Last active
January 25, 2021 18:43
-
-
Save hellresistor/10d5334e17f7bd24d2d5eb6ed59c8b05 to your computer and use it in GitHub Desktop.
Install & Configure TOR Bridge Relay Exitnode on Debian/Ubuntu servers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # HellRezistor | |
| # Setting TOR as a Bridge, Relay, Exit Node | |
| # V2.3 | |
| # Hellgarve Resistence Crew | |
| # Donate Bitcoin: 13Gr4JiWQBnhCs6AdUNapdfHVu3tG9G6zL | |
| # Donate Bitcanna: B73RRFVtndfPRNSgSQg34yqz4e9eWyKRSv | |
| ## | |
| # Pre-Requirements: ufw OR iptables, fail2ban | |
| # | |
| # https://community.torproject.org/relay/setup/ | |
| # https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy | |
| myapt(){ | |
| apt-get install -y apt-transport-https | |
| if ! grep -q "https://deb.torproject.org/torproject.org" /etc/apt/sources.list; then | |
| echo "== Adding the official Tor repository" | |
| echo "deb https://deb.torproject.org/torproject.org $(lsb_release -cs) main" >> /etc/apt/sources.list | |
| wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import | |
| gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - | |
| apt-get update | |
| fi | |
| echo "== Installing Tor and related packages" | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| apt install -y deb.torproject.org-keyring tor tor-arm tor-geoipdb | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| apt install -y tor | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| apt install -y tor | |
| fi | |
| sleep 2 | |
| systemctl stop tor | |
| } | |
| mybridge(){ | |
| echo "## Configuring TORRC file ... ##" | |
| cp --preserve /etc/tor/torrc /etc/tor/torrc.bck | |
| cat <<EOF> /etc/tor/torrc | |
| Log notice file /var/log/tor/notices.log | |
| #Log debug file /var/log/tor/debug.log | |
| DataDirectory /var/lib/tor | |
| RunAsDaemon 1 | |
| ORPort 9090 | |
| #DirPort 9030 | |
| RelayBandwidthRate 30 MBytes | |
| RelayBandwidthBurst 100 MBytes | |
| #AccountingMax 32 GB | |
| #AccountingStart day 00:00 | |
| SocksPort 0 | |
| SocksPolicy reject * | |
| ExitPolicy reject *:* | |
| ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy | |
| ServerTransportListenAddr obfs4 0.0.0.0:9095 | |
| ExtORPort auto | |
| Nickname $MYNICK | |
| ContactInfo $MYEMAIL | |
| BridgeRelay 1 | |
| EOF | |
| sed -i '/^NoNewPrivileges=yes/c\NoNewPrivileges=no' /lib/systemd/system/[email protected] | |
| sed -i '/^NoNewPrivileges=yes/c\NoNewPrivileges=no' /lib/systemd/system/[email protected] | |
| } | |
| mytrelay(){ | |
| echo "## Configuring TORRC file ... ##" | |
| cp --preserve /etc/tor/torrc /etc/tor/torrc.bck | |
| cat <<EOF> /etc/tor/torrc | |
| Log notice file /var/log/tor/notices.log | |
| #Log debug file /var/log/tor/debug.log | |
| DataDirectory /var/lib/tor | |
| RunAsDaemon 1 | |
| ORPort 443 | |
| ExitRelay 0 | |
| SocksPort 0 | |
| ControlSocket 0 | |
| Nickname $MYNICK | |
| ContactInfo $MYEMAIL | |
| EOF | |
| } | |
| mytexit(){ | |
| echo "## Configuring TORRC file ... ##" | |
| cp --preserve /etc/tor/torrc /etc/tor/torrc.bck | |
| cat <<EOF> /etc/tor/torrc | |
| Log notice file /var/log/tor/notices.log | |
| #Log debug file /var/log/tor/debug.log | |
| DataDirectory /var/lib/tor | |
| RunAsDaemon 1 | |
| ORPort 443 | |
| #ORPort $MYIPV6:9001 | |
| SocksPort 0 | |
| ControlSocket 0 | |
| Nickname $MYNICK | |
| ContactInfo $MYEMAIL | |
| DirPort 80 | |
| DirPortFrontPage /path/to/html/file | |
| ExitRelay 1 | |
| #IPv6Exit 1 | |
| ExitPolicy accept *:$SSHPORT # SSH | |
| ExitPolicy accept *:80-81 # HTTP | |
| ExitPolicy accept *:443 # HTTPS | |
| ExitPolicy accept *:853 # DNS over TLS | |
| ExitPolicy accept *:1194 # OpenVPN | |
| ExitPolicy accept *:8080 # HTTP Proxies | |
| ExitPolicy accept *:8443 # PCsync HTTPS | |
| ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE | |
| ExitPolicy accept *:10000 # Network Data Management Protocol | |
| ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) | |
| ExitPolicy reject *:* | |
| EOF | |
| } | |
| mybck(){ | |
| echo "BackingUp Tor Fingerprints and KEYS" | |
| chmod 400 /root/BCK/FamilyADDkey.info | |
| cp -R /var/lib/tor/keys /root/BCK/keys | |
