Slicehost: Setting up a Tor relay on Fedora to help keep Iran connected #IranElection

As many of you know, most of the information from within Iran is coming from on-the-ground new-media and social networking sites such as Twitter, YouTube, and Facebook. This is happening despite crackdowns on communications networks by the Iranian government. The way this information is able to escape the firewalls of Iran is via proxies which relay and “hide” the destination of the communications so that it becomes difficult to block. This allows those on the ground in Iran to communicate with the world instantly and effectively, without fear of government crackdown. But it is a constant arms race. As soon as a relay becomes known to the Iranian government it gets shut down. The only way to keep the lines of communication open is to strengthen the distributed Tor network by adding more relays and bridges, making it more difficult for the Iranian government to block them all.

There have already been great write-ups on how you can contribute to the distributed proxy network Tor:
http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/
http://smokingfish.blogspot.com/2009/06/brief-introduction-to-tor-and-why-its.html

Please read over those documents for an overview. I wanted to provide detailed instructions on how to get a Tor network set up quickly, easily, and cheaply for those of you who would like to contribute. You can provide invaluable assistance to the people of Iran for as little as 15 minutes of your time and $20/month.

First off, this document assumes you have some system administration knowledge with Linux (Fedora) and are comfortable installing and configuring packages from the command line. If that’s you, you can have a Tor relay up and running in about 15 minutes.

Key:
Shell commands are in purple
Config file settings are in blue

  1. Register at Slicehost

    Slicehost is a VPS provider that allows you to quickly build/deploy webservers very cheaply. Sign up here and purchase the cheapest $20 slice to get started. Pick Fedora 10 as your Linux Distribution. Do not pick Fedora 11, as it is incompatible with the current version of Tor. Once you are registered, Slicehost will email you your IP and root password. It can take a few minutes to build your new slice, so be patient.

  2. Slice Security

    Log in to your new slice. Please note that this document covers the bare minimum of commands to get Tor up and running. You should follow due diligence when it comes to securing your new slice, something which is outside the scope of this document. Common practice security configurations are recommended. Security is your own responsibility, and I will not be held liable for any security issues with your slice. There are a few bare-minimum security things you should do to your slice:

    Change the root password:
        passwd root

    Create your own account & set password:
        adduser yourusername
        passwd yourusername

    Disable root login to ssh
        vim /etc/ssh/sshd_config
        Change to this: PermitRootLogin no
        service sshd restart

    These steps are the BARE MINIMUM you should do to secure your slice.

  3. Update Your System

    yum -y update

  4. Install Prerequisites

    yum install wget vim-enhanced gcc make libevent libevent-devel openssl openssl-devel zlib zlib-devel rpm-build

  5. Download Tor & Signature


    wget https://www.torproject.org/dist/rpm/tor-0.2.1.16.rc-tor.0.fc10.src.rpm
    wget https://www.torproject.org/dist/rpm/tor-0.2.1.16.rc-tor.0.fc10.src.rpm.asc

  6. Verify Packages

    Follow directions at http://www.torproject.org/verifying-signatures.html.en to verify that you have an authentic RPM and not a fake.

  7. Build & Install Tor


    rpmbuild --rebuild tor-0.2.1.16.rc-tor.0.fc10.src.rpm
    rpm -i rpmbuild/RPMS/x86_64/tor-0.2.1.16.rc-tor.0.fc10.x86_64.rpm

  8. Configure Tor

    vim /etc/tor/torrc

    Change the following settings, substituting your own values for Nickname and Address:

    DataDirectory /var/lib/tor
    ORPort 9001
    DirPort 9030
    Nickname YOUR_NICKNAME
    Address YOUR.IP.ADDRESS.XX

    Save & Exit

  9. Set Bandwidth Limits for Tor

    These settings are largely dependent on which slice you have purchased. The ones you see below are for a 20GB slice, and they allow 2GB of transfer per day, so you should be well within the 20GB slice limit of 100GB/month. If you have purchased a larger slice, these settings can be increased accordingly. Be careful here: incorrect settings can push you over your monthly bandwidth limit very quickly! I did over 12GB of transfer in a little over 8 hours before limiting bandwidth with these settings.

    vim /etc/tor/torrc

    RelayBandwidthRate 64 KBytes
    RelayBandwidthBurst 128 KBytes
    AccountingStart day 12:00
    AccountingMax 2 GB

    Save & Exit. The AccountingStart and AccountingMax settings cap transfer at 2GB per day, with the counter resetting at 12:00 every day. The RelayBandwidthRate and RelayBandwidthBurst settings throttle the bandwidth so that you don’t reach AccountingMax after only a few hours. Normally AccountingStart and AccountingMax would be enough to stay within your bandwidth limits, but I want my relay to be available all day rather than reaching AccountingMax and shutting down after a few hours.
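    Added example, not from the post: a small POSIX shell check, run against the step 9 values, that converts Tor's unit suffixes to bytes and works out how long a relay saturating RelayBandwidthRate takes to reach AccountingMax, and what rate would spread the cap over the whole accounting day instead. It assumes Tor's binary units (KBytes = 1024 bytes) and that the counted direction runs flat out; the torrc fragment is embedded as a constructed sample.

```shell
# Constructed torrc fragment: the bandwidth settings from step 9 of the post
TORRC_BW='RelayBandwidthRate 64 KBytes
RelayBandwidthBurst 128 KBytes
AccountingStart day 12:00
AccountingMax 2 GB'

# torrc_value KEY -> "NUMBER UNIT" from the first line starting with KEY
torrc_value() {
  printf '%s\n' "$TORRC_BW" | awk -v k="$1" '$1 == k { print $2, $3; exit }'
}

# to_bytes NUMBER UNIT -> bytes, assuming Tor's binary units (KBytes = 1024)
to_bytes() {
  case $2 in
    ''|bytes)  mult=1 ;;
    KB|KBytes) mult=1024 ;;
    MB|MBytes) mult=$((1024 * 1024)) ;;
    GB|GBytes) mult=$((1024 * 1024 * 1024)) ;;
    *) echo "unknown unit: $2" >&2; return 1 ;;
  esac
  echo $(( $1 * mult ))
}

# seconds_to_cap -> seconds until a relay that saturates RelayBandwidthRate
# hits AccountingMax (assumes the counted direction runs flat out)
seconds_to_cap() {
  rate=$(to_bytes $(torrc_value RelayBandwidthRate))
  cap=$(to_bytes $(torrc_value AccountingMax))
  echo $(( cap / rate ))
}

# rate_for_full_day -> bytes/s that would spread AccountingMax evenly over
# the 24-hour accounting period instead of hibernating part way through it
rate_for_full_day() {
  cap=$(to_bytes $(torrc_value AccountingMax))
  echo $(( cap / 86400 ))
}

# With the post's values: 2 GB at 64 KBytes/s lasts 32768 s, about 9.1 hours
secs=$(seconds_to_cap)
full=$(rate_for_full_day)
printf 'AccountingMax reached after %d s (%d.%d h at full rate)\n' \
  "$secs" $(( secs / 3600 )) $(( secs % 3600 * 10 / 3600 ))
printf 'rate to last the whole day: %d bytes/s (about %d KBytes/s)\n' \
  "$full" $(( full / 1024 ))
```

    The run shows that at a sustained 64 KBytes/s the 2 GB cap is exhausted in roughly nine hours, so AccountingMax, not the rate limit, decides when the relay hibernates.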

  10. Configure Your Firewall

    iptables-save > /etc/sysconfig/iptables.default
    iptables-save > /etc/sysconfig/iptables.test
    vim /etc/sysconfig/iptables.test

    Insert the following settings:

    # tor ORPort & DirPort
    -A INPUT -p tcp --dport 9001 -j ACCEPT
    -A INPUT -p tcp --dport 9030 -j ACCEPT

    # tor Allow all outbound traffic
    -A OUTPUT -j ACCEPT

    Save & Exit.

    iptables-restore < /etc/sysconfig/iptables.test
    iptables -L
    (verify the rules are correct)
    iptables-save > /etc/sysconfig/iptables

  11. Increase the number of open file descriptors

    vim /etc/security/limits.conf

    Add this line:

    _tor hard nofile 32768

    Save & Exit

  12. Start up the Tor Service

    service tor start

  13. If everything starts correctly, you should see output like this:
    Starting tor: Jun 21 15:44:04.219 [notice] Tor v0.2.1.15-rc. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
    Jun 21 15:44:04.219 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
    Jun 21 15:44:04.223 [notice] Initialized libevent version 1.4.5-stable using method epoll. Good.
    Jun 21 15:44:04.223 [notice] Opening OR listener on 0.0.0.0:9001
    Jun 21 15:44:04.223 [notice] Opening Directory listener on 0.0.0.0:9030
    Jun 21 15:44:04.223 [notice] Opening Socks listener on 127.0.0.1:9050
    /usr/bin/torctl start: tor started [ OK ]

    Also, you should view tor.log and verify that you see the following (after about 20 minutes):

    cat /var/log/tor/tor.log

    Jun 21 15:44:13.835 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    Jun 21 15:44:13.835 [notice] Bootstrapped 100%: Done.
    Jun 21 15:44:13.835 [notice] Now checking whether ORPort XXX.XXX.XXX.XXX:9001 and DirPort XXX.XXX.XXX.XXX:9030 are reachable.. (this may take up to 20 minutes -- look for log messages indicating success)
    Jun 21 15:44:18.492 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
    Jun 21 15:44:18.492 [notice] Not advertising DirPort (Reason: AccountingMax enabled)
    Jun 21 15:44:26.804 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
    Jun 21 15:44:43.813 [notice] Performing bandwidth self-test.. done.

    If you see some errors or it doesn’t start correctly, post in the comments and I’ll see if I can help you out. Here are some references to help you get it going:
    http://www.torproject.org/docs/tor-doc-unix.html.en#installing
    http://www.torproject.org/docs/tor-doc-relay.html.en
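    As an added example (not part of the original post), a shell check that scans a tor.log for the milestones listed in this step, in the order Tor reports them, and names the first one missing; the sample log is constructed from the lines quoted above, with the relay address masked as in the post.

```shell
# Constructed sample log: the lines step 13 says to look for in tor.log
SAMPLE_TOR_LOG='Jun 21 15:44:13.835 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 21 15:44:13.835 [notice] Bootstrapped 100%: Done.
Jun 21 15:44:13.835 [notice] Now checking whether ORPort XXX.XXX.XXX.XXX:9001 and DirPort XXX.XXX.XXX.XXX:9030 are reachable.. (this may take up to 20 minutes -- look for log messages indicating success)
Jun 21 15:44:18.492 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 21 15:44:18.492 [notice] Not advertising DirPort (Reason: AccountingMax enabled)
Jun 21 15:44:26.804 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.'

# relay_selftest_status FILE -> prints one word and returns 0 only when both
# reachability self-tests passed. Milestones are checked in the order Tor
# logs them, so the word names the first thing to investigate:
#   warnings | not-bootstrapped | selftest-pending | orport-unconfirmed
#   | dirport-unconfirmed | ok
relay_selftest_status() {
  log=$1
  if grep -qE '\[(warn|err)\]' "$log"; then     # any warn/err line needs a look
    echo warnings; return 2
  fi
  grep -q 'Bootstrapped 100%' "$log"          || { echo not-bootstrapped; return 3; }
  grep -q 'Now checking whether ORPort' "$log" || { echo selftest-pending; return 3; }
  grep -q 'your ORPort is reachable' "$log"    || { echo orport-unconfirmed; return 1; }
  grep -q 'your DirPort is reachable' "$log"   || { echo dirport-unconfirmed; return 1; }
  echo ok
}

# dirport_advertised FILE -> false when Tor says it is not advertising the
# DirPort, which is expected with AccountingMax set (the post's own log shows it)
dirport_advertised() {
  ! grep -q 'Not advertising DirPort' "$1"
}

# Example run against the constructed sample (real use: /var/log/tor/tor.log)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TOR_LOG" > "$tmp"
relay_selftest_status "$tmp"
dirport_advertised "$tmp" && echo 'DirPort advertised' || echo 'DirPort not advertised'
rm -f "$tmp"
```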

That’s it! You now have a fully functioning Tor Relay and are helping the Iranian people get news and information out to the rest of the world. The cool thing about Slicehost is that you can easily upgrade your Slice with the click of a button to allow more bandwidth, RAM, and other resources. They also have a Clone option so that once you have your initial Tor slice running, you can clone it multiple times so that you can have multiple Tor servers at a time.

More good reads on Tor and its effect in Iran:
http://blog.torproject.org/blog/measuring-tor-and-iran
http://p10.hostingprod.com/@spyblog.org.uk/blog/2009/06/tor-relays-and-exit-nodes-for-iran-and-for-the-rest-of-us.html

Update 1 – Preventing Abuse by BitTorrent Users

A couple of days after setting up my Tor slice, I received a Digital Millennium Copyright Act (“DMCA”) notice that my relay was hosting copyrighted material and that I would be required to remove it or face having my Slice shut down. Turns out that there are people out there using BitTorrent over the Tor network to transfer copyrighted material. Philosophical debates about BitTorrent and copyright law aside, the whole reason why I am running Tor is to help those in Iran stay connected — not to assist in the distribution of copyrighted material. So, after a few minutes of research, I found out that you can prevent your relay from being used for BitTorrent by adjusting its ExitPolicy:

vim /etc/tor/torrc

Add the following:
ExitPolicy reject *:1214
ExitPolicy reject *:4661-4666
ExitPolicy reject *:6346-6429
ExitPolicy reject *:6881-6999

Save & Exit
Restart Tor: service tor restart

You should also probably follow the advice at http://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
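Added example, not from the post: a POSIX shell function that evaluates a port against these ExitPolicy lines the way Tor does, first matching rule wins, so you can confirm what the policy actually rejects before restarting the service. The trailing `accept *:*` in the embedded sample is a constructed stand-in for the rules Tor appends after yours.

```shell
# Constructed sample: the four ExitPolicy lines from the post, followed by a
# catch-all standing in for Tor's built-in default policy so that a port no
# explicit rule matches is reported as "accept"
TORRC_EXIT_POLICY='ExitPolicy reject *:1214
ExitPolicy reject *:4661-4666
ExitPolicy reject *:6346-6429
ExitPolicy reject *:6881-6999
ExitPolicy accept *:*'

# port_matches PORT SPEC -> true when PORT falls inside SPEC, which is a
# single port ("1214"), a range ("6881-6999") or the wildcard "*"
port_matches() {
  port=$1; spec=$2
  case $spec in
    '*') return 0 ;;
    *-*) lo=${spec%-*}; hi=${spec#*-} ;;
    *)   lo=$spec; hi=$spec ;;
  esac
  [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# exit_policy_verdict PORT -> prints the action of the first ExitPolicy rule
# that matches PORT (rules are evaluated top to bottom, as Tor does), or
# "no-match" if none does
exit_policy_verdict() {
  port=$1
  while read -r key action pattern; do
    [ "$key" = "ExitPolicy" ] || continue
    # only the port half of "addr:port" matters here; the sample uses * for addr
    if port_matches "$port" "${pattern#*:}"; then
      printf '%s\n' "$action"
      return 0
    fi
  done <<EOF
$TORRC_EXIT_POLICY
EOF
  printf 'no-match\n'
  return 1
}

# Example: a common BitTorrent port and an HTTPS port
for p in 6881 443; do
  printf 'port %s: %s\n' "$p" "$(exit_policy_verdict "$p")"
done
```

A relay that should never carry exit traffic at all uses `ExitPolicy reject *:*` instead of a port list, since a client can be configured to use any port.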

References:
http://www.torproject.org/faq.html.en#ExitPolicies – Exit Policies in Tor
https://www.torproject.org/eff/tor-dmca-response.html – DMCA Response Template
http://www.orient-lodge.com/node/3622?dsq=11687593 – A Slicehost user who also received a DMCA notice
http://www.chrisbrunner.com/?p=119 – Why You Shouldn’t Run BitTorrent Over Tor

Update 2 – Slicehost Responds

After making the adjustments above, I notified Slicehost of my changes and they have responded:
Thank you for your response. We will go ahead and consider this matter resolved. Thank you for your attention to this matter.
Gotta give them credit for understanding that we’re trying to help people in Iran — not to pirate movies. Thanks Slicehost!

Update 3 – Upgraded to 0.2.1.16 & Config Adjustments

I received some configuration recommendations from Andrew Lewman of The Tor Project, and have updated the steps above accordingly.

Cacti on Fedora: Blank Graphs

After getting Cacti up and running successfully on Fedora Core 5, I had a problem with the graphing. Cacti was receiving the SNMP data correctly (the graph legends would show the proper data values), but the actual neato colors and lines were absent in the graph image. After some research I found a fix: everything in the rra directory must be owned by the cacti user, or by whichever user runs the poller crontab. Pretty simple:

chown -R cacti.cacti /usr/share/cacti/rra

Once the rra files were owned by the cacti user, the graphs started to appear in all their colored and lined splendor!

PHP & imagettftext with Webcore TrueType fonts.

If you’re trying to write some text using PHP/GD & the imagettftext() function, you will of course need some TrueType fonts to work with. I’ve found a great set of fonts available for free: Webcore. Webcore contains all the fonts web designers constantly use, things like Arial, Tahoma, Verdana, Georgia, etc.

To install, simply download to your server and install the RPM (Fedora):
shell> wget http://avi.alkalay.net/software/webcore-fonts/webcore-fonts-3.0-1.noarch.rpm
shell> rpm -i webcore-fonts-3.0-1.noarch.rpm

These fonts will now be available to you in /usr/share/fonts/webcore/.

Make sure you specify the full path when calling imagettftext(), eg:
<?php
 
// Set the content-type
header("Content-type: image/png");
 
// Replace path by your own font path
$font = '/usr/share/fonts/webcore/arial.ttf';
 
// Create the image
$im = imagecreatetruecolor(400, 30);
 
// Create some colors
$white = imagecolorallocate($im, 255, 255, 255);
$black = imagecolorallocate($im, 0, 0, 0);
imagefilledrectangle($im, 0, 0, 399, 29, $white);
 
// The text to draw
$text = 'Hello world!';
 
// Add some text
imagettftext($im, 20, 0, 10, 20, $black, $font, $text);
 
// Using imagepng() results in clearer text compared with imagejpeg()
imagepng($im);
imagedestroy($im);
?>

Your mileage may vary if you are using a different distribution, but the docs state that this RPM should work on other distros.

Yum: Cannot find a valid baseurl for repo: core

I went to update my Fedora Core 5 machine today, and received the following error:
[root ~] yum check-update
Loading "installonlyn" plugin
Setting up repositories
core [1/3]
Cannot find a valid baseurl for repo: core
Error: Cannot find a valid baseurl for repo: core

I tried running yum clean all but it didn’t help. After looking around I found that all of my repo files in /etc/yum.repos.d/ had their baseurl values commented out. Don’t ask me how that happened, I have no idea. Simply un-commenting all the baseurl values in all my repo files fixed the problem, and yum is once again running as expected. So if you run into this problem, make sure everything is set up right in /etc/yum.repos.d/*.repo.

Installing PDFlib Lite as a PHP module on Fedora Core 4

The instructions for doing so (here) seemed straightforward enough, but I ran into a few problems. So here’s how I got PDFLib working with my PHP install on Fedora Core 4.

First we need to build PDFlib Lite from Source. Download it from here. Unpack it, then:
./configure
make
make install

Easy enough. Now:
yum install automake
yum install php-devel
pecl install pdflib

(Note: php-devel is required because we need phpize which is used by the pecl command.)

The PECL install will ask you a question: “Path to PDFlib installation?” This is where I ran into problems. You must put /usr/local/ and NOT /usr/local/include because the script is hardcoded to look inside the include directory automatically. Once PECL finds pdflib.h it will continue and finish compiling our shared object, pdf.so. The script will install it for us in /usr/lib/php/modules/.
Now we just have to tell PHP to load the SO. Open up php.ini and add the following line:
extension=pdf.so
Save & exit, and restart your Apache with apachectl graceful. Now browse to a file containing the phpinfo() function and check to see if PDFlib is now active. If you see it, you’re good to go!

NOTE: I ran into a problem with RPM GPG Keys at the automake install step. I was getting the following error:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID db42a60e
public key not available for autoconf-2.59-5.noarch.rpm
Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
The GPG key at file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora (0x4F2A6FD2)
is already installed but is not the correct key for this package.
Check that this is the correct key for the "Fedora Core 4 - i386 - Base" repository.

To get around this we need to import all the keys by running the following command:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
I found this solution in this thread.

Red Hat Fedora Linux: Add an additional IP to your network card.

Adding an additional IP or IPs to your network card in Linux is easy. Here’s how I did it in my Fedora Core 4 installation:
cd /etc/sysconfig/network-scripts/
cp ifcfg-eth0 ifcfg-eth0:0

Now you will need to open your newly created ifcfg-eth0:0 file in your favorite editor and modify it to fit your needs. The two lines you MUST change are the following, the rest are optional:
DEVICE=eth0:0
IPADDR=192.x.x.x

Of course you will want to fill in the IPADDR value to fit your needs.

Now, to make the changes take effect, you will need to bring your new IP up by issuing the following command:
./ifup eth0:0
Or if you want you can just restart the entire network:
/etc/rc.d/init.d/network reload
There you go! Run ifconfig and you should see your new IP assigned to eth0:0. It should look something like this:
eth0:0 Link encap:Ethernet HWaddr 00:D0:B7:B7:XX:XX
inet addr:192.168.1.XX Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

You can add even more IPs by repeating this process and incrementing the value of eth0:0, for example you can add eth0:1, eth0:2, etc.