From d4a9838cd8136ff0547b4e1ec2f107b0295f32a0 Mon Sep 17 00:00:00 2001 From: boldsuck Date: Fri, 2 Aug 2024 14:27:10 +0200 Subject: [PATCH] update documentation and config for external tor w/ pow defense Co-authored-by: shortwavesurfer2009 <116814522+shortwavesurfer2009@users.noreply.github.com> Co-authored-by: fa2a5qj3 <174058787+fa2a5qj3@users.noreply.github.com> Co-authored-by: preland --- docs/deployment-guide.md | 43 +++++ scripts/deployment/haveno-seednode.service | 2 + scripts/deployment/haveno-seednode2.service | 6 +- seednode/haveno-seednode.service | 4 +- seednode/torrc | 165 ++++++++++++++++++-- 5 files changed, 203 insertions(+), 17 deletions(-) diff --git a/docs/deployment-guide.md b/docs/deployment-guide.md index 97aaf046de..a09ea8050b 100644 --- a/docs/deployment-guide.md +++ b/docs/deployment-guide.md @@ -79,6 +79,11 @@ Customize and deploy haveno-pricenode.env and haveno-pricenode.service to run as ## Add seed nodes +### Seed nodes without Proof of Work (PoW) + +> [!note] +> Using PoW is suggested. See next section for PoW setup. + For each seed node: 1. [Build the Haveno repository](#fork-and-build-haveno). 
@@ -90,6 +95,44 @@ For each seed node: 7. Add the `.onion` address to `core/src/main/resources/xmr_.seednodes` along with the port specified in the haveno-seednode.service file(s) `(ex: example.onion:1002)`. Be careful to record full addresses correctly. 8. Update all seed nodes, arbitrators, and user applications for the change to take effect. +### Seed nodes with Proof of Work (PoW) + +> [!note] +> These instructions were written for Ubuntu with an Intel/AMD 64-bit CPU so changes may be needed for your distribution. + +### Install Tor + +Source: [Tor Project Support](https://support.torproject.org/apt/) + +1. Verify architecture `sudo dpkg --print-architecture`. +2. Create sources.list file `sudo nano /etc/apt/sources.list.d/tor.list`. +3. Paste `deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org main`. +4. Paste `deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org main`. +> [!note] +> Replace `` with your system codename such as "jammy" for Ubuntu 22.04. +5. Press Ctrl+X, then "y", then the enter key. +6. Add the gpg key used to sign the packages `sudo wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null`. +7. Update repositories `sudo apt update`. +8. Install tor and tor debian keyring `sudo apt install tor deb.torproject.org-keyring`. +9. Replace torrc `sudo mv /etc/tor/torrc /etc/tor/torrc.default` then `sudo cp seednode/torrc /etc/tor/torrc`. +10. stop tor `sudo systemctl stop tor`. + +For each seed node: + +1. [Build the Haveno repository](#fork-and-build-haveno). +2. [Start a local Monero node](#start-a-local-monero-node). +3. Run `sudo cat /var/lib/tor/haveno_seednode/hostname` and note down the .onion for the next step & step 10. +4. 
Modify `./scripts/deployment/haveno-seednode.service` and `./scripts/deployment/haveno-seednode2.service` as needed. +5. Copy `./scripts/deployment/haveno-seednode.service` to `/etc/systemd/system` (if you are the very first seed in a new network also copy `./scripts/deployment/haveno-seednode2.service` to `/etc/systemd/system`). +6. Add user to tor group `sudo usermod -aG debian-tor `. +> [!note] +> Replace `` above with the user that will be running the seed node (step 6 above & step 4) +7. Disconnect and reconnect SSH session or logout and back in. +8. Run `sudo systemctl start tor`. +9. Run `sudo systemctl start haveno-seednode` to start the seednode and also run `sudo systemctl start haveno-seednode2` if you are the very first seed in a new network and coppied haveno-seednode2.service to your systemd folder. +10. Add the `.onion` address from step 3 to `core/src/main/resources/xmr_.seednodes` along with the port specified in the haveno-seednode.service file(s) `(ex: example.onion:2002)`. Be careful to record full addresses correctly. +11. Update all seed nodes, arbitrators, and user applications for the change to take effect. + Customize and deploy haveno-seednode.service to run a seed node as a system service. Each seed node requires a locally running Monero node. You can use the default port or configure it manually with `--xmrNode`, `--xmrNodeUsername`, and `--xmrNodePassword`. diff --git a/scripts/deployment/haveno-seednode.service b/scripts/deployment/haveno-seednode.service index fdb325696f..113e746609 100644 --- a/scripts/deployment/haveno-seednode.service +++ b/scripts/deployment/haveno-seednode.service 
@@ -10,6 +10,8 @@ SyslogIdentifier=Haveno-Seednode ExecStart=/bin/sh /home/haveno/haveno/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\ --useLocalhostForP2P=false\ --useDevPrivilegeKeys=false\ +# Uncomment the following line to use external tor +# --hiddenServiceAddress=example.onion\ --nodePort=2002\ --appName=haveno-XMR_STAGENET_Seed_2002\ # --logLevel=trace\ diff --git a/scripts/deployment/haveno-seednode2.service b/scripts/deployment/haveno-seednode2.service index 7b6c139a99..d2604c1c06 100644 --- a/scripts/deployment/haveno-seednode2.service +++ b/scripts/deployment/haveno-seednode2.service @@ -10,8 +10,10 @@ SyslogIdentifier=Haveno-Seednode2 ExecStart=/bin/sh /home/haveno/haveno/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\ --useLocalhostForP2P=false\ --useDevPrivilegeKeys=false\ - --nodePort=3003\ - --appName=haveno-XMR_STAGENET_Seed_3003\ +# Uncomment the following line to use external tor +# --hiddenServiceAddress=example.onion\ + --nodePort=2003\ + --appName=haveno-XMR_STAGENET_Seed_2003\ # --logLevel=trace\ --xmrNode=http://[::1]:38088\ --xmrNodeUsername=admin\ diff --git a/seednode/haveno-seednode.service b/seednode/haveno-seednode.service index d67c8baf1a..448a36e1a8 100644 --- a/seednode/haveno-seednode.service +++ b/seednode/haveno-seednode.service @@ -11,8 +11,10 @@ SyslogIdentifier=Haveno-Seednode ExecStart=/bin/sh $PATH/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\ --useLocalhostForP2P=false\ --useDevPrivilegeKeys=false\ +# Uncomment the following line to use external tor +# --hiddenServiceAddress=example.onion\ --nodePort=2002\ - --appName=haveno-XMR_STAGENET_Seed_2002 + --appName=haveno-XMR_STAGENET_Seed_2002\ --xmrNode=http://[::1]:38088 ExecStop=/bin/kill ${MAINPID} ; sleep 5 diff --git a/seednode/torrc b/seednode/torrc index 1a9d20ee98..d90b011111 100644 --- a/seednode/torrc +++ b/seednode/torrc 
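Review bot: The `# --hiddenServiceAddress=example.onion\` placeholder added in the middle of ExecStart is identical in scripts/deployment/haveno-seednode.service, scripts/deployment/haveno-seednode2.service and seednode/haveno-seednode.service, although the torrc in this same patch defines two distinct onion services (HiddenServiceDir haveno_seednode and haveno_seednode2), so an operator following the "Uncomment the following line" hint can easily start the second node with the first node's address. Suggest naming the source in each unit, e.g. `# --hiddenServiceAddress=<contents of /var/lib/tor/haveno_seednode2/hostname>\` in haveno-seednode2.service and the haveno_seednode hostname file in the other two. Placing comment lines inside a backslash-continued ExecStart relies on systemd dropping comment lines from a continuation; the existing `# --logLevel=trace\` already does the same, so this is presumably fine on the targeted systemd, but a one-line comment saying so would save the next reader from wondering whether the continuation breaks. The ExecStart lines continue past the end of each hunk.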
@@ -1,18 +1,155 @@ -RunAsDaemon 1 -SOCKSPort 9050 -ControlPort 9051 -Log notice syslog +## Configuration file for Haveno Seednode +## +## To start/reload/etc this instance, run "systemctl start tor" (or reload, or..). +## This instance will run as user debian-tor; its data directory is /var/lib/tor. +## +## This file is configured via: +## /usr/share/tor/tor-service-defaults-torrc +## +## See 'man tor', for more options you can use in this file. -CookieAuthentication 0 -CookieAuthFileGroupReadable 1 -DataDirectoryGroupReadable 1 +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +# ### SocksPort flag: OnionTrafficOnly ### +## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection. +## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic. +# ### SocksPort flag: ExtendedErrors ### +## Return extended error code in the SOCKS reply. So far, the possible errors are: +# X'F0' Onion Service Descriptor Can Not be Found +# X'F1' Onion Service Descriptor Is Invalid +# X'F2' Onion Service Introduction Failed +# X'F3' Onion Service Rendezvous Failed +# X'F4' Onion Service Missing Client Authorization +# X'F5' Onion Service Wrong Client Authorization +# X'F6' Onion Service Invalid Address +# X'F7' Onion Service Introduction Timed Out +SocksPort 9050 OnionTrafficOnly ExtendedErrors -SafeSocks 0 -HiddenServiceStatistics 0 +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. 
+SocksPolicy accept 127.0.0.1 +SocksPolicy accept6 [::1] +SocksPolicy reject * + +## Tor will reject application connections that use unsafe variants of the socks protocol +## — ones that only provide an IP address, meaning the application is doing a DNS resolve first. +## Specifically, these are socks4 and socks5 when not doing remote DNS. (Default: 0) +#SafeSocks 1 + +## Tor will make a notice-level log entry for each connection to the Socks port indicating +## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks). +## This helps to determine whether an application using Tor is possibly leaking DNS requests. (Default: 0) +TestSocks 1 + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles (This is default) +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +# Try to write to disk less frequently than we would otherwise. This is useful when running on flash memory. AvoidDiskWrites 1 -#MaxClientCircuitsPending 64 -#KeepalivePeriod 2 -#CircuitBuildTimeout 5 -#NewCircuitPeriod 15 -#NumEntryGuards 8 +## TODO: This option has no effect. Bisq/Haveno is tor client &/or hidden service. 'man torrc': +## Relays and bridges only. When this option is enabled, a Tor relay writes obfuscated statistics on its +## role as hidden-service directory, introduction point, or rendezvous point to disk every 24 hours. 
+## If ExtraInfoStatistics is enabled, it will be published as part of the extra-info document. (Default: 1)
+HiddenServiceStatistics 0
+
+## NOTE: In order to use the ControlPort, the must belong to the tor group.
+## sudo usermod -aG debian-tor
+##
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+##
+## Compute the hash of a password with "tor --hash-password password".
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+CookieAuthentication 0 # (Default: 1)
+
+## MetricsPort provides an interface to the underlying Tor relay metrics.
+## Exposing publicly is dangerous, set a very strict access policy.
+## Retrieve the metrics with: curl http://127.0.0.1:9035/metrics
+MetricsPort 127.0.0.1:9035
+MetricsPortPolicy accept 127.0.0.1
+MetricsPortPolicy accept [::1]
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people. e.g.: 'sudo cat /var/lib/tor/haveno_seednode/hostname'
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+##
+## If you plan to keep your service available for a long time, you might want to make a backup copy
+## of the private_key file or complete folder /var/lib/tor/hidden_service somewhere.
+
+#### Haveno seednode incoming anonymity connections ###
+HiddenServiceDir /var/lib/tor/haveno_seednode
+HiddenServicePort 2002 127.0.0.1:2002
+HiddenServicePort 2002 [::1]:2002
+
+## NOTE: HiddenService options are per onion service
+## https://community.torproject.org/onion-services/advanced/dos/
+##
+## Rate limiting at the Introduction Points
+## Intropoint protections prevents onion service DoS from becoming a DoS for the entire machine and its guard.
+HiddenServiceEnableIntroDoSDefense 1
+#HiddenServiceEnableIntroDoSRatePerSec 25 # (Default: 25)
+#HiddenServiceEnableIntroDoSBurstPerSec 200 # (Default: 200)
+
+# Number of introduction points the hidden service will have. You can’t have more than 20.
+#HiddenServiceNumIntroductionPoints 3 # (Default: 3)
+
+## https://tpo.pages.torproject.net/onion-services/ecosystem/technology/pow/#configuring-an-onion-service-with-the-pow-protection
+## Proof of Work (PoW) before establishing Rendezvous Circuits
+## The lower the queue and burst rates, the higher the puzzle effort tends to be for users.
+HiddenServicePoWDefensesEnabled 1
+HiddenServicePoWQueueRate 200 # (Default: 250)
+HiddenServicePoWQueueBurst 1000 # (Default: 2500)
+
+## Stream limits in the established Rendezvous Circuits
+## The maximum number of simultaneous streams (connections) per rendezvous circuit. The max value allowed is 65535. (0 = unlimited)
+HiddenServiceMaxStreams 25
+#HiddenServiceMaxStreamsCloseCircuit 1
+
+#### Haveno seednode2 incoming anonymity connections ###
+HiddenServiceDir /var/lib/tor/haveno_seednode2
+HiddenServicePort 2003 127.0.0.1:2003
+HiddenServicePort 2003 [::1]:2003
+
+HiddenServiceEnableIntroDoSDefense 1
+#HiddenServiceEnableIntroDoSRatePerSec 25 # (Default: 25)
+#HiddenServiceEnableIntroDoSBurstPerSec 200 # (Default: 200)
+#HiddenServiceNumIntroductionPoints 3 # (Default: 3)
+
+HiddenServicePoWDefensesEnabled 1
+HiddenServicePoWQueueRate 200 # (Default: 250)
+HiddenServicePoWQueueBurst 1000 # (Default: 2500)
+
+HiddenServiceMaxStreams 25
+#HiddenServiceMaxStreamsCloseCircuit 1
+
+#####################################################################
+
+LongLivedPorts 2002,2003
+## Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300
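Review bot: `CookieAuthentication 0 # (Default: 1)` in the ControlPort block undercuts the NOTE a few lines above it, which tells operators to join the debian-tor group in order to use the ControlPort — that group membership only has an effect with cookie authentication, and with cookie auth explicitly off anyone who later uncomments `ControlPort 9051` gets a control port that accepts unauthenticated connections from every local process (Tor only logs a warning in that case). The deleted `CookieAuthFileGroupReadable 1` is gone as well; setting `CookieAuthentication 1` together with `CookieAuthFileGroupReadable 1` keeps the port protected by default should it ever be enabled, and makes the group-membership step meaningful. Separately, both onion services map the same virtual port to two targets (`HiddenServicePort 2002 127.0.0.1:2002` and `HiddenServicePort 2002 [::1]:2002`); as far as I recall Tor picks one of the duplicate targets per incoming connection, so if the seednode listens on only one loopback address a share of rendezvous connections will fail — a comment stating that the seednode must listen on both addresses, or dropping the unused target, would make this explicit.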