Tor Port Scanning Resistance How-To

Last Updated: December 2009

Contact: Shane dot M dot Pope @ gmail
Thesis/Overview: Tor-Port-Scanning-Resistance.pdf
Note: My server isn't currently up for testing. I plan on setting up a VM with the Apache server running it.
Known Bugs: Connecting too many times to the server causes an infinite loop because it keeps trying to read packets, but the read returns 0 bytes and it repeats. I haven't fixed this. If you try to connect 20 times simultaneously, it generally happens.

Client setup (Tor client + local java proxy)



Download and run the local client proxy and leave it open in a console.

Source: SRTorClientProxy.java
(Note: the bridge address is currently hardcoded to my IP; change it in the source before building for local testing.)
Build and run: javac SRTorClientProxy.java && java SRTorClientProxy


Tor Setup (Vidalia below)
If running Tor directly (not Vidalia), add these to the bottom of your torrc file, usually located at /etc/tor/torrc and sometimes /usr/local/etc/tor/torrc:
ClientOnly 1
UseBridges 1
Bridge 127.0.0.1:12312 A467FC8134537FC13C2D6DC2E0071A4974577E64
This makes Tor treat my SR bridge's fingerprint as a bridge, but with the local Java proxy's address as the ip:port, so the Tor client connects to the proxy on 127.0.0.1:12312 and the proxy carries the traffic to the real bridge.
(That fingerprint is wrong; I will update it when I set up my VM. Set it to your fingerprint for testing.) The port MUST be the same as the remote port (the bridge's ORPort, 12312 here) due to some stuff in the Tor server; this is hackery that will be fixed if this is implemented into


Vidalia Setup
Go into Vidalia's Network settings and check the option that says your ISP blocks connections to the Tor network ("My ISP blocks connections to the Tor network").
Add the following as a bridge:
127.0.0.1:12312 A467FC8134537FC13C2D6DC2E0071A4974577E64


Trouble-shooting:
If the Tor client says "No live bridge descriptors." or Vidalia cannot connect to Tor, Tor may have marked the SR bridge as unreachable, probably because the Java proxy above was not running when you started the Tor client. Stop Tor first (it rewrites its state file on shutdown, so deleting it while Tor is running does not help), then delete the state and cached-* files in ~/.tor:
rm ~/.tor/state && rm ~/.tor/cache*



Server Setup

Tor Setup

Add these lines to your torrc (found in /etc/tor on Ubuntu):


# Works around a bug where the SR client tries to connect to this server's IP
# instead of its own local proxy... Probably breaks things elsewhere.
Address 127.0.0.1
# Listen only on localhost; connections arrive via Apache (mod_tor), never directly
ORListenAddress 127.0.0.1
# Listen on 12312 (must match ModTorPort in the Apache config and the port in the client's Bridge line)
ORPort 12312

# Act as a bridge, don't publish a descriptor, and don't be an exit node
BridgeRelay 1
PublishServerDescriptor 0
ExitPolicy reject *:*

Apache Setup

Set up Apache with SSL support (TODO: I'm going to write up how to set this up as I do it on my VM.)

Download mod_tor.c from http://code.google.com/p/scanresisttor/source/browse/mod_tor/src/mod_tor.c (that link opens the source browser, not a raw .c file; save the file contents as mod_tor.c).

To build, install and activate the module, then restart Apache:
sudo apxs2 -i -a -c mod_tor.c && sudo /etc/init.d/apache2 restart

Add the following to /etc/apache2/httpd (apxs2 -a above may already have inserted a LoadModule line for the module; if so, don't add a second one, or Apache will warn that the module is already loaded):


LoadModule tor_module /usr/lib/apache2/modules/mod_tor.so
ModTorPassword "password=pancake"
ModTorPort 12312
<Location /tor>
     SetHandler tor
</Location>


Note 1: Change the password to anything; "password=pancake" above is only a sample value.
Note 2: Put the Location on a sub-path. If you use / instead of /tor, the tor handler takes over the whole site: instead of serving index.html, Apache will say page not found.
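The three fragments on this page (the client's Bridge line, the bridge's torrc, and the Apache stanza) have to agree with each other: the Bridge port, ORPort and ModTorPort must be identical, the ORPort must listen only on 127.0.0.1, the handler must sit on a sub-path, and the sample password must be replaced. The script below checks those constraints. It is an added example, not part of the scanresisttor project; the config fragments embedded in it are the page's own samples, the directive parsing is a minimal approximation rather than a full torrc or Apache parser, and check() and the other function names are assumptions.

```python
# Added consistency check for the three config fragments on this page (client
# torrc, bridge torrc, Apache mod_tor stanza); not part of the project's code.
# The sample fragments are the page's own values.
import re

CLIENT_TORRC = """\
ClientOnly 1
UseBridges 1
Bridge 127.0.0.1:12312 A467FC8134537FC13C2D6DC2E0071A4974577E64
"""
SERVER_TORRC = """\
Address 127.0.0.1
#Listen only to local host, we'll get connections from apache
ORListenAddress 127.0.0.1
ORPort 12312
BridgeRelay 1
PublishServerDescriptor 0
ExitPolicy reject *:*
"""
APACHE_CONF = """\
LoadModule tor_module /usr/lib/apache2/modules/mod_tor.so
ModTorPassword "password=pancake"
ModTorPort 12312
<Location /tor>
     SetHandler tor
</Location>
"""
SAMPLE_PASSWORD = "password=pancake"  # the page's placeholder; never deploy it

def parse_torrc(text):
    """torrc is 'Key value' per line, '#' starts a comment; returns {key: [values]}."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts

def parse_apache(text):
    """Minimal parser: top-level directives plus <Location> blocks, quotes stripped."""
    conf, current = {"locations": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<Location\s+(\S+)\s*>", line)
        if m:
            current = m.group(1)
            conf["locations"][current] = {}
        elif line == "</Location>":
            current = None
        else:
            key, _, value = line.partition(" ")
            (conf["locations"][current] if current else conf)[key] = value.strip().strip('"')
    return conf

def check(client_torrc, server_torrc, apache_conf):
    """Return a list of findings; an empty list means the three fragments agree."""
    c, s, a = parse_torrc(client_torrc), parse_torrc(server_torrc), parse_apache(apache_conf)
    out = []
    # Client: bridge mode, Bridge line pointing at the local Java proxy with a real fingerprint.
    for key in ("ClientOnly", "UseBridges"):
        if c.get(key) != ["1"]:
            out.append(f"client: '{key} 1' missing")
    client_port = None
    for bridge in c.get("Bridge", []):
        parts = bridge.split()
        host, _, client_port = parts[0].rpartition(":")
        if host != "127.0.0.1":
            out.append(f"client: Bridge {parts[0]} must be the local proxy, not the bridge's real IP")
        if len(parts) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{40}", parts[1]):
            out.append("client: Bridge line needs the bridge's 40-hex-digit fingerprint")
    if client_port is None:
        out.append("client: no Bridge line")
    # Server: ORPort reachable only via Apache, bridge mode, unpublished, no exit traffic.
    if s.get("ORListenAddress") != ["127.0.0.1"]:
        out.append("server: ORListenAddress must be 127.0.0.1 so only Apache can reach the ORPort")
    for key, want in (("BridgeRelay", "1"), ("PublishServerDescriptor", "0"), ("ExitPolicy", "reject *:*")):
        if s.get(key) != [want]:
            out.append(f"server: expected '{key} {want}'")
    # The page's hard constraint: client Bridge port, ORPort and ModTorPort must all match.
    orport, modtorport = (s.get("ORPort") or [None])[0], a.get("ModTorPort")
    if not (client_port == orport == modtorport):
        out.append(f"port mismatch: Bridge port {client_port}, ORPort {orport}, ModTorPort {modtorport}")
    # Apache: handler on a sub-path (Note 2) and the sample password replaced (Note 1).
    tor_paths = [p for p, d in a["locations"].items() if d.get("SetHandler") == "tor"]
    if not tor_paths:
        out.append("apache: no <Location> with 'SetHandler tor'")
    if "/" in tor_paths:
        out.append("apache: handler on / takes over the whole site; use a sub-path like /tor")
    if a.get("ModTorPassword") in (None, SAMPLE_PASSWORD):
        out.append("apache: ModTorPassword missing or still the sample value; set your own")
    return out

if __name__ == "__main__":
    for line in check(CLIENT_TORRC, SERVER_TORRC, APACHE_CONF) or ["all three fragments agree"]:
        print(line)
```

Run against the page's own samples it reports exactly one problem, the placeholder password; change the port in any one of the three places and it reports the mismatch that the "Port MUST be the same" remark above warns about.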
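To see why this arrangement resists port scanning, here is a small model of what the front door does: the ORPort is bound to 127.0.0.1 only, the public side is an ordinary web server, and a connection is spliced onto the ORPort only when it presents the ModTorPassword at the tor Location; every other request gets the same 404 a scanner would get from any web server. This is an added illustrative model, not the project's mod_tor.c or SRTorClientProxy: the request format it accepts (a POST to /tor whose body is exactly the ModTorPassword string), the function names, and the single-read request handling are assumptions, the stand-in ORPort is an echo server, and the model front door listens on loopback instead of Apache's HTTPS port.

```python
# Added illustrative model of the mod_tor front door this page sets up; it is
# not the project's mod_tor.c, and the client request format it accepts
# (POST /tor with the ModTorPassword string as the body) is an assumption.
import hmac
import socket
import threading

# Defaults mirror the page's sample Apache config. The password is the page's
# placeholder and must be changed in any real deployment (Note 1).
LOCATION = "/tor"
PASSWORD = "password=pancake"
ORPORT = 12312
DENY = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
ACCEPT = b"HTTP/1.1 200 OK\r\n\r\n"

def gate_decision(raw, location=LOCATION, password=PASSWORD):
    """"tunnel" only for a POST to the tor Location whose body is exactly the
    ModTorPassword string; a scanner's probe, a GET of /tor or a wrong password
    is "deny" and gets the same 404 the web server gives any stray request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"POST" or parts[1] != location.encode():
        return "deny"
    # Constant-time compare: the password check itself must not be a timing oracle.
    return "tunnel" if hmac.compare_digest(body, password.encode()) else "deny"

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle_connection(conn, orport=ORPORT, location=LOCATION, password=PASSWORD):
    """Serve one front-door connection: plain 404, or splice it onto the ORPort."""
    conn.settimeout(5)
    try:
        raw = conn.recv(8192)  # simplification: whole request assumed to arrive in one read
    except OSError:
        raw = b""
    if gate_decision(raw, location, password) != "tunnel":
        conn.sendall(DENY)
        conn.close()
        return "deny"
    conn.sendall(ACCEPT)
    conn.settimeout(None)
    # The ORPort is bound to 127.0.0.1 (ORListenAddress), so only this front door reaches it.
    upstream = socket.create_connection(("127.0.0.1", orport))
    back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
    back.start()
    _pump(conn, upstream)
    back.join()
    upstream.close()
    conn.close()
    return "tunnel"

def _serve_once(handler):
    """Bind an ephemeral loopback port, serve one connection on a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        srv.close()
        handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return port

def start_fake_orport():
    """Stand-in for Tor's ORPort in this demo: echoes one connection's bytes back."""
    def echo(conn):
        _pump(conn, conn)
        conn.close()
    return _serve_once(echo)

def start_gate(orport, location=LOCATION, password=PASSWORD):
    """Start the model front door on loopback (the real one is Apache with SSL)."""
    return _serve_once(lambda c: handle_connection(c, orport, location, password))

def auth_request(password=PASSWORD, location=LOCATION):
    """Build the assumed client request that carries the ModTorPassword."""
    body = password.encode()
    head = f"POST {location} HTTP/1.1\r\nHost: bridge\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body

def probe(port, request, payload=None):
    """Client side: send a request; if accepted and a payload is given, push it through
    the tunnel and collect the echo. Returns (status line, echoed bytes)."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(5)
    s.sendall(request)
    status = s.recv(4096)
    echoed = b""
    if status.startswith(b"HTTP/1.1 200") and payload is not None:
        s.sendall(payload)
        while len(echoed) < len(payload):
            chunk = s.recv(4096)
            if not chunk:
                break
            echoed += chunk
    s.close()
    return status.split(b"\r\n")[0], echoed

if __name__ == "__main__":
    orport = start_fake_orport()
    print("scanner:", probe(start_gate(orport), b"GET /tor HTTP/1.1\r\nHost: bridge\r\n\r\n"))
    print("client: ", probe(start_gate(orport), auth_request(), b"hello tor"))
```

Run it and the scanner's GET /tor comes back as a bare 404, indistinguishable from a miss on any web server, while the authenticated client has its bytes echoed through the stand-in ORPort. With Apache doing this over SSL as the page requires, the password travels inside TLS, so an observer on the wire sees only an HTTPS request to a web site rather than a Tor handshake.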