
Setting up a Secure Tor Relay with KVM virtualization

This document is designed to guide you through the process of setting up a secure Tor Relay using KVM virtualization.

This particular setup requires a second machine in the physical vicinity of the Tor relay, but it can be adapted to a single-machine setup.

This is what the setup will look like once we have finished:


                               +-----------+
                               |Host       |
                               |           |
                     +-------->|ssh    +   |
                     |         |       |   |
                     |         |  +----v--+|
 +-----+             |         |  |   ssh ||
 |     |             |   +-------->tor    ||
 | Box |             |   |DNAT |  |       ||
 |  A  +-------------+   |     |  |Guest  ||
 |     | cross cable     |     |  +-------+|
 |     |                 |     +-----------+
 +-----+                 +      BoxB

Ubuntu Linux

This guide is based on Ubuntu 12.04 LTS. It should work similarly for other distributions and/or versions.

(this guide is based on http://www.howtoforge.com/virtualization-with-kvm-on-ubuntu-12.04-lts)

Install KVM and vmbuilder

You must first make sure that your CPU supports virtualization (see the kvm-ok check below).

Install the required packages:

apt-get install ubuntu-virt-server python-vm-builder kvm-ipxe

Afterwards we must add the user we are currently logged in as (root) to the groups libvirtd and kvm:

adduser `id -un` libvirtd
adduser `id -un` kvm

You need to log out and log back in for the new group memberships to take effect.

To check if KVM has successfully been installed, run

virsh -c qemu:///system list

you should see something like this:

root@altro:~# virsh -c qemu:///system list
 Id Name                 State
----------------------------------

root@altro:~# 

To make sure that your system supports virtualization and that it is enabled in the BIOS, run

kvm-ok

You may need to enable it in the BIOS and/or load the kernel module with

modprobe kvm_intel

(Optional) If you want to use a bridged interface

Install bridge utils: apt-get install bridge-utils

Then configure your network devices:

vi /etc/network/interfaces

auto lo
auto eth0
auto eth1

iface lo inet loopback

iface eth0 inet static
        address 109.168.xx.xx
        netmask 255.255.255.kk
        network 109.168.xx.yy
        gateway 109.168.xx.zz

to something like this:

auto lo
auto eth0
auto eth1

iface lo inet loopback

iface eth0 inet manual

auto br0
iface br0 inet static
        address 109.168.xx.xx
        netmask 255.255.255.kk
        network 109.168.xx.yy
        gateway 109.168.xx.zz
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

Restart the network services:

/etc/init.d/networking restart

Creating the VM

Create the directory to store the VM:

mkdir /var/lib/libvirt/images/torda

mkdir -p /var/lib/libvirt/images/torda/mytemplates/libvirt

cp /etc/vmbuilder/libvirt/* /var/lib/libvirt/images/torda/mytemplates/libvirt/

Choose how to partition the drive:

vi /var/lib/libvirt/images/torda/vmbuilder.partition

We will choose a root of 8GB and a swap of 4GB:

root 8000
swap 4000

vi /var/lib/libvirt/images/torda/boot.sh

# This script will run the first time the virtual machine boots
# It is run as root.

# Expire the user account
passwd -e administrator

# Install openssh-server
apt-get update
apt-get install -q openssh-server

cd /var/lib/libvirt/images/torda/

If you have configured a bridge, run something like this:

vmbuilder kvm ubuntu --suite=precise --flavour=virtual --arch=amd64 --mirror=http://de.archive.ubuntu.com/ubuntu -o --libvirt=qemu:///system --ip=109.168.xx.xx --gw=109.168.xx.yy --part=vmbuilder.partition --templates=mytemplates --user=administrator --name=Administrator --pass=CHANGEMETORANDOMNESS --addpkg=vim-nox --addpkg=unattended-upgrades --addpkg=acpid --firstboot=/var/lib/libvirt/images/torda/boot.sh --mem=256 --hostname=vm1 --bridge=br0

Otherwise:

vmbuilder kvm ubuntu --suite=precise --flavour=virtual --arch=amd64 --mirror=http://de.archive.ubuntu.com/ubuntu -o --libvirt=qemu:///system --part=vmbuilder.partition --templates=mytemplates --user=administrator --name=Administrator --pass=CHANGEMETORANDOMNESS --addpkg=vim-nox --addpkg=unattended-upgrades --addpkg=acpid --firstboot=/var/lib/libvirt/images/torda/boot.sh --mem=256 --hostname=vm1

Be sure to change the --ip, --gw and --pass parameters.

Start the VM

You can now start the virtual machine with:

virsh

Then from the virsh prompt do:

start vm1

It should have ssh listening on port 22 and you should be able to log in with the password configured above.

Optional

To enable console access to the virtual machine edit to contain:

 <serial type='pty'>
   <target port='0'/>
 </serial>
 <console type='pty'>
   <target type='serial' port='0'/>
 </console>

The

apt-get install libguestfs-tools

To enable console on the guest machine edit /boot/grub/default with

virt-edit -d vm1 /boot/grub/default

http://wiki.libvirt.org/page/Error_%22internal_error_cannot_find_character_device%22_when_trying_to_connect_a_domain's_console

SSH tricks

We do not want the Tor relay to be reachable over SSH from the outside world, but we have another box that is physically connected to the server. This lets us make SSH listen only on the internal address and connect to the relay's SSH through that box.

[OTHER_BOX] <-- Cross cable ---> [Tor Relay]

If we want to use key files that are located on our own machine, we need to make ssh bounce through OTHER_BOX. This can be achieved with the ssh ProxyCommand option in the ssh client configuration, like so:

Host <tor_relay_internal_interface_ip>
    User root
    ProxyCommand ssh <OTHER_BOX> nc %h %p 2> /dev/null

Networking

Forward the ORPort from the host's external interface (eth0) to the guest (192.168.122.2) and save the rules:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport <OR_PORT> -j DNAT --to 192.168.122.2:<OR_PORT>
iptables -A INPUT -p tcp -m state --state NEW --dport <OR_PORT> -i eth0 -j ACCEPT
iptables-save > /etc/firewall.conf

vi /etc/network/if-up.d/iptables

#!/bin/sh
iptables-restore < /etc/firewall.conf

Then make the script executable:

chmod +x /etc/network/if-up.d/iptables
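Added check, not part of the original page: a POSIX sh function that reads a saved rule set like /etc/firewall.conf above and confirms the ORPort really reaches the guest. It assumes the guest sits on libvirt's default NAT network (virbr0, 192.168.122.0/24), whose own FORWARD chain rejects new inbound connections to guests; DNATed packets traverse FORWARD rather than INPUT, so an ACCEPT for the guest port must exist and be inserted (iptables -I FORWARD) ahead of that REJECT. OR_PORT 9001 and guest 192.168.122.2 in the sample dump are constructed values.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that a saved rule set in
# iptables-save format, e.g. /etc/firewall.conf above, forwards the ORPort
# to the guest. Assumes libvirt's default NAT network (virbr0), whose own
# FORWARD chain REJECTs new inbound traffic to guests: DNATed packets go
# through FORWARD (not INPUT), so an ACCEPT must exist and precede that REJECT.

# check_or_forwarding <rules-file> <or_port> <guest_ip>   -> 0 if OK, else 1
check_or_forwarding() {
    rules=$1; port=$2; guest=$3
    dnat="^-A PREROUTING .*--dport ${port} .*-j DNAT --to(-destination)? ${guest}:${port}"
    fwd="^-A FORWARD .*-d ${guest}(/32)? .*--dport ${port} .*-j ACCEPT"
    if ! grep -Eq "$dnat" "$rules"; then
        echo "missing nat PREROUTING DNAT to ${guest}:${port}" >&2; return 1
    fi
    if ! grep -Eq "$fwd" "$rules"; then
        echo "missing FORWARD ACCEPT for ${guest}:${port} (iptables -I FORWARD ...)" >&2; return 1
    fi
    # An ACCEPT placed after libvirt's REJECT on virbr0 is never reached.
    accept_at=$(grep -En "$fwd" "$rules" | head -n 1 | cut -d: -f1)
    reject_at=$(grep -En "^-A FORWARD -o virbr0 -j REJECT" "$rules" | head -n 1 | cut -d: -f1)
    if [ -n "$reject_at" ] && [ "$accept_at" -gt "$reject_at" ]; then
        echo "FORWARD ACCEPT comes after libvirt's REJECT; insert it with -I" >&2; return 1
    fi
    return 0
}

# Constructed dump (OR_PORT 9001 and guest 192.168.122.2 are made-up values)
# showing what a working /etc/firewall.conf contains, libvirt's rules included.
sample_rules_ok() {
    cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.122.2:9001
COMMIT
*filter
-A FORWARD -d 192.168.122.2/32 -o virbr0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Stand-alone run on the constructed dump
tmp=$(mktemp); sample_rules_ok > "$tmp"
check_or_forwarding "$tmp" 9001 192.168.122.2 && echo "ORPort forwarding rules look OK"
rm -f "$tmp"
```

On a real host, run the check against the output of iptables-save after the rules above have been loaded.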

Hardening

Install grsec kernel patches

The Ubuntu packages for the grsec kernel are very old, so it is best to compile it ourselves:

apt-get install kernel-package fakeroot build-essential ncurses-dev gcc-4.6-plugin-dev

For the 3.2 series:

wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.23.tar.bz2
wget http://grsecurity.net/stable/grsecurity-2.9.1-3.2.23-201207171624.patch
tar xvjpf linux-3.2.23.tar.bz2
cd linux-3.2.23

For the 2.6 series:

wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.59.tar.bz2
wget http://grsecurity.net/stable/grsecurity-2.9.1-2.6.32.59-201207161806.patch
tar xvjpf linux-2.6.32.59.tar.bz2
cd linux-2.6.32.59
cp /boot/config-`uname -r` .config
make oldconfig

Press Enter to accept the default for any option you are unsure about.

cp ../grsecurity-*.patch .
patch -p1 < grsecurity-*.patch
make menuconfig

Select Security Options -> Grsecurity -> Grsecurity

Select Configuration Method -> Automatic

Set:

Usage Type: Server

Virtualization type: Guest or Host

Virtualization Software: KVM

Required Priorities: Security

vi /etc/apt/sources.list

deb http://ubuntu.cr0.org/repo/ kernel-security/

Save the repository's PGP public key (the key block is not reproduced here) as kernel-security.asc, then:

apt-key add kernel-security.asc
apt-get update
apt-get install linux-image-grsec

Detection

apt-get install rkhunter
rkhunter --update

Email for reporting:

apt-get install ssmtp bsd-mailx

vi /etc/ssmtp/ssmtp.conf

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=XXXX@YYYY

# The place where the mail goes. The actual machine name is required; no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=XXXXXX

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=XXXXX

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES

vi /etc/default/rkhunter

Create encrypted storage for the guest

apt-get install cryptsetup-luks lvm2

# Encrypted KVM

http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaat%2Fliaatsecencryptexp.htm

http://blog.bodhizazen.net/linux/kvm-how-to-use-encrypted-images/

TODO

Links ahead:

# Performance

Adjust CPU core numbers available to KVM

Fine tune TCP stacks and Kernel following Torservers.net tuning tips

Adjust physical CPU frequency

# Hardening

http://www.andrewault.net/2010/05/17/securing-an-ubuntu-server/

https://help.ubuntu.com/community/StricterDefaults

https://wiki.ubuntu.com/AppArmor/

https://lists.torproject.org/pipermail/tor-talk/2012-February/023148.html (XXX: reply to this person on the ML)

# Monitoring/IDS

SNMP monitoring (to be documented)

MRTG for stats graphics and alerting (to be documented)

Monit for application keep-alive (TODO)

Maybe? http://oss.oetiker.ch/rrdtool/

http://sourceforge.net/projects/tripwire/

Resources

Virtualization related:

Monitoring:

Security related:

Last modified on Jul 25, 2012, 6:14:55 PM