Running Tor service in the jail environment


Running Tor service in the jail environment

Hubert Hauser-2
I want to torify my old FreeBSD machine, purposed mainly for darknet
activities.

Should I worry about these errors while creating a jail?

Warning: Some services already seem to be listening on all IP,
(including 127.0.1.1) This may cause some confusion, here they are:
root ntpd 58008 20 udp6 *:123 *:*
root ntpd 58008 21 udp4 *:123 *:*
root lpd 48726 6 tcp6 *:515 *:*
root lpd 48726 7 tcp4 *:515 *:*
Warning: Some services already seem to be listening on IP 192.168.1.105
This may cause some confusion, here they are:
root ntpd 58008 23 udp4 192.168.1.105:123 *:*
Warning: Some services already seem to be listening on all IP,
(including 192.168.1.105) This may cause some confusion, here they are:
root ntpd 58008 20 udp6 *:123 *:*
root ntpd 58008 21 udp4 *:123 *:*
root lpd 48726 6 tcp6 *:515 *:*
root lpd 48726 7 tcp4 *:515 *:*

Should the jail have access to the loopback interface and the public
Ethernet interface, assuming that all traffic from this machine will be
routed through Tor? Is it necessary to set up a virtual network interface
to communicate between jails?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"
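The warning quoted in the post above is a list of sockstat(1) rows for host services bound either to the wildcard address (`*:port`) or to the exact IP the jail is about to take; either kind will collide with, or leak into, a jail that shares that address. The following POSIX shell script is an added example (not from the thread or from any jail tool) that performs the same audit on sockstat-style rows; the sample rows are constructed to mirror the services named in the warning, plus one loopback-only listener that would not collide:

```shell
#!/bin/sh
# Added example: find host services that would collide with a jail's IP,
# the same check the jail-creation warning in the thread reports.
# Row format is that of sockstat(1): USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Constructed sample of `sockstat -46l` output (not captured from a real
# host): ntpd and lpd on the wildcard address, one ntpd socket bound to the
# host's own IP, and an sshd bound to loopback only.
SAMPLE_SOCKSTAT='root ntpd 58008 20 udp6 *:123 *:*
root ntpd 58008 21 udp4 *:123 *:*
root lpd 48726 6 tcp6 *:515 *:*
root lpd 48726 7 tcp4 *:515 *:*
root ntpd 58008 23 udp4 192.168.1.105:123 *:*
root sshd 901 4 tcp4 127.0.0.1:22 *:*'

# wildcard_listeners: print rows (from stdin) whose LOCAL ADDRESS is "*",
# i.e. bound to every interface, including any address a jail will use.
wildcard_listeners() {
    awk '$6 ~ /^\*:/ { print $1, $2, $3, $5, $6 }'
}

# jail_ip_listeners IP: print rows (from stdin) bound to exactly that IP,
# the second collision the warning reports.
jail_ip_listeners() {
    awk -v ip="$1" 'index($6, ip ":") == 1 { print $1, $2, $3, $5, $6 }'
}

# count_wildcard_listeners: number of wildcard-bound rows in the sample,
# printed on stdout so the check can be scripted (non-zero means clean up
# the host rc.conf before creating the jail).
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# count_ip_listeners IP: number of rows bound to that specific IP.
count_ip_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_ip_listeners "$1" | wc -l | tr -d ' '
}

# Live use on a FreeBSD host (commented out so the sample runs anywhere):
#   sockstat -46l | wildcard_listeners
#   sockstat -46l | jail_ip_listeners 192.168.1.105

echo "wildcard-bound services:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
echo "services bound to 192.168.1.105:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_ip_listeners 192.168.1.105
```

The loopback-only sshd row is deliberately not reported: a socket bound to 127.0.0.1 on the host is not reachable from a jail with its own address, which is why the warning distinguishes "all IP" listeners from those on the jail's address.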

Re: Running Tor service in the jail environment

Ian Lepore-3
On Tue, 2018-12-11 at 01:41 +0000, Hubert Hauser wrote:

> I want to torify my old FreeBSD machine, purposed mainly for darknet
> activities.
>
> Should I worry about these errors while creating a jail?
>
> Warning: Some services already seem to be listening on all IP,
> (including 127.0.1.1) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:*
> Warning: Some services already seem to be listening on IP 192.168.1.105
> This may cause some confusion, here they are:
> root ntpd 58008 23 udp4 192.168.1.105:123 *:*
> Warning: Some services already seem to be listening on all IP,
> (including 192.168.1.105) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:*
>
> Should the jail have access to the loopback interface and the public
> Ethernet interface, assuming that all traffic from this machine will be
> routed through Tor? Is it necessary to set up a virtual network interface
> to communicate between jails?

You should not be running ntpd inside a jail; it won't have the
privileges to set the kernel clock anyway. Only the ntpd running in a
non-jailed environment can do that.

I suspect the same is true of lpd, but I've never used that and know
nothing about it.

-- Ian

Re: Running Tor service in the jail environment

Shawn Webb-3
In reply to this post by Hubert Hauser-2
On Tue, Dec 11, 2018 at 01:41:50AM +0000, Hubert Hauser wrote:

> I want to torify my old FreeBSD machine, purposed mainly for darknet
> activities.
>
> Should I worry about these errors while creating a jail?
>
> Warning: Some services already seem to be listening on all IP,
> (including 127.0.1.1) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:*
> Warning: Some services already seem to be listening on IP 192.168.1.105
> This may cause some confusion, here they are:
> root ntpd 58008 23 udp4 192.168.1.105:123 *:*
> Warning: Some services already seem to be listening on all IP,
> (including 192.168.1.105) This may cause some confusion, here they are:
> root ntpd 58008 20 udp6 *:123 *:*
> root ntpd 58008 21 udp4 *:123 *:*
> root lpd 48726 6 tcp6 *:515 *:*
> root lpd 48726 7 tcp4 *:515 *:*
>
> Should the jail have access to the loopback interface and the public
> Ethernet interface, assuming that all traffic from this machine will be
> routed through Tor? Is it necessary to set up a virtual network interface
> to communicate between jails?
I wouldn't use a jail for that. Take a look at this article I wrote
about how to use Tor in the manner you're looking for:

https://github.com/lattera/articles/blob/master/infosec/tor/2017-01-14_torified_home/article.md

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        [hidden email]
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE


Re: Running Tor service in the jail environment

Hubert Hauser
In reply to this post by Ian Lepore-3
Hello!
> You should not be running ntpd inside a jail; it won't have the
> privileges to set the kernel clock anyway. Only the ntpd running in a
> non-jailed environment can do that.

How can I prevent running ntpd and lpd in the jail environment?

> I wouldn't use a jail for that. Take a look at this article I wrote
> about how to use Tor in the manner you're looking for:
>
> https://github.com/lattera/articles/blob/master/infosec/tor/2017-01-14_torified_home/article.md

It sounds like a good idea, but wouldn't a better solution be to use an
open-hardware device acting as a Tor router, with OpenBSD or HardenedBSD
installed? Why wouldn't you use a jail environment for it? I want to
place Tor in a jail environment because I want to prevent the system from
being compromised in case the Tor service is compromised.

Thank you in advance,
Hubert.



Re: Running Tor service in the jail environment

Ian Lepore-3
On Tue, 2018-12-11 at 19:58 +0100, Hubert Hauser wrote:
> Hello!
> >
> > You should not be running ntpd inside a jail; it won't have the
> > privileges to set the kernel clock anyway. Only the ntpd running in
> > a non-jailed environment can do that.
> How can I prevent running ntpd and lpd in the jail environment?
>

Set the appropriate variables (ntpd_enable=NO, etc) in the /etc/rc.conf
for the jail.

-- Ian

> >
> > I wouldn't use a jail for that. Take a look at this article I wrote
> > about how to use Tor in the manner you're looking for:
> >
> > https://github.com/lattera/articles/blob/master/infosec/tor/2017-01-14_torified_home/article.md
> It sounds like a good idea, but wouldn't a better solution be to use an
> open-hardware device acting as a Tor router, with OpenBSD or HardenedBSD
> installed? Why wouldn't you use a jail environment for it? I want to
> place Tor in a jail environment because I want to prevent the system
> from being compromised in case the Tor service is compromised.
>
> Thank you in advance,
> Hubert.
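Ian's answer above is to set the `*_enable` variables in the jail's own /etc/rc.conf so that host-only daemons such as ntpd and lpd never start inside the jail. The script below is an added example (not from the thread or from FreeBSD's base system) that audits a jail rc.conf for enabled services and switches the unwanted ones to `NO`; the rc.conf contents and the jail path mentioned in the comment are constructed for the example. On a real FreeBSD host the editing step is what sysrc(8) does with `sysrc -f <jail-root>/etc/rc.conf ntpd_enable=NO`:

```shell
#!/bin/sh
# Added example: audit and tighten a jail's /etc/rc.conf so that only the
# intended service (tor) starts inside the jail. The jail root path
# /usr/jails/tor used in the comments is an assumed example path.

# make_sample_rc_conf: write a constructed jail rc.conf that inherited ntpd
# and lpd from a host template, and print the temp file's path.
make_sample_rc_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# jail rc.conf (constructed sample, not a real system's file)
hostname="tor.jail.example"
ntpd_enable="YES"
lpd_enable="yes"
sendmail_enable="NONE"
tor_enable="YES"
# syslogd_enable="YES"
EOF
    printf '%s\n' "$f"
}

# enabled_services FILE: print the service names whose *_enable variable is
# set to YES. rc.conf values are case-insensitive and may be quoted with
# single or double quotes; comments (including commented-out lines) are
# stripped first so they are not reported.
enabled_services() {
    sed -e 's/#.*//' -e 's/["'"'"']//g' "$1" |
    awk -F= '$1 ~ /_enable$/ && toupper($2) == "YES" {
        sub(/_enable$/, "", $1); print $1
    }'
}

# disable_service FILE NAME: set NAME_enable="NO" in FILE, rewriting the
# existing assignment if present and appending one otherwise (the append
# matters: an absent variable falls back to /etc/defaults/rc.conf).
disable_service() {
    f="$1"; name="$2"; tmp="$f.tmp"
    if grep -q "^${name}_enable=" "$f"; then
        sed "s/^${name}_enable=.*/${name}_enable=\"NO\"/" "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf '%s_enable="NO"\n' "$name" >> "$f"
    fi
}

# harden_jail_rc_conf FILE: disable the host-only daemons named in the
# thread (ntpd, lpd) and print the services still enabled, space-separated.
harden_jail_rc_conf() {
    for svc in ntpd lpd; do
        disable_service "$1" "$svc"
    done
    enabled_services "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration on the constructed file. For a real jail, run against
# /usr/jails/tor/etc/rc.conf (assumed path) instead of the sample.
RC_CONF="$(make_sample_rc_conf)"
printf 'enabled before: %s\n' "$(enabled_services "$RC_CONF" | tr '\n' ' ')"
printf 'enabled after:  %s\n' "$(harden_jail_rc_conf "$RC_CONF")"
rm -f "$RC_CONF"
```

Re-running the audit after the jail has been started (`sockstat -46l` inside the jail, or `sockstat -j <jid>` from the host) confirms that nothing but tor is listening; the edit only takes effect for services started by rc on the next jail boot.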

Re: Running Tor service in the jail environment

Hubert Hauser
Hi there!

> It sounds like a good idea, but wouldn't a better solution be to use an
> open-hardware device acting as a Tor router, with OpenBSD or HardenedBSD
> installed? Why wouldn't you use a jail environment for it? I want to
> place Tor in a jail environment because I want to prevent the system
> from being compromised in case the Tor service is compromised.
Ian, thank you for your reply about disabling ntpd in jails, but you
haven't replied to the questions above.

Cheers,
Hubert.


Re: Running Tor service in the jail environment

Ian Lepore-3
On Tue, 2018-12-11 at 20:13 +0100, Hubert Hauser wrote:

> Hi there!
>
> >
> > It sounds like a good idea, but wouldn't a better solution be to use
> > an open-hardware device acting as a Tor router, with OpenBSD or
> > HardenedBSD installed? Why wouldn't you use a jail environment for
> > it? I want to place Tor in a jail environment because I want to
> > prevent the system from being compromised in case the Tor service is
> > compromised.
> Ian, thank you for your reply about disabling ntpd in jails, but you
> haven't replied to the questions above.
>
> Cheers,
> Hubert.
>

I know nothing about Tor, or HardenedBSD, or OpenBSD.  I answered the
part I do know about.

-- Ian

Re: Running Tor service in the jail environment

Oliver Fromme-6
In reply to this post by Hubert Hauser
Hubert Hauser wrote:
 > It sounds like a good idea, but wouldn't a better solution be to use
 > an open-hardware device acting as a Tor router, with OpenBSD or
 > HardenedBSD installed?

Personally I trust FreeBSD more than the alternatives.
But that's just me.  ;-)

 > Why wouldn't you use a jail environment for it? I want to place
 > Tor in a jail environment because I want to prevent the system
 > from being compromised in case the Tor service is compromised.

I think it would be better to put the Tor service inside
a virtual machine, for example VirtualBox or FreeBSD's own
technology called bhyve.  It has two advantages:  First,
the separation is somewhat "stricter" and more extensive
than jails (for example, jails still share the same kernel,
but VMs do not).  Second, it is easier to create a setup
suitable for networking with Tor.  It might be possible
with a jail, too, but I think that would be more difficult
and error-prone.  And you *do* want to avoid errors when
you're going to set up a Tor service.

Disclaimer:  I've never set up a Tor service myself.

Best regards
   Olli


--
Oliver Fromme, München   --   FreeBSD + DragonFly BSD

``We are all but compressed light'' - Albert Einstein