc/apt/sources.list.d/tor.list +echo "deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main" | sudo tee -a /etc/apt/sources.list.d/tor.list + +# Importiere und speichere den GPG-Schlüssel des Tor-Projekts +curl -s https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null + +# Installation der Pakete +sudo apt update +sudo apt install deb.torproject.org-keyring tor nyx -y + +cp /etc/tor/torrc /etc/tor/torrc.orig + +echo "" +echo "----------------------------------------------------" +echo "Bitte stelle sicher, dass die Konfiguration in Ordnung ist, bevor du Tor mit startest!" +echo " Die Konfiguration kannst du mit bearbeiten." +echo "----------------------------------------------------" diff --git a/torrc b/torrc new file mode 100644 index 0000000..766495f --- /dev/null +++ b/torrc @@ -0,0 +1,195 @@ +## Configuration file for a typical Tor user +## Last updated 9 October 2013 for Tor 0.2.5.2-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +OutboundBindAddress 0.0.0.0 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname meinname + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KB. +## Note that units for these config options are bytes per second, not bits +## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. +#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) +RelayBandwidthRate 3840 KBytes +RelayBandwidthBurst 5760 KBytes + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +#AccountingMax 4 GB +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort 9030 + +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentionally reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + diff --git a/torrc.orig b/torrc.orig new file mode 100644 index 0000000..a05f52c --- /dev/null +++ b/torrc.orig @@ -0,0 +1,192 @@ +## Configuration file for a typical Tor user +## Last updated 9 October 2013 for Tor 0.2.5.2-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KB. +## Note that units for these config options are bytes per second, not bits +## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. +#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +#AccountingMax 4 GB +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentionally reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 +