Re: Blocking traceroute
On Thu, Apr 18, 2013 at 10:52:00PM -0400, Stuart McMurray wrote:
> You don't even need socat. You could do it all with pf. Except for DNS,
> though, you'd have to block outbound DNS traffic to maintain anonymity.

It's not possible to redirect outgoing traffic back to a local IP when the source host is the box itself.

jirib
Blocking traceroute
I want to create a Tor hidden server, which people SSH into over Tor. Users could discover the server's IP by running traceroute. To stop this I have added a simple rule to pf.conf based off helping traceroute. Otherwise they could just build or run their own binary traceroute.

block on em0 inet proto udp to port 33433 >< 33626

This appears to work, but couldn't traceroute be built to use other UDP ports? Perhaps I should block all UDP ports, it is no big loss really.

Is there anything else I should take into consideration when trying to prevent a server from being discovered? The server will be behind a NAT with only a LAN address.
Re: Blocking traceroute
On Thu, 2013-04-18 at 22:35 +, fek...@tormail.org wrote:
> I want to create a Tor hidden server, which people SSH into over Tor.
> Users could discover the server's IP by running traceroute. To stop this
> I have added a simple rule to pf.conf based off helping traceroute.
> Otherwise they could just build or run their own binary traceroute.

Doesn't traceroute need to be setuid root to work?

$ ls -l `which traceroute`
-r-sr-xr-x 1 root bin 189176 Aug 1 2012 /usr/sbin/traceroute

Though, honestly, traceroute is the least of your problems, read on...

> Is there anything else I should take into consideration when trying to
> prevent a server from being discovered? The server will be behind a NAT
> with only a LAN address.

ping, ifconfig, lynx or for that matter most web browsers (that can be used to browse to sites like ipchicken.com or whatismyip.com). Unless, of course, you are careful to either only allow outbound connections via Tor (difficult but possible), or not allow outside Internet connectivity at all (easier but may well defeat the purpose of what you're trying to do).

-- 
Shawn K. Quinn
skqu...@rushpost.com
Re: Blocking traceroute
I've just been thinking about how I will block everything and still have Tor. I will have Tor on the NAT and have it accept connections from the hidden server, and users can make outgoing connections through Tor only using socat. Thinking about it, the server will simply have no Internet and the only port it will be able to access is Tor. I think that solves it.

On Thu, 2013-04-18 at 22:35 +, fek...@tormail.org wrote:
>> I want to create a Tor hidden server, which people SSH into over Tor.
>> Users could discover the server's IP by running traceroute. To stop this
>> I have added a simple rule to pf.conf based off helping traceroute.
>> Otherwise they could just build or run their own binary traceroute.
>
> Doesn't traceroute need to be setuid root to work?
>
> $ ls -l `which traceroute`
> -r-sr-xr-x 1 root bin 189176 Aug 1 2012 /usr/sbin/traceroute
>
> Though, honestly, traceroute is the least of your problems, read on...
>
>> Is there anything else I should take into consideration when trying to
>> prevent a server from being discovered? The server will be behind a NAT
>> with only a LAN address.
>
> ping, ifconfig, lynx or for that matter most web browsers (that can be
> used to browse to sites like ipchicken.com or whatismyip.com). Unless, of
> course, you are careful to either only allow outbound connections via Tor
> (difficult but possible), or not allow outside Internet connectivity at
> all (easier but may well defeat the purpose of what you're trying to do).
>
> -- 
> Shawn K. Quinn
> skqu...@rushpost.com
Re: Blocking traceroute
On Thu, Apr 18, 2013 at 10:35:53PM -, fek...@tormail.org wrote:
> I want to create a Tor hidden server, which people SSH into over Tor.
> Users could discover the server's IP by running traceroute. To stop this
> I have added a simple rule to pf.conf based off helping traceroute.
> Otherwise they could just build or run their own binary traceroute.
>
> block on em0 inet proto udp to port 33433 >< 33626
>
> This appears to work, but couldn't traceroute be built to use other UDP
> ports? Perhaps I should block all UDP ports, it is no big loss really.
>
> Is there anything else I should take into consideration when trying to
> prevent a server from being discovered? The server will be behind a NAT
> with only a LAN address.

Tor is a TCP-only network. UDP will never work.

Cheers.

-- 
Juan Francisco Cantero Hurtado
http://juanfra.info
Re: Blocking traceroute
You don't even need socat. You could do it all with pf. Except for DNS, though, you'd have to block outbound DNS traffic to maintain anonymity.

J. Stuart McMurray

On Thu, Apr 18, 2013 at 10:17 PM, Juan Francisco Cantero Hurtado i...@juanfra.info wrote:
> On Thu, Apr 18, 2013 at 10:35:53PM -, fek...@tormail.org wrote:
>> I want to create a Tor hidden server, which people SSH into over Tor.
>> Users could discover the server's IP by running traceroute. To stop this
>> I have added a simple rule to pf.conf based off helping traceroute.
>> Otherwise they could just build or run their own binary traceroute.
>>
>> block on em0 inet proto udp to port 33433 >< 33626
>>
>> This appears to work, but couldn't traceroute be built to use other UDP
>> ports? Perhaps I should block all UDP ports, it is no big loss really.
>>
>> Is there anything else I should take into consideration when trying to
>> prevent a server from being discovered? The server will be behind a NAT
>> with only a LAN address.
>
> Tor is a TCP-only network. UDP will never work.
>
> Cheers.
>
> -- 
> Juan Francisco Cantero Hurtado
> http://juanfra.info
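A pf.conf that implements the design the thread converges on (Tor runs on the NAT box, the hidden-service host may reach nothing but the Tor SOCKS port, and all UDP, DNS included, is dropped so nothing can leak the box's address). This is an added example, not a configuration anyone posted in the thread; the interface name em0 comes from the original question, while the NAT box address 192.168.1.1, a Tor SocksPort of 9050 bound on that address, SSH on port 22, and a statically configured address on the box (default-deny also stops DHCP) are assumptions.

```pf
# Added example for the hidden-service host; addresses and ports are assumed,
# not taken from the thread. The box has a static address on em0.
ext_if   = "em0"
tor_host = "192.168.1.1"   # NAT box running Tor (assumed)
tor_socks = "9050"         # Tor SocksPort on the NAT box (assumed)

set skip on lo
set block-policy drop      # no TCP RST or ICMP unreachable back to a prober

# Default deny in both directions. Logged so that any attempt to leave the
# box through something other than Tor shows up on pflog0.
block log all

# The single permitted outbound path: TCP to Tor's SOCKS port on the NAT box.
# UDP (DNS, traceroute probes) and ICMP (ping) never match a pass rule.
pass out quick on $ext_if inet proto tcp from ($ext_if) to $tor_host port $tor_socks

# Inbound SSH only from the NAT/Tor box that fronts the hidden service.
pass in quick on $ext_if inet proto tcp from $tor_host to ($ext_if) port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for anything the box still tries to send.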