Re: Tor on the OLPC: Working as a server!
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Tor on the OLPC: Working as a server!
- From: "Wilfred L. Guerin" <wilfredguerin@xxxxxxxxx>
- Date: Sat, 15 Mar 2008 01:01:36 +0700
- In-reply-to: <47DA2710.1040807@xxxxxxxxxxxxx>
- References: <47DA2710.1040807@xxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
Confirmed Dec 2007 unit with Jan (*91) update with the following errors:
Also need to configure for school server and tunneling; the OLPCs are
excessively vulnerable and should use Tor to offload school networks
rather than risk MITM ISPs. Also the MESH capability needs to be
optimized; the dual-head radios are not used correctly with the
offloading chip and may not need to buffer content through the CPU, just
headers.
su * disallowed in new terminal (null pw doesn't work), but in the
graphical term the new icon top right is "Become root".
Rest of sequence is fine;
mkdir not needed, rpm succeeded, not using firewall, please confirm
"StickFigure" operational.
Appears Tor is blocked by the 802.11 AP .. advise.
On 3/14/08, Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote:
> I purchased an OLPC from "the buy one get one" program last year. After
> waiting nearly 5 months, FedEx brought it!
>
> I used the terminal program and ran `su -` before running the commands
> below.
> Anyone attempting this could also use ssh to login to the machine.
> Set a password for the olpc user first.
> I highly suggest firewalling the olpc, it runs many things as root!
> It's just waiting for all the world to contact it.
>
> -bash-3.2# cat /etc/redhat-release
> Fedora release 7 (Moonshine)
>
> -bash-3.2# uname -a
> Linux xo-10-DA-61.localdomain 2.6.22-20071121.7.olpc.af3dd731d18bc39 #1
> PREEMPT Wed Nov 21 00:39:06 EST 2007 i586 i586 i386 GNU/Linux
>
> -bash-3.2# cat /proc/cpuinfo
> processor : 0
> vendor_id : AuthenticAMD
> cpu family : 5
> model : 10
> model name : Geode(TM) Integrated Processor by AMD PCS
> stepping : 2
> cpu MHz : 430.936
> cache size : 128 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 1
> wp : yes
> flags : fpu de pse tsc msr cx8 sep pge cmov clflush mmx mmxext
> 3dnowext 3dnow
> bogomips : 862.97
> clflush size : 32
>
> -bash-3.2# free
> total used free shared buffers cached
> Mem: 237848 184084 53764 0 0 58268
> -/+ buffers/cache: 125816 112032
> Swap: 0 0 0
>
> I would install a few utilities on the OLPC before moving forward:
> -bash-3.2# yum install gnupg lsof
>
> You'll need to find the proper libevent rpm to make Tor install. Search
> here:
> http://rpmfind.net/linux/rpm2html/search.php?query=libevent
>
> I chose to use libevent-1.3b-1.fc7.i386.rpm
> You can read about that version of the RPM here:
> http://rpmfind.net//linux/RPM/fedora/8/i386/libevent-1.3b-1.fc7.i386.html
>
> When you've decided that it's the one for you, download the libevent RPM:
> -bash-3.2# wget
> ftp://rpmfind.net/linux/fedora/releases/8/Everything/i386/os/Packages/libevent-1.3b-1.fc7.i386.rpm
>
> Then you'll want to download Tor and verify the signature of the Tor RPM:
> -bash-3.2# wget
> https://www.torproject.org/dist/rpm/tor-0.1.2.19-tor.0.fc7.i386.rpm
> -bash-3.2# wget
> https://www.torproject.org/dist/rpm/tor-0.1.2.19-tor.0.fc7.i386.rpm.asc
>
> You'll need the key for the package signature:
> -bash-3.2# gpg --keyserver subkeys.pgp.net --search-keys 0x31B0974B
> -bash-3.2# gpg --fingerprint 0x31B0974B
>
> You should see the following (If you do not see the right fingerprint,
> stop!):
> pub 1024D/31B0974B 2003-07-17
> Key fingerprint = 0295 9AA7 190A B9E9 027E 0736 3B9D 093F 31B0 974B
>
> Now verify the RPM:
> -bash-3.2# gpg --verify tor-0.1.2.19-tor.0.fc7.i386.rpm.asc
> gpg: Signature made Fri Jan 18 22:35:11 2008 EST using DSA key ID 31B0974B
> gpg: Good signature from "Andrew Lewman (phobos) <phobos@xxxxxxxxxx>"
>
> If the above doesn't make sense, please read this wiki page about
> signatures:
> https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures
>
> Now you'll want to install the two RPMs:
> -bash-3.2# rpm -i libevent-1.3b-1.fc7.i386.rpm
> -bash-3.2# rpm -i tor-0.1.2.19-tor.0.fc7.i386.rpm
>
> Now you'll want to make up for the fact that the RPM doesn't create two
> directories:
> -bash-3.2# mkdir /var/log/tor/
> -bash-3.2# mkdir /var/lib/tor/
>
> You'll want to make a very basic config:
> cat << 'EOF' > /etc/tor/torrc
> SocksPort 9050 # what port to open for local application connections
> SocksListenAddress 127.0.0.1 # accept connections only from localhost
> Log notice file /var/log/tor/notices.log
> Nickname olpc
> ORPort 443
> ORListenAddress 0.0.0.0:9001
> DirPort 80 # what port to advertise for directory connections
> DirListenAddress 0.0.0.0:9030
> ExitPolicy reject *:* # no exits allowed
> EOF
>
> I also suggest the firewall advice from the wiki before starting Tor:
> cat << 'EOF' > tor-redirect.sh
> #!/bin/bash -x
> IP=YOURIPGOESHERE
> iptables -t nat -A PREROUTING -p tcp -d $IP --dport 443 \
> -j DNAT --to-destination $IP:9001;
>
> iptables -t nat -A PREROUTING -p tcp -d $IP --dport 80 \
> -j DNAT --to-destination $IP:9030;
> EOF
>
> Now insert those rules into the firewall:
> -bash-3.2# chmod +x tor-redirect.sh
> -bash-3.2# ./tor-redirect.sh
>
> Now you can start Tor like so:
> -bash-3.2# /etc/init.d/tor start
>
> You should see some nice messages in /var/log/tor/tor.log that look like
> the following:
> Mar 14 00:54:53.205 [notice] Tor 0.1.2.19 opening log file.
> Mar 14 00:54:55.640 [notice] Your Tor server's identity key fingerprint
> is 'olpc B286 353F 0BE3 8D25 CB50 00BE A2D5 B006 A8E4 DEB4'
> Mar 14 00:55:24.368 [notice] We now have enough directory information to
> build circuits.
> Mar 14 00:55:30.571 [notice] Tor has successfully opened a circuit.
> Looks like client functionality is working.
> Mar 14 00:55:30.571 [notice] Now checking whether ORPort 1.2.3.4:443 and
> DirPort 1.2.3.4:80 are reachable... (this may take up to 20 minutes --
> look for log messages indicating success)
> Mar 14 00:55:39.899 [notice] Self-testing indicates your DirPort is
> reachable from the outside. Excellent.
> Mar 14 00:56:10.790 [notice] Self-testing indicates your ORPort is
> reachable from the outside. Excellent. Publishing server descriptor.
> Mar 14 00:56:25.685 [notice] Performing bandwidth self-test...done.
>
> Furthermore, lsof should show Tor:
> -bash-3.2# lsof -ni|grep tor
> tor 3224 _tor 7u IPv4 73211 TCP *:etlservicemgr (LISTEN)
> tor 3224 _tor 8u IPv4 73212 TCP *:9030 (LISTEN)
> tor 3224 _tor 9u IPv4 73213 TCP 127.0.0.1:9050 (LISTEN)
>
> I hacked up a little bash script[0] (based on Weasel's zsh dotfile) to
> test that I could reach it from the outside and it seemed to be
> registering itself with the directory authorities just fine:
> ./sd olpc
> router olpc 1.2.3.4 443 0 80
> platform Tor 0.1.2.19 on Linux i586
> published 2008-03-14 07:50:42
> opt fingerprint B286 353F 0BE3 8D25 CB50 00BE A2D5 B006 A8E4 DEB4
> uptime 28
> bandwidth 3145728 6291456 0
> onion-key
> -----BEGIN RSA PUBLIC KEY-----
> MIGJAoGBAMCMsWTN44Bhe7ZpfiHg6q5OLxVqKGdno/hG4zBHReEnNbsmgequLQBK
> 6xxlCyf5XuriTaCduhatV2TSBT2l0VlqN41KskrT6MtqCwbcSwwxjBpNNG3oHBaQ
> 94rl0Y8K4yO2oGdxEoPWOBH/rCompy7oU2CtH5kxCfP2dCiQlRv9AgMBAAE=
> -----END RSA PUBLIC KEY-----
> signing-key
> -----BEGIN RSA PUBLIC KEY-----
> MIGJAoGBAJaBLJfwJROa1X11yOnOFIjIhJIZtht5/bjL9CwGWlSrnr8ftQ3sRfFI
> WUESBv9JXPNyRghyOpEB0MKNXybc8zc0BfQBrzpNCEBHP/O/hwKcYmXupkvkJFEY
> MPuaqxbX0D9n5LT39gVHBvU467NHXsVq72VIFxDB1ARvRsZxi1aDAgMBAAE=
> -----END RSA PUBLIC KEY-----
> opt write-history 2008-03-14 07:48:57 (900 s)
> 149504,7168,8192,0,13312,0,14336,0,23552,2048,18432,4096,13312,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> opt read-history 2008-03-14 07:48:57 (900 s)
> 2629632,3072,191488,0,196608,0,206848,0,335872,2048,224256,2048,263168,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> reject *:*
> router-signature
> -----BEGIN SIGNATURE-----
> JXCuqec8OIA33pxJYTh44TwBhaxaA8HNVoxVg4F/zTW1AXzvkeXtKk2iaCe0DEmY
> W4jTovOFLYLka4hCl5ZTtSez8FnoeRq2bWYRz/NoSkDLRAqJ3Js/9aJDxNSj345f
> Nyr58l63m2eRtzlpBamgAXuZL49tRJmK9Uqfk1Yq0NY=
> -----END SIGNATURE-----
>
> Enjoy!
>
> Regards,
> Jacob Appelbaum
>
> [0] https://tor-svn.freehaven.net/svn/tor/trunk/contrib/sd
>
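The torrc above advertises ORPort 443 and DirPort 80 while Tor actually listens on 9001 and 9030, so the relay is only reachable if the DNAT rules in tor-redirect.sh forward exactly those pairs; a mismatch leaves the self-test in the log failing silently for up to 20 minutes. The following check is an added example, not part of Jacob's post or of Tor itself: it parses the quoted torrc and redirect script (copied in as constructed sample text) and reports any advertised port that is neither listened on nor redirected, plus an exit policy other than `reject *:*`.

```python
import re

# torrc and redirect script as quoted in the post (constructed copies for
# this check; the IP placeholder is left exactly as in the original).
TORRC = """\
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
Log notice file /var/log/tor/notices.log
Nickname olpc
ORPort 443
ORListenAddress 0.0.0.0:9001
DirPort 80 # what port to advertise for directory connections
DirListenAddress 0.0.0.0:9030
ExitPolicy reject *:* # no exits allowed
"""
REDIRECT_SH = r"""#!/bin/bash -x
IP=YOURIPGOESHERE
iptables -t nat -A PREROUTING -p tcp -d $IP --dport 443 \
-j DNAT --to-destination $IP:9001;

iptables -t nat -A PREROUTING -p tcp -d $IP --dport 80 \
-j DNAT --to-destination $IP:9030;
"""

def parse_torrc(text):
    """Map option name -> value, dropping '#' comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            cfg[key] = val.strip()
    return cfg

def parse_dnat_rules(text):
    """Map incoming --dport -> --to-destination port for each DNAT rule."""
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    pat = r"--dport\s+(\d+)\s.*?--to-destination\s+\S+:(\d+)"
    return {int(a): int(b) for a, b in re.findall(pat, joined)}

def check_relay_ports(torrc_text, redirect_text):
    """Return a list of misconfigurations (empty list means consistent)."""
    cfg, dnat = parse_torrc(torrc_text), parse_dnat_rules(redirect_text)
    problems = []
    for adv_key, listen_key in (("ORPort", "ORListenAddress"),
                                ("DirPort", "DirListenAddress")):
        advertised = int(cfg[adv_key])
        listening = int(cfg[listen_key].rsplit(":", 1)[1])
        # Reachable only if Tor listens on the advertised port itself, or a
        # DNAT rule forwards the advertised port to the listening port.
        if advertised != listening and dnat.get(advertised) != listening:
            problems.append(f"{adv_key} {advertised} is advertised but not "
                            f"redirected to listen port {listening}")
    if cfg.get("ExitPolicy", "").replace(" ", "") != "reject*:*":
        problems.append("ExitPolicy is not 'reject *:*' (relay would exit)")
    return problems
```

Run `check_relay_ports(TORRC, REDIRECT_SH)` on the quoted files and it returns an empty list; change one `--to-destination` port and the offending advertised port is named.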