Tor

Tor is an internet anonymity system.

Emerge
Install

To start immediately

To start at boot

Emerge Messages
* Messages for package net-misc/tor-0.2.3.25:

* We created a configuration file for tor, /etc/tor/torrc, but you can * change it according to your needs. Use the torrc.sample that is in * that directory as a guide. Also, to have privoxy work with tor * just add the following line * * forward-socks4a / localhost:9050. * * to /etc/privoxy/config. Notice the. at the end!

Firefox
Edit > Preferences

Advanced > Network > Settings manual proxy configuration: http proxy          port: 0 ssl proxy           port: 0 ftp proxy           port: 0 socks host 127.0.0.1 port: 9050

Go to about:config and set the following:

network.proxy.socks_remote_dns   true network.dns.disablePrefetch      true network.dns.disableIPv6          true

This way Firefox will resolve host names via tor, thus preventing DNS leaks.

xombrero
Edit .xombrero.conf and add there the following lines:

browser_mode			=	whitelist http_proxy			=	socks5://127.0.0.1:9050 http_proxy_starts_enabled	=	1 home				=	https://check.torproject.org keybinding			=	tabnew,F2 work_dir			=	/tmp/.xombrero download_dir			=	/tmp/downloads
 * 1) Browser mode, MUST be the first entry in this file
 * 1) Proxy settings
 * 1) Homepage
 * 1) Disable F2 so as not to toggle proxy settings by accident
 * 1) Work directory (mount /tmp as tmpfs)
 * 1) Download directory

Optionally, it is possible to set different user_agent and http_accept strings. There are two files with user_agent string and http_accept headers in xombrero source code folder: user-agent-headers and http-accept-headers. These strings can be easily selected and added to the .xombrero.conf file with the following commands:

Dns
Some applications may leak DNS requests. The easiest way to check if this really happens is to look at system logs.

If an application is configured correctly, nothing shows in the logs. Below is an example of a message for a misconfigured application (or for a webpage that stores links in form of IP addresses):

Oct 14 14:44:44 localhost Tor[666]: Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.

In order to check how this works, one needs to give an application an IP address instead of a domain name, retrieved by running the tor-resolve command for example.

Disabling non-Tor traffic
The following iptables rules will prevent non-Tor traffic leaving the host and disable all new connections from outside in case if the host must be configured as a Tor client:

Torify
emerge -av net-proxy/torsocks For applications which do not support the use of proxies or Tor, you can use the "torify" command to force their traffic through the Tor network. (e.g. - torify irssi -c irc.afraidirc.net or torify irssi -c mqctemuqfc3tp5ji.onion).

Tor Minimal Configuration
The following is a minimal configuration of Tor which will get your Tor service up and running.

Just create your /etc/tor/torrc file with the following information.

User tor PIDFile /var/run/tor/tor.pid Log notice syslog DataDirectory /var/lib/tor/data

Stream Isolation
Accessing a site of a small town where you are the only one user of Tor would greatly increase attacker's chances to find you. Other examples include mixing gpg traffic with the traffic of a web browser or mixing irssi circuits with the circuits of a bitcoin wallet. In all cases an exit node can make correlation between separate activities. So, sometimes it's necessary to have a few different anonymity modes. Stream isolation provides an easy way to separate different Tor circuits and make different applications use isolated streams. In order to use stream isolation, add as many socks ports as necessary in torrc.

Configure the applications to point to different socks ports. All requests made to different socks ports will then pass through different Tor circuits and get different exit nodes. Sometimes Tor will only use a different entry guard or middle relay, though. This behavior is considered normal.

Setting up a Hidden Service
Setting up a tor hidden service is easy.

All you need to do is add 2 lines to your /etc/tor/torrc configuration file, and make sure your permissions are correct for the data directory.

HiddenServiceDir /tor/hiddenservice HiddenServicePort 80 127.0.0.1:80

The first line tells Tor to insert the public&private keys into the directory specified.

The next line tells Tor to direct traffic on hidden service port 80 to the IP & port specified.

You will need to make sure that the directory is owned and only readable/writable by tor, for example:

chown tor /tor/hiddenservice -R && chmod u+rw,g-rw,o-rw /tor/hiddenservice -R

Simple command line file downloading
You can download almost any resource located at a given URL and save it in a FILE using the following:

curl --socks5-hostname 127.0.0.1:9050 -o FILE URL

The --socks5-hostname means that hostnames are resolved via tor instead of your system's DNS resolution, thus preventing DNS leaks.

Portage
You can configure Portage to sync its tree and fetch packages via tor. Add the following to /etc/portage/make.conf:

FETCHCOMMAND="curl --socks5-hostname 127.0.0.1:9050 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\"" RESUMECOMMAND="curl --socks5-hostname 127.0.0.1:9050 -o \"\${DISTDIR}/\${FILE}\" \"\${URI}\""

All the extra quoting is necessary. Have a look at man curl for more customization options.

Check If Using Tor
https://check.torproject.org/