Set up new server as Tor relay
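##
# Ubuntu 16.04 Xenial Xerus
##
######################################
# INITIAL SERVER SETUP & HARDENING
######################################
# First login, as root, from your workstation. On the very first connection ssh
# has no record of the host key yet: compare the fingerprint it prints with the
# one your provider shows in its console before answering "yes". Accepting blindly
# here would make a man-in-the-middle on this first hop trusted for every later
# session to the box.
ssh root@1.2.3.4
##
# set hostname
##
echo "my.hostname.com" > /etc/hostname
hostname -F /etc/hostname
# /etc/default/dhcpcd normally does not exist; if it does, comment out
# SET_HOSTNAME='yes' so dhcpcd does not overwrite the hostname on reboot:
vi /etc/default/dhcpcd
#SET_HOSTNAME='yes'
# map the public IP to the hostname (one line: "<IP> my.hostname.com") so local
# resolution of the hostname does not depend on DNS being reachable:
vi /etc/hosts
IP my.hostname.com
# add DNS A record for hostname pointing to IP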
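##
# Update all the things
##
apt-get update && apt-get upgrade
apt-get autoremove
# if the upgrade installed a new kernel, Ubuntu drops a marker file; reboot
# before going on so the relay does not keep running on the superseded kernel
[ -f /var/run/reboot-required ] && reboot
##
# Set timezone
##
dpkg-reconfigure tzdata
# Tor relies on an accurate clock to accept the network consensus (it logs
# clock-skew warnings otherwise), so keep time synced from the start
apt-get install ntp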
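##
# Create new user
##
adduser USERNAME
usermod -a -G sudo USERNAME
# passwordless sudo (optional). NOTE(review): with this rule anyone holding the
# SSH private key gets root with no second secret; membership in the sudo group
# above already grants sudo behind a password prompt, so skip this step unless
# you genuinely need unattended root. If you keep it, use a drop-in file instead
# of editing the main sudoers file (visudo syntax-checks it before saving; the
# file name must not contain a '.' or '~' or sudo ignores it):
visudo -f /etc/sudoers.d/USERNAME
# file contents:
USERNAME ALL=NOPASSWD: ALL
# copy root's authorized_keys file to the new user — explicit path, the original
# relied on the current directory being /root
mkdir -p /home/USERNAME/.ssh
cp /root/.ssh/authorized_keys /home/USERNAME/.ssh/authorized_keys
chown -R USERNAME:USERNAME /home/USERNAME/.ssh
chmod 700 /home/USERNAME/.ssh
chmod 600 /home/USERNAME/.ssh/authorized_keys
# keep this root session open and test the new login from a SECOND terminal:
ssh USERNAME@my.hostname.com
# only once the key-based login as USERNAME works, drop the root session:
logout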
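##
# SSH key auth
##
# ~/.ssh already holds the authorized_keys copied from root above; -p makes the
# mkdir a no-op instead of an error. Edit the file only to add further keys.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
vi ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
##
# SSH configuration
##
sudo vi /etc/ssh/sshd_config
# disable root login & password login. Change the EXISTING lines rather than
# appending: sshd uses the first occurrence of a keyword, so a duplicate added
# at the end of the file is silently ignored.
PermitRootLogin no
PasswordAuthentication no
# keyboard-interactive is a second password path (via PAM); xenial ships it off,
# but make it explicit so an edit elsewhere cannot quietly re-open it
ChallengeResponseAuthentication no
# syntax-check the config before restarting — a typo here locks you out
sudo sshd -t
# restart, then confirm a NEW ssh connection works before closing the session
# you are currently in
sudo service ssh restart
##
# Generate machine SSH key
##
# key for this machine itself (e.g. to pull from git); the private key never
# leaves the host, only the public half below is handed out
ssh-keygen -t rsa -b 4096 -C "USERNAME@my.hostname.com"
cat ~/.ssh/id_rsa.pub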
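##
# Firewall
##
sudo apt-get install ufw
# setup defaults: drop everything inbound, allow everything outbound. The relay
# needs outbound to arbitrary ORPorts, and ufw is stateful, so replies to our
# own connections come back without any inbound rule.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# allow specific services — SSH first, or enabling the firewall cuts off the
# session you are in
sudo ufw allow ssh
# no inbound NTP rule: ntpd only sends outbound queries here and the stateful
# firewall lets the answers back in; opening UDP 123 would only expose the
# daemon's query interface to the internet (historically abused for
# amplification)
# the two Tor ports must match ORPort / DirPort in /etc/tor/torrc below
sudo ufw allow 9001 # Tor ORPort
sudo ufw allow 9030 # Tor DirPort
# the rules above do nothing until the firewall is actually enabled
sudo ufw enable
sudo ufw status verbose
sudo apt-get install fail2ban
# fail2ban's default sshd jail bans repeated failed logins; with password auth
# already off it mostly cuts log noise, but it is cheap insurance
sudo service fail2ban start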
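######################################
# TOR INSTALLATION
######################################
##
# Add new package source & keys
##
# Ubuntu's own tor package lags behind; use the Tor Project repository. Plain
# http is acceptable only because apt verifies every package against the
# signing key imported next — that key import is the trust decision here.
# (Ubuntu 16.04 is past end of standard support; on a current release follow
# the Tor Project's current apt instructions, which use a signed-by keyring
# rather than apt-key.)
echo "deb http://deb.torproject.org/torproject.org xenial main" | sudo tee /etc/apt/sources.list.d/torproject.list
# fetch the archive signing key by its FULL fingerprint, not the 8-hex-digit
# short id (short ids are trivially collidable on keyservers), and compare the
# fingerprint gpg prints with the one published on torproject.org before
# trusting it. NOTE: on xenial, apt-key add trusts this key for EVERY apt
# source on the system, not just deb.torproject.org.
gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
##
# Refresh package list and install Tor
##
# deb.torproject.org-keyring keeps the signing key updated through apt from now
# on, so the manual import above is a one-time step
sudo apt-get update && sudo apt-get install tor deb.torproject.org-keyring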
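######################################
# TOR SETUP
######################################
##
# Edit Tor config file
##
sudo vi /etc/tor/torrc
SocksPort 0 # Pure relay configuration without local socks proxy
ORPort 9001 # must match the ufw rule above
Nickname YOURRELAYNAME
# Rate is the sustained limit, Burst the short-term ceiling. Tor refuses to
# start when Burst is lower than Rate ("RelayBandwidthBurst must be at least
# equal to RelayBandwidthRate"); the original had the two values swapped.
RelayBandwidthRate 100 Mbits
RelayBandwidthBurst 500 Mbits
# monthly traffic cap — the relay hibernates once it is used up
AccountingMax 40 GBytes
AccountingStart month 1 01:00
# ContactInfo is published in the relay descriptor: give a PGP fingerprint and
# an address you can actually be reached at (obfuscated as below if you like)
ContactInfo 0xPGPGPGPGP Your Name <email AT domain dot com>
DirPort 9030 # must match the ufw rule above
ExitPolicy reject *:* # no exits allowed making server a middle relay
# NOTE(review): 0 turns off Tor's protection against debugger attachment, so
# other processes can ptrace the tor process (and it may write core files) —
# the process holds the relay's long-term identity keys in memory. It is here
# only so arm (below) can read connection details; set it back to the default
# of 1 when you are done monitoring.
DisableDebuggerAttachment 0 # for arm
HardwareAccel 1 # Look for OpenSSL hardware cryptographic support
##
# Check the config, then restart Tor to pick up the changes
##
# a config error makes tor exit and takes the relay offline; --verify-config
# reports it without restarting anything
sudo -u debian-tor tor --verify-config -f /etc/tor/torrc
sudo service tor restart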
######################################
# TOR MONITORING
######################################
##
# Monitor with ARM
##
# arm is a top-like console for Tor. It is run as the tor user, presumably so
# it can reach the control socket the Debian/Ubuntu package sets up for that
# user — confirm on your install.
sudo apt-get install tor-arm
sudo -u debian-tor arm
##
# Tor logs
##
# after a restart, watch for "Self-testing indicates your ORPort is reachable
# from the outside" — until it appears the relay is not usable by clients
tail -f /var/log/tor/log