| chmod 400 -R /root/BCK/keys | |
| echo "PUT THIS IN SAFE LOCATION ... USB .. DISKETE o que quizeres..." && sleep 2 | |
| } | |
| myautoapt(){ | |
| ## updates | |
| apt-get install -y unattended-upgrades apt-listchanges | |
| cat <<EOF> /etc/apt/apt.conf.d/20auto-upgrades | |
| APT::Periodic::Update-Package-Lists "1"; | |
| APT::Periodic::AutocleanInterval "5"; | |
| APT::Periodic::Unattended-Upgrade "1"; | |
| APT::Periodic::Verbose "1"; | |
| EOF | |
| service unattended-upgrades restart | |
| } | |
| myfw(){ | |
| read -r -p "You use (U)FW or (I)PTABLES? U/I" OPTFW | |
| if [[ "$OPTFW" == "u" ]] || [[ "$OPTFW" == "U" ]]; then | |
| echo "== Configuring UFW firewall rules" | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| ufw allow 9090/tcp | |
| ufw allow 9050/tcp | |
| #ufw allow 9030/tcp | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| ufw allow 443/tcp | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| ufw allow 443/tcp | |
| ufw allow 80/tcp | |
| fi | |
| elif [[ "$OPTFW" == "i" ]] || [[ "$OPTFW" == "I" ]]; then | |
| echo "== Configuring IPtables firewall rules" | |
| apt-get install -y debconf-utils | |
| echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections | |
| echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections | |
| apt-get install -y iptables iptables-persistent | |
| cp --preserve /etc/iptables/rules.v4 /etc/iptables/rules.v4.bck | |
| cat<<EOF> /etc/iptables/rules.v4 | |
| *filter | |
| :INPUT DROP [0:0] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :fail2ban-ssh - | |
| ## Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| ## allow incoming SSH | |
| -A INPUT -p tcp --dport $SSHPORT -j ACCEPT | |
| EOF | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| echo "-A INPUT -p tcp --dport 9090 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| echo "-A INPUT -p tcp --dport 9050 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| #echo "-A INPUT -p tcp --dport 9030 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| echo "-A INPUT -p tcp --dport 80 -j ACCEPT" >> /etc/iptables/rules.v4 | |
| fi | |
| cat<<EOF>> /etc/iptables/rules.v4 | |
| ## ratelimit ICMP echo, allow all others | |
| -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT | |
| -A INPUT -p icmp --icmp-type echo-request -j DROP | |
| -A INPUT -p icmp -j ACCEPT | |
| ## to log denied packets uncomment this line | |
| -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -m state --state INVALID -j DROP | |
| -A fail2ban-ssh -j RETURN | |
| COMMIT | |
| EOF | |
| cp --preserve /etc/iptables/rules.v6 /etc/iptables/rules.v6.bck | |
| cat<<EOF> /etc/iptables/rules.v6 | |
| *filter | |
| :INPUT DROP [0:0] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| ## Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 | |
| -A INPUT -i lo -j ACCEPT | |
| ## allow incoming SSH | |
| -A INPUT -p tcp --dport $SSHPORT -j ACCEPT | |
| EOF | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| echo "-A INPUT -p tcp --dport 9090 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| echo "-A INPUT -p tcp --dport 9050 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| #echo "-A INPUT -p tcp --dport 9030 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| echo "-A INPUT -p tcp --dport 80 -j ACCEPT" >> /etc/iptables/rules.v6 | |
| fi | |
| cat<<EOF>> /etc/iptables/rules.v6 | |
| ## ratelimit ICMP echo, allow all others | |
| -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT | |
| -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP | |
| -A INPUT -p ipv6-icmp -j ACCEPT | |
| ## to log denied packets uncomment this line | |
| -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -m state --state INVALID -j DROP | |
| COMMIT | |
| EOF | |
| chmod 600 /etc/iptables/rules.v4 | |
| chmod 600 /etc/iptables/rules.v6 | |
| iptables-restore < /etc/iptables/rules.v4 | |
| ip6tables-restore < /etc/iptables/rules.v6 | |
| else | |
| echo "wrong option" && mysec | |
| fi | |
| } | |
| mymon(){ | |
| apt-get install -y monit | |
| cat<<EOF> /etc/monit/conf.d/tor-relay.conf | |
| check process tor with pidfile "/var/run/tor/tor.pid" | |
