6. Tor and security
6.1. Common configuration
Click the start button in the Xubuntu menu bar and start Accessories -> Terminal Emulator
In the terminal window, enter this line and enter your user password when prompted:
sudo gedit /etc/tor/torrc
In the new text editor window, scroll down to the bottom of the text, add a new line and paste these lines:
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
6.2. Exit nodes
6.2.1 (Optional) Define allowed exit node countries
Many people don't recommend this option, because it may make you less anonymous, but I prefer to have my exit nodes in countries which are not part of the NSA's PRISM program.
If you don't set any exit nodes yourself, then Tor will randomly choose exit nodes for you. As there is a huge amount of exit nodes running in the USA and other PRISM partner countries,
you will often use exit nodes which can be sniffed by the NSA. However, as many websites are in the USA and PRISM partner countries, this is no ultimate protection against getting sniffed by the NSA.
This step may reduce anonymity significantly, because there is only a limited amount of exit nodes in those countries. If you want to block servers in certain countries from becoming your exit node, you may want to have a look at step 6.2.2. instead.
By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes in Asia, South Africa and Russia:
You can find a list of more country codes here (these are not always the same as internet top level domains)
Note that not all countries have a large amount of ExitNodes, and that it's better if Tor has more than 20 ExitNodes to choose from. Most ExitNodes in this example will most likely be slow, except the ones in China (probably run by their secret service) and Russia. South Korea and Japan also has a lot of ExitNodes, but they may be too friendly with the NSA, so they haven't been added to the list.
6.2.2. (Optional) Define blocked exit nodes
Instead of using the above option it's possible to simply avoid exit nodes in certain countries.
By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes outside of first class PRISM partner countries:
6.3. (Optional) Define entry node countries
If there are enough Tor relays in your country, you should only use EntryNodes in your country. If you are in the USA, add this line to the end of /etc/tor/torrc:
If you are not from the USA, check the above list of country codes to find out which code your country uses. These are not internet top level domains.
If you want to use specific trusted EntryNodes in your country, e.g. because you always want to have a fast entry node with large bandwidth, then you can specify those by using fingerprints.
In this case You should at least add 3 EntryNodes then, better more.
manning2.torservers.net, bolobolo1.torservers.net and manning1.torservers.net are among the fastest EntryNodes in the USA (and the world) right now, so you may want to use them, if you live in the USA.
Instead of using the above EntryNodes example, you'd have to use something like this:
A configuration like this is recommended, if you don't use bridges.
To get more fingerprints of servers, go to http://torstatus.blutmagie.de/
and click on the servernames. Copy the fingerpint line and add a $ in front of each fingerprint. Seperate individual fingerprints in the config with commas. Remove spaces in the fingerprints. You should use at least 3-10 fingerprints as entry nodes.
6.4. (Optional) Tor bridges
Instead of using public EntryNodes you may want to use Tor bridges, but this may not help against NSA sniffing. They may know the bridges from https://bridges.torproject.org/
anyway. To have a very secret bridge you'd have to use hidden bridges run by your friends. As with the EntryNodes, you should use at least 5-10 bridges.
To use bridges you'd have to add the line
to the end of your /etc/tor/torrc. To get a list of bridges, go to https://bridges.torproject.org/bridges
and copy the list of IP addresses it shows you. Paste the addresses at the end of your /etc/tor/torrc text file and add "Bridge " (note the space) before each IP address.
This will however not show you only bridges from your country, but from random countries. When you connect to a bridge in another country, then it is more likely that one or more secret services sniff your traffic. This would allow them to do time/size correlation when you browse clearnet websites.
It may be best if you skip the Tor bridges part and only use the EntryNodes part of this tutorial, unless you know how to find out in which countries those bridges are hosted. If you do use bridges, then the EntryNodes line will be ignored by Tor.
Once you're done with the Tor configuration text file, save it and close the text editor.
6.5. Privoxy and Polipo configuration
Back in the terminal type "sudo gedit /etc/privoxy/config"
At the end of the text file insert a new line and paste this line:
forward-socks5 / 127.0.0.1:9102 .
Save the text and exit the editor.
In the terminaltype "sudo gedit /etc/polipo/config" and paste the following lines at the end of the text file:
proxyAddress = "127.0.0.1"
socksParentProxy = "127.0.0.1:9101"
socksProxyType = socks5
Save the text and exit the editor, then enter "sudo reboot" in the terminal to reboot Ubuntu before proceeding to the next step.
We didn't install Vidalia, which we could easily do by using the Ubuntu Software Center. However for some reason this is not recommended by the Whonix developers.
Instead we will use "arm" to get a new Tor identity.
Click on the desktop background with your right mousebutton and select "Create Launcher"
Enter a Name, e.g. "Arm"
Check "Run in terminal"
Optionally click the "No icon" button and choose some fancy icon
In the "Command" text box, paste this line:
sudo -u debian-tor arm
Click the "Create" button
A new icon should now appear on your desktop. It will be explained later in this tutorial how to use it.
6.7. Time synching
Tor needs the correct date and time to function properly, and we need to avoid getting fingerprinted because our computer sends the local time of our virtual machine to some website or server.
Therefor we need to turn off time synching in VirtualBox and make our virtual machine fetch the correct time from the internet in a stealthy way.
First we need to get the latest version of tlsdate, a . For our installation of Xubuntu 12.04 we can't use the version from the Ubuntu servers, so we need to get the version for Debian/jessie instead.
Go to http://packages.debian.org/jessie/tlsdate
and scroll down and click the amd64 version if you are using a 64bit CPU or the i386 version if you are using a 32bit CPU.
Choose any mirror to download it to your Downloads folder.
Start the Terminal Emulator and paste the following lines:
sudo dpkg -i tlsdate*
Enter your user password when prompted. Once the installation is done, enter "sudo gedit /etc/tlsdate/tlsdated.conf"
Change the value of "should-sync-hwclock" to "no"
Change the value of "jitter" to "1800"
Change the value of "min-steady-state-interval" to "60"
Change the value of "steady-state-interval" to "3600"
Change the value of "subprocess-wait-between-tries" to "10"
Change the value of "proxy none" to "proxy socks5://127.0.0.1:9100
Save the text file and exit the editor.
6.7.2. Restart tlsdate through NetworkManager
When using virtual machine snapshots instead of booting the machine normally, tlsdate may not synchronize the time.
Open the Terminal Emulator and enter
sudo gedit /etc/NetworkManager/dispatcher.d/10tlsdate
In the text editor paste these lines:
case "$2" in
Save and exit the text editor, then enter
sudo chmod +x /etc/NetworkManager/dispatcher.d/10tlsdate
6.7.3. Disabling vboxadd-service
In the terminal enter
sudo gedit /etc/rc.local
In the text editor, before the line "exit 0" add
service vboxadd-service stop
In the terminal, type "sudo halt" to shutdown the virtual machine.
6.7.4. VirtualBox advanced configuration
Once the virtual machine is shutdown, close all VirtualBox windows on your Windows desktop.
To hide our hardware identifications from the OS and to disable time synching we have to make a few change to a XML file.
Open your USB stick folder on the Windows desktop, find and open the file "Ubuntu 2017.vbox" (or whatever you called your virtual machine) in a text editor.
Note that for this step to succeed there must be no VirtualBox snapshots present, or the values may get reverted later. Before doing this you have to delete the snapshots.
Find the section and add the following lines to it:
Find the section and change the TimeOffset value from 0 to something random between -60000 and +60000. Example:
Find the section and add
If it's not already enabled, change to "true"
Find the section and change the first section to
Change the section below to
Save the text file and exit the editor.
When this step is complete, boot the virtual machine again and proceed to the Firefox/Tor Browser installation.
You may want to load the .vbox configuration file into the text editor again to see if the values you changed are still in place. If they are not, this may lead to deanonymization or worse.
When starting the virtual machine in future, make sure that the time is actually synchronized with the UTC timezone and doesn't lag behind UTC significantly before making connections through Tor.
If your time is not synchronized with UTC you can be fingerprinted under certain circumstances ("oh look it's the Tor with the wrong clock again").
Sometimes tlsdate may not synchronize the time properly after restoring a snapshot (this may take a minute), then you should reboot the virtual machine.
For more information about the previous steps see http://zo7fksnun4b4v4jv.onion/wiki/Prot ... Protection
6.8. Hardening Ubuntu
To make Ubuntu a little more secure we install some security packages.
Open the Terminal Emulator and enter this line and enter Y to all questions
sudo apt-get install tiger harden-servers harden-clients
For more informations about these and additional hardening packages see http://www.debian.org/doc/manuals/secur ... en.en.html