@gszathmari
Last active October 12, 2016 01:57
CryptoParty Tor Relay Workshop
==============================
This document provides instructions for launching a virtual machine and configuring it as a Tor relay.
The guide was created for the CryptoParty workshop on 11/10/2016 in Sydney.
More: https://www.meetup.com/CryptoParty-Sydney/events/234228287/
Launching a Virtual Machine
---------------------------
1. Visit https://www.vultr.com/register/?register_promo=50for60 to register a new user account
Promo: Get +$50 for 60 days
Alternatively (affiliate link): http://www.vultr.com/?ref=6952471-3B
Promo: Get +$20 when you spend $10
Disclosure: Gabor gets $30 from Vultr for the referral, which supports https://privacyforjournalists.org.au
2. Verify email address
3. Link credit card or PayPal account under 'Billing' on https://my.vultr.com/billing/
4. Apply promo code on 'Billing' at https://my.vultr.com/billing/
Promo Codes
+++++++++++
NGINX20: +$20.00
GIVEME10: +$10.00
5. Go to https://my.vultr.com/deploy/ to launch a new virtual machine (VM)
Configure the VM as follows:
1. Server Location: Sydney
2. Server Type: Ubuntu 16.04 x64
3. Server Size: 15 GB SSD for $5/mo
4. Additional Features: Enable IPv6
5. Startup Script: none
6. SSH Keys: none (you can add later)
7. Server Hostname: myrelay
Server Label: tor
6. Click on 'Deploy Now' button at the bottom to launch the VM
7. Go to 'Servers' at https://my.vultr.com/
8. Click on your new server to open its details
9. Click on the 'eye' icon in the bottom-left corner to reveal the 'root' password
10. Take note of your SSH login details
IP Address: <shown on the server details page>
Username: root
Password: <as shown at step #9>
Configuring the Operating System
--------------------------------
1. Log into your VM with SSH
Scroll down to the bottom if you need help with SSH clients
2. Upgrade Ubuntu OS
# apt-get update && apt-get dist-upgrade -y
If this fails with "E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?", the packages are already being updated automatically in the background. Wait a few minutes and try again.
3. Configure auto-upgrade
# apt-get install unattended-upgrades -y
# dpkg-reconfigure --priority=low unattended-upgrades
Choose 'Yes' when prompted and press 'Enter' for the default settings
4. Install Tor
Add the Tor software repository to Ubuntu:
# echo 'deb http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
# echo 'deb-src http://deb.torproject.org/torproject.org xenial main' >> /etc/apt/sources.list.d/tor.list
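Then add the GPG key used to sign the packages by running the following commands at your command prompt (the key is requested by its full fingerprint, because short key IDs can collide):
# gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89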
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Install Tor with the following command:
# apt-get update && apt-get install tor tor-arm deb.torproject.org-keyring -y
Configure Tor as a Relay
------------------------
1. Rename the default Tor configuration file
# mv /etc/tor/torrc /etc/tor/torrc.default
2. Open /etc/tor/torrc with your favourite text editor and add the following:
RunAsDaemon 1
ORPort 9001
DirPort 9030
Nickname blah
AccountingMax 950 GBytes
AccountingStart month 1 00:01
ContactInfo John Doe <blah@example.com>
ExitPolicy reject *:* # no exits allowed
!!! *Important*: Change 'Nickname' and 'ContactInfo' !!!
Note: The email address in 'ContactInfo' is public. We suggest obscuring the email address to avoid spam harvesting.
3. Save the configuration file and exit the editor
4. Start the Tor service
# systemctl stop tor
# systemctl start tor
5. Verify that the relay is starting up properly by monitoring the log file
# tail -f /var/log/tor/log
You should have "[notice] Bootstrapped 100%: Done" in the log file if everything is working a-okay.
6. Confirm Tor is running with the 'arm' utility
# arm
You can exit the utility by pressing 'q'
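A pre-start check for the torrc from step 2, added here as an example and not part of the original workshop guide: it flags the placeholder 'Nickname' and 'ContactInfo' values and any 'ExitPolicy' whose first rule is not 'reject *:*'. The helper names torrc_get and check_torrc are hypothetical, and the sample file is constructed from the template above.

```shell
#!/usr/bin/env bash
# Added example: lint a relay torrc against the settings this guide relies on.
# torrc_get and check_torrc are hypothetical helpers, not part of Tor.

# Print every value of option $2 in torrc $1, one per line
# (comments stripped, option name matched case-insensitively).
torrc_get() {
  awk -v key="$2" '
    { sub(/#.*/, "") }
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Return 0 if the torrc looks like a finished non-exit relay config, 1 otherwise.
check_torrc() {
  local f="$1" bad=0 nick contact first
  fail() { echo "FAIL: $*"; bad=1; }

  nick=$(torrc_get "$f" Nickname | tail -n 1)
  case $nick in
    ''|blah) fail "Nickname is unset or still the guide's placeholder" ;;
    *[!A-Za-z0-9]*) fail "Nickname must be alphanumeric only" ;;
  esac
  [ "${#nick}" -le 19 ] || fail "Nickname is longer than 19 characters"

  contact=$(torrc_get "$f" ContactInfo | tail -n 1)
  case $contact in
    '') fail "ContactInfo is unset" ;;
    *example.com*|*"John Doe"*) fail "ContactInfo is still the guide's placeholder" ;;
  esac

  # Exit policies are first-match, so the first rule must reject everything.
  first=$(torrc_get "$f" ExitPolicy | head -n 1 | cut -d, -f1 | sed 's/ *$//')
  [ "$first" = "reject *:*" ] || fail "first ExitPolicy rule is '$first', not 'reject *:*'"

  [ -n "$(torrc_get "$f" ORPort)" ] || fail "ORPort is unset"
  return $bad
}

# Constructed sample: the guide's template with the placeholders left in.
sample=$(mktemp)
printf '%s\n' 'ORPort 9001' 'Nickname blah' \
  'ContactInfo John Doe <blah@example.com>' \
  'ExitPolicy reject *:* # no exits allowed' > "$sample"
check_torrc "$sample" || echo "fix the items above before starting Tor"
rm -f "$sample"
```

On the relay itself, run check_torrc /etc/tor/torrc before step 4. Tor's own 'tor --verify-config -f /etc/tor/torrc' checks syntax, while this check covers the guide-specific values Tor cannot know about.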
Check out your relay on Tor Atlas
---------------------------------
1. Get the Tor relay fingerprint with the following command
# cat /var/lib/tor/fingerprint
The fingerprint is the second field on the line: a long string of letters and numbers
2. Open the following URL in your browser:
https://atlas.torproject.org/#details/<fingerprint from step #1>
It may take up to 2-4 hours for your server to appear in Atlas. You should be able to find it by searching for its nickname set by the 'Nickname' parameter in /etc/tor/torrc
SSH Clients
-----------
macOS and Linux:
Open Terminal and enter the following:
$ ssh -lroot <ip address>
Windows:
Download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Homework
--------
- Give @CryptoPartySyd and @Torproject a shout out on Twitter about your new Tor relay
- Change the 'root' password
- Add your SSH public key and disable password authentication
- Set up server monitoring (NewRelic, Uptime Robot)
- Patch Ubuntu manually on a regular basis (unattended-upgrades does not apply every available update)
- Secure your Vultr account with two-factor authentication (https://www.vultr.com/docs/using-two-factor-authentication-to-login-to-vultr-control-panel)
- Add swap (https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity#EncryptStorageandSwapSpace)
- Configure firewall (iptables)
- Protect Ubuntu with two-factor authentication (https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04)
- Forward OS logs to a remote location (Loggly, Papertrail)
- Secure the Tor agent with AppArmor
- Backup Tor private keys (https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKeys#Backupyourkeys)
- Get involved and join the Tor community (https://www.torproject.org/about/contact.html.en)
- Join the CryptoParty Sydney Telegram channel (https://telegram.me/CryptoPartySyd)