| start program = "/etc/init.d/tor start" | |
| stop program = "/etc/init.d/tor stop" | |
| check process fail2ban with pidfile "/var/run/fail2ban/fail2ban.pid" | |
| start program = "/etc/init.d/fail2ban start" | |
| stop program = "/etc/init.d/fail2ban stop" | |
| check process unbound with pidfile "/var/run/unbound.pid" | |
| start program = "/etc/init.d/unbound start" | |
| stop program = "/etc/init.d/unbound stop" | |
| EOF | |
| service monit restart | |
| echo "### Setting Unbound DNS Resolver ###" | |
| apt install -y unbound | |
| cp --preserve /etc/resolv.conf /etc/resolv.conf.bck | |
| echo "nameserver 127.0.0.1" > /etc/resolv.conf | |
| chattr +i /etc/resolv.conf | |
| ## install apparmor | |
| echo "### Setting AppArmor and Fail2Ban ###" | |
| apt-get install -y ntp apparmor apparmor-profiles apparmor-utils fail2ban | |
| sed -i.bck 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 apparmor=1 security=apparmor"/' /etc/default/grub | |
| update-grub | |
| } | |
| getfamkeys(){ | |
| while [ ! -f /var/lib/tor/fingerprint ] | |
| do | |
| echo "Please wait... Generating Fingerprint" | |
| sleep 5 | |
| done | |
| read -r -p "############################## | |
| ## Have Family keys to add? ## | |
| ############################## | |
| (Y/N) | |
| " HAVEKEYS | |
| if [[ "$HAVEKEYS" == "y" ]] || [[ "$HAVEKEYS" == "Y" ]]; then | |
| MYKEY=$(grep "$MYNICK " /var/lib/tor/fingerprint | awk '{print $2}' | sed -e 's/\"//g') | |
| if grep -wq "MyFamily" /etc/tor/torrc; then | |
| read -r -p "Paste here a Key fingerprint: " MYKEY | |
| sed -i "s/^MyFamily .*/&,$MYKEY/" /etc/tor/torrc | |
| echo "$MYKEY" >> /root/BCK/FamilyADDkey.info | |
| getfamkeys | |
| else | |
| echo " Getting My Key..." && sleep 2 | |
| echo "MyFamily $MYKEY" >> /etc/tor/torrc | |
| echo "$MYKEY" >> /root/BCK/FamilyADDkey.info | |
| echo "$MYKEY <-- Added to My Family." | |
| echo "Please add other Fingerprint Key of other tor node family!" && sleep 2 | |
| getfamkeys | |
| fi | |
| elif [[ "$HAVEKEYS" == "n" ]] || [[ "$HAVEKEYS" == "N" ]]; then | |
| echo "No Keys to ADD... will Continue.." && sleep 1 | |
| echo "$MYKEY" >> /root/BCK/FamilyADDkey.info | |
| else | |
| echo "wrong option" && getfamkeys | |
| fi | |
| } | |
| mytor(){ | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| mybridge | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| mytrelay | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| mytexit | |
| fi | |
| echo "Restarting Tor to LAST Configurations.." | |
| systemctl daemon-reload | |
| systemctl restart tor@default | |
| getfamkeys | |
| } | |
| rest(){ | |
| read -r -p "What you want? | |
| 1- New Tor Node (Install and Configure TOR) | |
| 2- Restore (Older Tor Settings) =====WORKIN ON THIS ======" OPTTR | |
| if [[ "$OPTTR" == "1" ]]; then | |
| getinf | |
| myapt | |
| myautoapt | |
| myfw | |
| mymon | |
| mytor | |
| elif [[ "$OPTTR" == "2" ]]; then | |
| myapt | |
| myautoapt | |
| myfw | |
| mymon | |
| else | |
| echo "wrong option" && rest | |
| fi | |
| } | |
| getinf(){ | |
| SSHPORT=$(grep "Port " /etc/ssh/sshd_config | awk '{print $2}' | sed -e 's/\"//g') | |
| OPTTOR="dummy" | |
| read -r -p "What is your ContactInfo (email/BTC):" MYEMAIL | |
| read -r -p "What is your Nickname:" MYNICK | |
| while [[ "$OPTTOR" -ne "1" && "$OPTTOR" -ne "2" && "$OPTTOR" -ne "3" ]];do | |
| read -r -p "What Type of TOR you want? | |
| 1- Bridge | |
| 2- Midle/Guard Relay | |
| 3- Exit Node # WORKING ON THIS # | |
| : " OPTTOR | |
| done | |
| } | |
| torfinish(){ | |
| echo "Installation and Configuration | |
| of Tor Completed!" && sleep 1 | |
| if [[ "$OPTTOR" == "1" ]]; then | |
| systemctl restart tor | |
| elif [[ "$OPTTOR" == "2" ]]; then | |
| systemctl restart tor@default | |
| elif [[ "$OPTTOR" == "3" ]]; then | |
| systemctl restart tor@default | |
| fi | |
| sleep 5 && clear | |
| mybck | |
| echo "BOA!! CONSEGUISTE!!! Já tens um TOR NODE A BOMBARI!!!!!" | |
| sleep 2 | |
| echo "ENJOY ;) " | |
| } | |
| [ -d /root/BCK ] || mkdir -p /root/BCK | |
| rest | |
| torfinish |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment