-rw-r--r--nonprism/tor-hardened-preferences/PKGBUILD30
-rw-r--r--nonprism/tor-hardened-preferences/tor-hardened-preferences.install81
-rw-r--r--nonprism/tor-hardened-preferences/tor-hardened.service5
-rw-r--r--nonprism/tor-hardened-preferences/tor-hardened.sh23
-rw-r--r--nonprism/tor-hardened-preferences/torchroot.sh35
-rw-r--r--nonprism/tor-hardened-preferences/torrc49
6 files changed, 223 insertions, 0 deletions
diff --git a/nonprism/tor-hardened-preferences/PKGBUILD b/nonprism/tor-hardened-preferences/PKGBUILD
new file mode 100644
index 000000000..752bc9494
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/PKGBUILD
@@ -0,0 +1,30 @@
+# Maintainer: Luke R. <g4jc@openmailbox.org> GPG: rsa4096/3EAE8697
+# Contributor: André Silva <emulatorman@parabola.nu>
+
+pkgname=tor-hardened-preferences
+pkgver=0.1
+pkgrel=1
+pkgdesc="Creates clean chroot for TOR to run in, and cleans left over files when done running."
+arch=(any)
+license=(GPL3)
+depends=('tor')
+url="https://wiki.parabola.nu/Nonprism"
+install=tor-hardened-preferences.install
+source=('tor-hardened.service'
+'tor-hardened.sh'
+'torrc'
+'torchroot.sh'
+'tor-hardened-preferences.install')
+sha512sums=('2bd9ecdc089b49358e4fd1d4cddbc7e6260ab56c0c870f287bb8e4a8553111902df8222d3836046bdf011d2c02123e24cebfe1d9ca88259c7bd61e308bf68c77'
+ '26ca71558e0651858226fe475cd96456e4c9039f1954832e7a7b7011b31b67e82dadd6d033059f88dd8ed355ac9dd4568058f04482c7011d6f0ae47726c9c557'
+ '5d732ddbd96c0467434a03c1ba3aa14f5536affb1fa713a78b0d95eccefbfe4c9b6d68fefcbbf7fc9f23e5e80e4ddfb67f2047ad3bdd14a0b5bb72a9e947404e'
+ 'd767d55763ad2952e1620260fe92d3cd15383454ec7cae17432c8294bbc056ac5a91d9bf958b4a6bef4000d9bc78ca2411c6e6e48b352ec64fb33a8c0f2da98f'
+ '025b2b8ec7c74908af43b13d6dbb7fc85901b7f6e9899ab8e0cfc5f6d806d37d137378d4ef44f04e39250f874cdbe4152357e9e778a007833b779217978d49bb')
+
+package() {
+ mkdir -p ${pkgdir}/opt/tor-hardened-scripts
+ install -Dm755 tor-hardened.sh ${pkgdir}/opt/tor-hardened-scripts/tor-hardened.sh
+ install -Dm644 torrc ${pkgdir}/opt/tor-hardened-scripts/torrc
+ install -Dm755 torchroot.sh ${pkgdir}/opt/tor-hardened-scripts/torchroot.sh
+ install -Dm0644 "${srcdir}/tor-hardened.service" "${pkgdir}/usr/lib/systemd/system/tor-hardened.service"
+}
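Review bot: `${pkgdir}` is expanded unquoted in the `mkdir -p` line and the first three `install` lines of package(), while the fourth `install` line quotes it; makepkg chooses `$pkgdir` under the build directory, so a path containing a space would break the first four but not the last. Quote them consistently, e.g. `install -Dm755 tor-hardened.sh "${pkgdir}/opt/tor-hardened-scripts/tor-hardened.sh"`, and drop the `mkdir -p` since `install -D` already creates missing parent directories. A one-line comment above package() such as `# The chroot itself is not built here; the .install hooks run torchroot.sh on the target host` would help, because pkgdesc says the package "creates" a chroot while this function only stages scripts.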
diff --git a/nonprism/tor-hardened-preferences/tor-hardened-preferences.install b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
new file mode 100644
index 000000000..21c1d9f08
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened-preferences.install
@@ -0,0 +1,81 @@
+pre_install() {
+ echo "Cleaning any old chroots before installing a new one..."
+ rm -rf /opt/torchroot
+}
+
+post_install() {
+ echo "Installing a new chroot ... "
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+}
+
+post_upgrade() {
+ systemctl stop tor-hardened
+ echo "Cleaning old chroot and putting in a new one..."
+ rm -rf /opt/torchroot
+ wait
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+ echo "Done!"
+ echo "====="
+ echo "To use this service please disable tor.service"
+ echo "then enable/start tor-hardened.service via systemctl."
+ echo "----"
+ echo "You may now use stream isolated ports for added security."
+ echo "Please configure your applications as follows:"
+ echo "Default Port: 9050"
+ echo "Mail Client isolated port: 9061"
+ echo "Browser isolated port: 9150"
+ echo "Other applications you want isolated: 9062"
+ echo "----"
+ echo "To use TOR as your DNS resolver:"
+ echo "Place ONLY this line into /etc/resolv.conf:"
+ echo "nameserver 127.0.0.1"
+ echo "Apply the following firewall rules:"
+ echo "iptables -t nat -A OUTPUT -p TCP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "iptables -t nat -A OUTPUT -p UDP --dport 53 -j DNAT --to-destination 127.0.0.1:9053"
+ echo "----"
+ echo "To request new IP from TOR:"
+ echo "killall -HUP tor"
+ echo "---"
+ echo "Advanced usage, not recommended:"
+ echo "To torify ALL TCP traffic, you can use TorTransport without stream isolation:"
+ echo "iptables -t nat -A OUTPUT -p TCP -m owner ! --uid-owner tor -j DNAT --to-destination 127.0.0.1:9040"
+ echo "WARNING: UDP traffic may still leak! All traffic goes through single port. Apply additional iptables rules as you see fit."
+ echo "====="
+ systemctl daemon-reload
+}
+
+post_remove() {
+ echo "Deleting chroot..."
+ rm -rf /opt/torchroot
+ wait
+ echo "Done!"
+} \ No newline at end of file
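Review bot: The printed firewall guidance in post_install and post_upgrade only redirects port 53 and, under "Advanced usage", TCP, and the WARNING line itself admits UDP can leak, yet no fail-closed rule is ever suggested, so anything the DNAT rules do not match still leaves the host unproxied. Add the usual closing rules to both messages, e.g. `iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT`, `iptables -A OUTPUT -o lo -j ACCEPT`, `iptables -A OUTPUT -j REJECT`, so non-Tor traffic is blocked instead of merely warned about. Separately, `killall -HUP tor` makes Tor reload its configuration; as far as I recall a fresh circuit identity is the NEWNYM control signal, which needs the ControlPort that this package's torrc ships commented out, so the "request new IP" advice is misleading. The roughly thirty echo lines are duplicated verbatim between post_install and post_upgrade and belong in one shared helper, and the `wait` calls after foreground commands are no-ops.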
diff --git a/nonprism/tor-hardened-preferences/tor-hardened.service b/nonprism/tor-hardened-preferences/tor-hardened.service
new file mode 100644
index 000000000..117c0644e
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened.service
@@ -0,0 +1,5 @@
+[Service]
+User=root
+ExecStart=
+ExecStart=/usr/bin/sh -c "/opt/tor-hardened-scripts/tor-hardened.sh"
+KillSignal=SIGINT \ No newline at end of file
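Review bot: The unit has only a `[Service]` section, but the PKGBUILD installs it as a complete unit at /usr/lib/systemd/system/tor-hardened.service, so `systemctl enable tor-hardened.service` as the .install text instructs will be refused for lack of an `[Install]` section, and with no `[Unit]` ordering it may start before the network is up. The empty `ExecStart=` line is the drop-in override idiom for resetting an inherited value and does nothing in a standalone unit. Since the install notes tell the user to disable tor.service first, a `Conflicts=tor.service` makes that requirement enforceable rather than advisory.
```ini
[Unit]
Description=Tor running inside a minimal chroot (tor-hardened-preferences)
After=network.target
Conflicts=tor.service

[Service]
# … unchanged: User, ExecStart, KillSignal …

[Install]
WantedBy=multi-user.target
```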
diff --git a/nonprism/tor-hardened-preferences/tor-hardened.sh b/nonprism/tor-hardened-preferences/tor-hardened.sh
new file mode 100644
index 000000000..c9fe36795
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/tor-hardened.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+##############################################
+# Tor-Hardened Cleaner & Startup Script #
+##############################################
+# Clean left over files
+echo "Cleaning any files left over from a previous run..."
+rm /opt/torchroot/var/lib/tor/*
+# Detect old version and upgrade
+Torchroothash=$(sha256sum /opt/torchroot/usr/bin/tor | awk '{print $1}')
+Toroutsidehash=$(sha256sum /usr/bin/tor | awk '{print $1}')
+if [ "$Torchroothash" != "$Toroutsidehash" ]
+then
+ echo "New version of Tor detected! Updating chroot before running."
+ rm -rf /opt/torchroot
+ wait
+ /usr/bin/sh -c "/opt/tor-hardened-scripts/torchroot.sh"
+ wait
+fi
+
+# Start Tor inside of our chroot
+echo "Running Tor..."
+chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc \ No newline at end of file
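Review bot: The "new version" check hashes only /usr/bin/tor, but torchroot.sh also copies every shared library ldd reports into the chroot's usr/lib, and those are never re-compared, so a host security update to a library tor links against (libssl, libevent, glibc) leaves the stale copy running inside the chroot until the tor binary itself happens to change. The check should cover the same file set torchroot.sh copies, as below, keeping the script POSIX sh as its shebang requires. Prefixing the final line with `exec` would also make tor the unit's main process instead of a child of the shell. Note that `rm /opt/torchroot/var/lib/tor/*` on every start wipes the whole DataDirectory, including cached directory data; that looks intentional given the comment, but it is worth stating in the comment that Tor will re-bootstrap on each start.
```sh
# Rebuild the chroot when the tor binary OR any library it links against
# differs from the host copy: a host security update to e.g. libssl or
# libevent must not leave a stale copy running inside the chroot.
hash_of() { sha256sum "$1" 2>/dev/null | awk '{print $1}'; }
rebuild=0
[ "$(hash_of /usr/bin/tor)" = "$(hash_of /opt/torchroot/usr/bin/tor)" ] || rebuild=1
for lib in $(ldd /usr/bin/tor | awk '$3 ~ /^\// {print $3}'); do
  [ "$(hash_of "$lib")" = "$(hash_of "/opt/torchroot/usr/lib/${lib##*/}")" ] || rebuild=1
done
if [ "$rebuild" = 1 ]; then
  echo "Host tor or one of its libraries changed; rebuilding chroot before running."
  rm -rf /opt/torchroot
  /opt/tor-hardened-scripts/torchroot.sh
fi

# … unchanged: "Running Tor..." echo …
exec chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc
```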
diff --git a/nonprism/tor-hardened-preferences/torchroot.sh b/nonprism/tor-hardened-preferences/torchroot.sh
new file mode 100644
index 000000000..b8336b65b
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/torchroot.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# torchroot generate script
+export TORCHROOT=/opt/torchroot
+
+mkdir -p $TORCHROOT
+mkdir -p $TORCHROOT/etc/tor
+mkdir -p $TORCHROOT/dev
+mkdir -p $TORCHROOT/usr/bin
+mkdir -p $TORCHROOT/usr/lib
+mkdir -p $TORCHROOT/usr/share/tor
+mkdir -p $TORCHROOT/var/lib
+
+ln -s /usr/lib $TORCHROOT/lib
+# Replace this line if you want to copy your own torrc instead of the one provided by hardened script.
+cp /opt/tor-hardened-scripts/torrc $TORCHROOT/etc/tor/
+
+cp /usr/bin/tor $TORCHROOT/usr/bin/
+cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
+cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
+cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/
+cp -r /var/lib/tor $TORCHROOT/var/lib/
+chown -R tor:tor $TORCHROOT/var/lib/tor
+
+sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
+sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"
+
+mknod -m 644 $TORCHROOT/dev/random c 1 8
+mknod -m 644 $TORCHROOT/dev/urandom c 1 9
+mknod -m 666 $TORCHROOT/dev/null c 1 3
+
+if [[ "$(uname -m)" == "x86_64" ]]; then
+ cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
+ ln -sr /usr/lib64 $TORCHROOT/lib64
+ ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
+fi \ No newline at end of file
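Review bot: The script has no `set -e`, so a failed `cp` or `mknod` (missing geoip files, a library path that does not match the globs) leaves a partially built chroot behind, and tor-hardened.sh will still attempt to start Tor in it because its only check appears to be a hash of the tor binary; add `set -eu` directly under the shebang so a broken build aborts loudly in the .install hook instead. `grep ^tor /etc/passwd` and the matching group line also copy any account whose name merely begins with "tor" into the chroot's passwd; anchor them as `grep '^tor:' /etc/passwd > "$TORCHROOT/etc/passwd"` and `grep '^tor:' /etc/group > "$TORCHROOT/etc/group"`, which also removes the unnecessary `sh -c` wrapper. The last `ln -s` points `usr/lib64` at the absolute host path `/opt/torchroot/usr/lib`, which cannot resolve from inside the chroot; presumably it is unused because the `ln -sr` line already makes `/lib64` a relative link, but it should be made relative (`ln -s lib "$TORCHROOT/usr/lib64"`) or dropped — confirm by checking the loader path once inside the chroot. Every `$TORCHROOT` expansion should be quoted while you are there.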
diff --git a/nonprism/tor-hardened-preferences/torrc b/nonprism/tor-hardened-preferences/torrc
new file mode 100644
index 000000000..e0740b6f7
--- /dev/null
+++ b/nonprism/tor-hardened-preferences/torrc
@@ -0,0 +1,49 @@
+## Configuration file for an atypical Tor user
+## Based on torrc configurations provided by...
+# https://gitweb.torproject.org/tor.git/plain/src/config/torrc.sample.in
+# https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/tor/torrc
+# https://www.torproject.org/docs/tor-manual.html.en
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+DataDirectory /var/lib/tor
+
+# Stream Isolation
+## https://tails.boum.org/contribute/design/stream_isolation/
+## https://wiki.gentoo.org/wiki/Tor#Stream_isolation
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the MUA
+SocksPort 127.0.0.1:9061 IsolateDestAddr
+
+## SocksPort for misc applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+#ControlListenAddress 127.0.0.1
+
+
+
+## Torified DNS
+DNSPort 127.0.0.1:9053 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit, .onion
+#ClientDNSRejectInternalAddresses 1 (Default is already 1)
+ClientRejectInternalAddresses 1
+
+## Transparent proxy
+TransPort 127.0.0.1:9040 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+
+## Misc
+AvoidDiskWrites 1
+Sandbox 1
+ExtraInfoStatistics 0
+EnforceDistinctSubnets 1 \ No newline at end of file
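Review bot: `AutomapHostsOnResolve 1` makes the DNSPort answer .onion/.exit lookups with an address from Tor's virtual range (default VirtualAddrNetworkIPv4 127.192.0.0/10), and such an address is only reachable when that traffic is redirected to the TransPort; a client that follows the install notes (stream-isolated SocksPorts plus the DNS redirect, with the transparent-proxy rules left off as "not recommended") will therefore get connection refused on any .onion name it resolves through DNS. A comment above the line should say so, e.g. `## Automapped addresses (127.192.0.0/10 by default) are reachable only via the TransPort redirect; SOCKS clients should resolve .onion names through SOCKS instead.` As far as I can tell `IsolateSOCKSAuth` has no effect on the DNSPort and TransPort lines, since neither carries SOCKS authentication, and `ClientRejectInternalAddresses 1` and `EnforceDistinctSubnets 1` restate Tor defaults; a short comment marking them as explicit restatements would stop a reader from hunting for a reason they were changed.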