From efa2afdf227ea5f566ffe86680acfa86a0db10d1 Mon Sep 17 00:00:00 2001
From: Gaming4JC
Date: Sun, 26 Feb 2017 10:56:41 -0500
Subject: add tor-hardened-preferences to nonprism
---
nonprism/tor-hardened-preferences/PKGBUILD | 30 ++++++++
.../tor-hardened-preferences.install | 81 ++++++++++++++++++++++
.../tor-hardened-preferences/tor-hardened.service | 5 ++
nonprism/tor-hardened-preferences/tor-hardened.sh | 23 ++++++
nonprism/tor-hardened-preferences/torchroot.sh | 35 ++++++++++
nonprism/tor-hardened-preferences/torrc | 49 +++++++++++++
6 files changed, 223 insertions(+)
create mode 100644 nonprism/tor-hardened-preferences/PKGBUILD
create mode 100644 nonprism/tor-hardened-preferences/tor-hardened-preferences.install
create mode 100644 nonprism/tor-hardened-preferences/tor-hardened.service
create mode 100644 nonprism/tor-hardened-preferences/tor-hardened.sh
create mode 100644 nonprism/tor-hardened-preferences/torchroot.sh
create mode 100644 nonprism/tor-hardened-preferences/torrc
(limited to 'nonprism')
diff --git a/nonprism/tor-hardened-preferences/PKGBUILD b/nonprism/tor-hardened-preferences/PKGBUILD
new file mode 100644
index 000000000..752bc9494
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/PKGBUILD
@@ -0,0 +1,30 @@
+# Maintainer: Luke R. GPG: rsa4096/3EAE8697
+# Contributor: André Silva
+
+pkgname=tor-hardened-preferences
+pkgver=0.1
+pkgrel=1
+pkgdesc="Creates clean chroot for TOR to run in, and cleans left over files when done running."
+arch=(any)
+license=(GPL3)
+depends=('tor')
+url="https://wiki.parabola.nu/Nonprism"
+install=tor-hardened-preferences.install
+source=('tor-hardened.service'
+'tor-hardened.sh'
+'torrc'
+'torchroot.sh'
+'tor-hardened-preferences.install')
+sha512sums=('2bd9ecdc089b49358e4fd1d4cddbc7e6260ab56c0c870f287bb8e4a8553111902df8222d3836046bdf011d2c02123e24cebfe1d9ca88259c7bd61e308bf68c77'
+ '26ca71558e0651858226fe475cd96456e4c9039f1954832e7a7b7011b31b67e82dadd6d033059f88dd8ed355ac9dd4568058f04482c7011d6f0ae47726c9c557'
+ '5d732ddbd96c0467434a03c1ba3aa14f5536affb1fa713a78b0d95eccefbfe4c9b6d68fefcbbf7fc9f23e5e80e4ddfb67f2047ad3bdd14a0b5bb72a9e947404e'
+ 'd767d55763ad2952e1620260fe92d3cd15383454ec7cae17432c8294bbc056ac5a91d9bf958b4a6bef4000d9bc78ca2411c6e6e48b352ec64fb33a8c0f2da98f'
+ '025b2b8ec7c74908af43b13d6dbb7fc85901b7f6e9899ab8e0cfc5f6d806d37d137378d4ef44f04e39250f874cdbe4152357e9e778a007833b779217978d49bb')
+
+package() {
+ mkdir -p ${pkgdir}/opt/tor-hardened-scripts
+ install -Dm755 tor-hardened.sh ${pkgdir}/opt/tor-hardened-scripts/tor-hardened.sh
+ install -Dm644 torrc ${pkgdir}/opt/tor-hardened-scripts/torrc
+ install -Dm755 torchroot.sh ${pkgdir}/opt/tor-hardened-scripts/torchroot.sh
+ install -Dm0644 "${srcdir}/tor-hardened.service" "${pkgdir}/usr/lib/systemd/system/tor-hardened.service"
+}
diff --git a/nonprism/tor-hardened-preferences/tor-hardened-preferences.install b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
new file mode 100644
index 000000000..21c1d9f08
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
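Review bot: `${pkgdir}` is unquoted on the `mkdir` line and the first three `install` lines of `package()` while the final `install` quotes it; quoting all of them, e.g. `install -Dm755 tor-hardened.sh "${pkgdir}/opt/tor-hardened-scripts/tor-hardened.sh"`, keeps the function consistent and safe for build directories containing spaces. The `mkdir -p ${pkgdir}/opt/tor-hardened-scripts` line is redundant because `install -D` already creates the leading directories. Since torchroot.sh copies this torrc into the chroot and tor-hardened.sh runs Tor with the chroot's copy, a comment above the `install -Dm644 torrc` line such as `# torrc is a template: edits here only take effect after the chroot is rebuilt` would spare users a confusing no-op edit.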
@@ -0,0 +1,81 @@
+pre_install() {
+ echo "Cleaning any old chroots before installing a new one..."
+ rm -rf /opt/torchroot
+}
+
+post_install() {
+ echo "Installing a new chroot ... "
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+}
+
+post_upgrade() {
+ systemctl stop tor-hardened
+ echo "Cleaning old chroot and putting in a new one..."
+ rm -rf /opt/torchroot
+ wait
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+ systemctl daemon-reload
+}
+
+post_remove() {
+ echo "Deleting chroot..."
+ rm -rf /opt/torchroot
+ wait
+ echo "Done!"
+}
\ No newline at end of file
diff --git a/nonprism/tor-hardened-preferences/tor-hardened.service b/nonprism/tor-hardened-preferences/tor-hardened.service
new file mode 100644
index 000000000..117c0644e
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened.service
@@ -0,0 +1,5 @@
+[Service]
+User=root
+ExecStart=
+ExecStart=/usr/bin/sh -c "/opt/tor-hardened-scripts/tor-hardened.sh"
+KillSignal=SIGINT
\ No newline at end of file
diff --git a/nonprism/tor-hardened-preferences/tor-hardened.sh b/nonprism/tor-hardened-preferences/tor-hardened.sh
new file mode 100644
index 000000000..c9fe36795
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened.sh
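Review bot: The exit status of `/usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"` is never checked in `post_install()` or `post_upgrade()`, so a partially built chroot (a failed library or geoip copy) is still followed by `echo "Done!"` and the usage banner; `/usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh" || { echo "chroot creation failed, see output above" >&2; return 1; }` would surface it. The `wait` calls in all three hooks are no-ops because nothing is started in the background. The usage banner is duplicated verbatim between `post_install()` and `post_upgrade()`; a `_print_usage()` helper called from both would keep the two copies from drifting. The TCP rule in that banner, `iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053`, presumably cannot be served by Tor's `DNSPort`, which as far as I know accepts UDP only, so TCP lookups would be refused rather than torified; worth confirming before shipping it as an instruction.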
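Review bot: The unit consists of a `[Service]` section only, so the `systemctl enable tor-hardened.service` step that the install banner instructs has no `[Install]`/`WantedBy=` to act on, and there is no `[Unit]` ordering relative to the network or any conflict with the stock tor.service that the banner asks users to disable by hand. The empty `ExecStart=` line before the real one only has meaning in a drop-in override and can be dropped from a full unit. A `Conflicts=tor.service` line would enforce what the banner only requests, since both services would otherwise try to bind the same local ports.

```ini
[Unit]
Description=Tor running in a cleaned chroot (/opt/torchroot)
After=network.target
Conflicts=tor.service

[Service]
User=root
ExecStart=/usr/bin/sh -c "/opt/tor-hardened-scripts/tor-hardened.sh"
KillSignal=SIGINT
Restart=on-failure

[Install]
WantedBy=multi-user.target
```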
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+##############################################
+# Tor-Hardened Cleaner & Startup Script #
+##############################################
+# Clean left over files
+echo "Cleaning any files left over from a previous run..."
+rm /opt/torchroot/var/lib/tor/*
+# Detect old version and upgrade
+Torchroothash=$(sha256sum /opt/torchroot/usr/bin/tor | awk '{print $1}')
+Toroutsidehash=$(sha256sum /usr/bin/tor | awk '{print $1}')
+if [ "$Torchroothash" != "$Toroutsidehash" ]
+then
+ echo "New version of Tor detected! Updating chroot before running."
+ rm -rf /opt/torchroot
+ wait
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+fi
+
+# Start Tor inside of our chroot
+echo "Running Tor..."
+chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc
\ No newline at end of file
diff --git a/nonprism/tor-hardened-preferences/torchroot.sh b/nonprism/tor-hardened-preferences/torchroot.sh
new file mode 100644
index 000000000..b8336b65b
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/torchroot.sh
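Review bot: The rebuild check on the `Torchroothash`/`Toroutsidehash` lines compares only `/usr/bin/tor`, but torchroot.sh also copies every shared library that `ldd` reports into `/opt/torchroot/usr/lib/`, so a host upgrade of one of those libraries leaves the chroot running the old, possibly vulnerable copy indefinitely because the binary's hash is unchanged. Comparing each file the chroot was built from against its chroot copy closes that gap, and `cmp -s` does it without hashing. The script also falls through to the `chroot` line when torchroot.sh fails, so a failed rebuild should abort before Tor is started; the two `wait` calls are no-ops since nothing runs in the background.

```sh
# … unchanged: cleanup of /opt/torchroot/var/lib/tor …
# Rebuild the chroot when the tor binary OR any of its shared libraries changed on the host
needs_rebuild=0
for host_file in /usr/bin/tor $(ldd /usr/bin/tor | awk '{print $3}' | grep '^/'); do
    case "$host_file" in
        /usr/bin/tor) chroot_file=/opt/torchroot/usr/bin/tor ;;
        *)            chroot_file=/opt/torchroot/usr/lib/$(basename "$host_file") ;;
    esac
    if ! cmp -s "$host_file" "$chroot_file"; then
        needs_rebuild=1
        break
    fi
done
if [ "$needs_rebuild" -eq 1 ]; then
    echo "New version of Tor or one of its libraries detected! Updating chroot before running."
    rm -rf /opt/torchroot
    /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh" || { echo "chroot rebuild failed, refusing to start Tor" >&2; exit 1; }
fi
# … unchanged: echo and chroot --userspec=tor:tor start line …
```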
@@ -0,0 +1,35 @@
+#!/bin/bash
+# torchroot generate script
+export TORCHROOT=/opt/torchroot
+
+mkdir -p $TORCHROOT
+mkdir -p $TORCHROOT/etc/tor
+mkdir -p $TORCHROOT/dev
+mkdir -p $TORCHROOT/usr/bin
+mkdir -p $TORCHROOT/usr/lib
+mkdir -p $TORCHROOT/usr/share/tor
+mkdir -p $TORCHROOT/var/lib
+
+ln -s /usr/lib $TORCHROOT/lib
+# Replace this line if you want to copy your own torrc instead of the one provided by hardened script.
+cp /opt/tor-hardened-scripts/torrc $TORCHROOT/etc/tor/
+
+cp /usr/bin/tor $TORCHROOT/usr/bin/
+cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
+cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
+cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/
+cp -r /var/lib/tor $TORCHROOT/var/lib/
+chown -R tor:tor $TORCHROOT/var/lib/tor
+
+sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
+sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"
+
+mknod -m 644 $TORCHROOT/dev/random c 1 8
+mknod -m 644 $TORCHROOT/dev/urandom c 1 9
+mknod -m 666 $TORCHROOT/dev/null c 1 3
+
+if [[ "$(uname -m)" == "x86_64" ]]; then
+ cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
+ ln -sr /usr/lib64 $TORCHROOT/lib64
+ ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
+fi
\ No newline at end of file
diff --git a/nonprism/tor-hardened-preferences/torrc b/nonprism/tor-hardened-preferences/torrc
new file mode 100644
index 000000000..e0740b6f7
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/torrc
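Review bot: The last `ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64` writes the absolute host path `/opt/torchroot/usr/lib` as the link target, which does not exist once Tor is inside the chroot, so `/usr/lib64` dangles there; `ln -s /usr/lib "${TORCHROOT}/usr/lib64"` (the same form as the `/lib` link earlier in the script) resolves correctly from both sides, though whether anything in the chroot actually follows `/usr/lib64` I cannot tell from this hunk. The script runs without `set -e`, so a failed `cp` of the `ldd` library list or of `geoip*` leaves a partial chroot that the install hook still reports as done; `set -eu` after the shebang, or an exit check on the library `cp`, would fail closed. The `grep --color=never ^tor /etc/passwd` and `/etc/group` lines also copy any account whose name merely starts with `tor` into the chroot; `grep '^tor:'` limits them to the tor user and group. The `sh -c` wrappers around those two greps add nothing over a plain redirection in the bash script itself.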
@@ -0,0 +1,49 @@
+## Configuration file for an atypical Tor user
+## Based on torrc configurations provided by...
+# https://gitweb.torproject.org/tor.git/plain/src/config/torrc.sample.in
+# https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/tor/torrc
+# https://www.torproject.org/docs/tor-manual.html.en
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+DataDirectory /var/lib/tor
+
+# Stream Isolation
+## https://tails.boum.org/contribute/design/stream_isolation/
+## https://wiki.gentoo.org/wiki/Tor#Stream_isolation
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the MUA
+SocksPort 127.0.0.1:9061 IsolateDestAddr
+
+## SocksPort for misc applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+#ControlListenAddress 127.0.0.1
+
+
+
+## Torified DNS
+DNSPort 127.0.0.1:9053 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit, .onion
+#ClientDNSRejectInternalAddresses 1 (Default is already 1)
+ClientRejectInternalAddresses 1
+
+## Transparent proxy
+TransPort 127.0.0.1:9040 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+
+## Misc
+AvoidDiskWrites 1
+Sandbox 1
+ExtraInfoStatistics 0
+EnforceDistinctSubnets 1
\ No newline at end of file
-- 
cgit v1.2.2
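Review bot: Nothing in the file says its paths are resolved inside the chroot, yet `DataDirectory /var/lib/tor` refers to `/opt/torchroot/var/lib/tor` on the host, because torchroot.sh copies this file to `$TORCHROOT/etc/tor/` and tor-hardened.sh starts Tor with `-f /etc/tor/torrc` from inside the chroot. A header comment such as `## Paths below are relative to the chroot root (/opt/torchroot on the host). Edit /opt/tor-hardened-scripts/torrc and rebuild the chroot for changes to take effect; the host's /etc/tor/torrc is not read.` would stop edits to the host torrc from being silently ignored. The `IsolateSOCKSAuth` flag on the `DNSPort` and `TransPort` lines is, as far as I know, only meaningful on SOCKS listeners and is presumably ignored there; dropping it would make the intent of those two lines clearer.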