Skip to main content

Setting up a TOR Relay on Mageia6

The Onion Router (TOR) is not a server frequently run by most Linux users, especially North American users. Many countries actively persecute their citizens for their beliefs and anonymity is important for their safety, so I wanted to participate in the effort to assist this project by running a TOR relay server.

I have a dedicated computer that runs a webserver for a hobby site, so I felt that it would be the logical hardware to run the TOR server. It is important for TOR to have access to the correct and accurate time, so the NTP client needs to be installed and configured for your timezone.

Configure the NTP Server
$ xsudo drakwizard ntp
and follow the instructions here to install and configure it. You can launch X-applications over ssh using xsudo.

Install the TOR Application
$ sudo urpmi tor
This will also install the SOCKS proxy software. You may also install a GUI configuration tool, vidalia. We won't be using vidalia, so it won't be covered here.

How to Manage TOR
Vidalia is OK if we were running TOR from our desktop machine, but we want to run the TOR server on a remote machine and have it start and restart automatically and do all the configuration from the command line, like real men and women.

You will discover many ways to manage your TOR server with an Internet search, most are for Ubuntu-ish distros or are hopelessly out of date. None are for Mageia. We could ssh into the remote machine and, using the screen command, start TOR manually or even script it to start remotely from our desktop using ssh and screen or even use an rc.local method to control the server. That's great as far as that goes, but let's look at what Mageia provides and you'll see that it is surprisingly easy to accomplish.

The TOR User and Configuration
Mageia runs the server as user toruser and by default, uses the defaults-torrc at /usr/share/tor. It will look next at /etc/tor/torrc and then at ~/.tor.torrc. If they exist, it combines them and if there are conflicting entries, it last value it finds is the one it uses. The defaults-torrc file looks like this:
DataDirectory /var/lib/tor
DataDirectoryGroupReadable 1
User toruser
Log notice syslog

Note that the logs will be routed to syslog at the notice level. The TOR Project cautions you against using any more detailed (i.e. higher) logging levels because a malicious agent could glean useful identifying information about the identities of users who are trusting you to safeguard their anonymity. 

We also want TOR to keep its logs in its own logs rather than incorporate them into the systems logs. We'll accomplish this through the use of a feature included within tor. The application first reads its configuration data from /usr/share/tor/default-torrc, then from /etc/tor/torrc and the from ~/.tor/torrc. Each step will override any variable set in the previous step.

The file at /etc/tor/torrc is a fully commented file that lists all the options. Make a backup of this file and create a torrc file that contains:
RunAsDaemon 1
ORPort 9001
DirPort 9030
Nickname YourServerNickname
ContactInfo ContactName
Log notice
ExitPolicy reject *:* # no exits allowed
Configured in this way, TOR picks up the configuration from both files and combines them.

Make TOR Start at Boot
$ sudo systemctl enable tor

Open Your Firewall Ports
You will need to open the above two ports on your firewall or router as necessary. Make sure the NTP server is running (TOR will not run without it; this seems to be a common error).

Start TOR the First Time
$ sudo systemctl start tor.service

Check TOR Status
$ sudo systemctl status tor.service

Other Configuration Choices
There are, of course, more sophisticated configurations of TOR which can be explored at the Tor Project website.

How Are You Doing?
Check out your new TOR server at Relay Search.

System Security
Security for your Mageia system is very important, especially for a sever that is accessible from the Internet.

DNF-Automatic
Keep your system updated by installing dnf-automatic; read the docs there and this will keep your system updated automatically.
$ sudo dnf install dnf-automatic
Then log in as root,
# systemctl enable --now dnf-automatic-install.timer

MSEC
Overall system security for Mageia is managed by MSEC. We can set the default security permissions we require from the command line with,
$ sudo msec webserver

SSH
You must use ssh to log in to remote machines. Not only that, you should use cryptographic keys ONLY to log in. Look here for information on  configuring ssh access to use cryptographic keys instead of passwords. You need to disable password authentication as well, as directed there.

Additional Security Measures
It is also recommended you install and configure sshutout, chkrootkit and rkhunter

Notifications-Mail
It is important that you receive security notifications about what is going on. After establishing a Gmail account for your TOR server, your system needs to be configured to be able to send those notices from it using the already-installed /bin/mail MTA as described here as postfix, ssmtp and sendmail along with their complicated configuration are not needed

Notifications-UptimeIt's also important that you be notified if the TOR server is not running. A free service for this is offered from Uptime Robot. It is very simple and free to establish an account that monitors your servers uptime and notifies you if the server is not available.

UPDATE
While I was able to get the server up and running correctly, my ISP eventually blocked ports 9001 and 9030. Suggestions? 8(

Comments
Please feel free to offer comments and criticisms. I very much enjoy your feedback.

RESOURCES
The TOR Project
https://www.torproject.org/

The TOR Project Documentation
https://2019.www.torproject.org/docs/documentation.html.en

The TOR WIKI
https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

Configure Time Network Services for Mageia
https://doc.mageia.org/mcc/6/en/content/drakwizard_ntp.html

Enable rc.local service for Mageia
https://forums.mageia.org/en/viewtopic.php?f=7&t=8627

Enable rc.local with systemd
https://www.linuxbabe.com/linux-server/how-to-enable-etcrc-local-with-systemd

screen Command in Linux with Examples
https://www.geeksforgeeks.org/screen-command-in-linux-with-examples/

runuser Command
https://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/

Setting up a TOR Relay, /etc/tor/torrc
https://blog.gaborszathmari.me/setting-up-tor-relay-cryptoparty/

How to Easily Install Tor Browser in Ubuntu and Other Linux
https://itsfoss.com/install-tar-browser-linux/

Vidalia Setup for Mint/Ubuntu Linux
https://whattheserver.com/vidalia-setup-for-mintubuntu-linux/

TOR Relay Search
https://metrics.torproject.org/

DNF-Automatic Docs
https://dnf.readthedocs.io/en/latest/automatic.html

Mageia MSEC
https://wiki.mageia.org/en/Msec

SSHUTOUT
http://freshmeat.sourceforge.net/projects/sshutout

RKHUNTER
http://rkhunter.sourceforge.net/

CHKROOTKIT
http://www.chkrootkit.org/

SSH Keys
https://bosnadev.com/2015/01/23/ssh-authentication-keys-instead-passwords/

UptimeRobot
https://uptimerobot.com/dashboard#mainDashboard

Comments

Popular posts from this blog

DOS4GW.EXE Version 2.01a and Alternative DOS Extenders

DOS4GW.EXE
The TenberryDOS extender DOS4GW.EXE was used by many early DOS games. I still enjoy playing many of these games and DOS4GW.EXE is usable with DOSBox, so they can be played on Linux.

However, the version of DOS4GW.EXE that was included with the game was whatever was current at the time. The most recent version that includes many bugfixes that possibly affected the games when used with DOSBox have been fixed in the latest version, 2.01a.

It's not free at US$49, but you can downloaded it here. Simply substitute it for whatever version of DOS4GW.EXE your game provided and enjoy the bug-fixed goodness. Tenberry also makes a "high-performance" "pro" version of DOS4GW.EXE, but it costs $300. I think that they could sell quite a few of these to hobby users (since, you know, DOS is dead) for US$5.

Open Souce to the Rescue
There are better performing, free and Open Source alternatives available and worth a look.

DPMI Explained
But first, let's understand w…

Unreal Tournament GOTY/UT99 for Modern Linux

Released on November 16, 1999, Unreal Tournament (also known as UT99) is an arena first-person shooter for Multiplayer on-line competition or you cam play against bots off-line. It features several game types, with more details provided at Wikipedia. The game was re-released on February 25, 2000 as Unreal Tournament Game of the Year Edition (GOTY) which included the three bonus packs released previously and additional mods, or game modifiers that had become popular. It is the GOTY version that is available from STEAM of GOG.com.

The GOG version for Windows installs in Linux and plays well using WINE, PlayOnLinux or Codeweaver's Crossover.

There is a Linux binary available in two versions, one for the original game and one for the GOTY edition. Also provided at that site is the Official Bonus Pack with a Linux installer. All these Linux installers are created with makeself.

There are some issues using such a crusty old Linux binary. Let's see why getting a Linux binary up and …

Unpack those .EXE game files from GOG,com (Plus other un-packers)

I just came upon innoextract today. I have many of the wonderful games from GOG.com, some of which have native Linux Clients. Before now, I've had to use PlayOnLinux or Crossover to install these for use with WINE, then add the Linux client.

InnoSetup as a way to create an installer to install the games on Windows. Daniel Scharrer has created innoextract to allow the unpacking of those archives on a non-Windows platform.

The website provides information on using innoextract, but this information from the page is very useful:
GOG.com Installers GOG.com installers with a 2.x.x version number on the download page or in the filename use InnoSetup 5.5.0 and cannot be extracted by innoextract 1.2 and older. Older installers use InnoSetup 5.2.3 and usually have no version in the filename. Some GOG.com multi-part installers with version 2.1.x or higher use RAR archives (renamed to .bin) to store the game data. These files are not part of the InnoSetup installer and require unrar or unar to…