Sunday, June 19, 2011

Why Foxy Proxy > Torbutton

Ok, so I said I'd post this the next day and well, I didn't.  Too much stuff going on.  Crash course Bitcoin mining, fun with KVM, and few other projects that I have plans to include tutorials on.

Now, before I get on to the topic, I'd like to point out that Tor/I2P, etc. is just how I utilize the features in Foxy Proxy.  If you are in a country that actively censors and monitors your Internet connection and you use proxies to circumvent your government firewall and surveillance, the methods used here are highly recommended for this situation as well, and I will add a few example rules at the end to give you an idea of how to set up dynamic auto-triggering proxy rules for Facebook, Twitter, Google, etc.

Alright, so why Foxy Proxy?

I hear lots of talk about Torbutton and I'll admit, I used it myself up until Firefox 4 came out and it was no longer supported.  So I waited. And I waited.  In the meantime I also happen to be interested in many other Darknet technologies such as I2P, Freenet, Tahoe-LAFS and their potential impact for the future of online communication.  Unfortunately, running these, especially at the same time, can be quite frustrating.  Usually the solution is to run them in different browsers, which is less than ideal.  It would be nice if I could just run them all seamlessly in the same Firefox session and somehow have Firefox intelligently use the proper proxy/Darknet depending on the link I load.  Of course, neither Torbutton nor the Firefox proxy tab is going to help you there.

Then, as I began to get impatient waiting for the new Torbutton, I decided to give Foxy Proxy a shot.
Once I really dug in and started learning its features I found it to be so far beyond Torbutton that it really doesn't compare, and magically, all these problems disappeared.

In fact, I would even go as far as to say that Foxy Proxy is not only a suitable drop-in replacement for Torbutton, it can also go a bit further to protect your privacy.

Let me explain the concept first, then I will show how using Foxy Proxy can potentially improve your privacy over Torbutton.

With Foxy Proxy, you can set up multiple proxies and give each of them matching rules and put them in the order you want Foxy Proxy to look through them.  The first match found by Foxy Proxy will be used and the rest are then ignored for that link. If it helps, think of it the way a firewall like iptables works, the first match wins.

Let me give an example.  Let's say that you are behind some sort of firewall that blocks Gmail or Facebook or something of the sort.  Now let's say you have a proxy that will let you get to that site, but you only want that proxy used for that site and ignored otherwise.  Foxy Proxy allows you to set up rules like this.
Basically, you just add an entry in Foxy Proxy (I will show how to do this in a bit) to use such and such proxy for Gmail above the default no-proxy rule.
Now if you go to gmail.com the first rule will match and your proxy will kick in.  If you instead go to yahoomail.com, it will ignore the first rule and go to yahoomail.com without a proxy.

Now, how does this relate to Tor and, more importantly, how can this increase your privacy versus something like Torbutton?  Well, it all comes down to the convenient fact that in most Darknet systems, the hidden services use a specialized domain name.  For Tor this is .onion.
Alright, so you're thinking, "Ok, so I'm using Torbutton or whatever and I click a .onion address and I'm running Tor and it loads up and what's the problem?"
And that's fine, but the problem comes when you accidentally click on a .onion address and you are NOT using Tor.  Well, what happens then is you get a nice little error from your ISP saying basically "What the heck is that?"
'Cause how does a Polar Be- err, I mean ISP, know what .onion is?
Well, they don't, but they logged the attempt anyways.
Get it?
Same goes for I2P, Freenet, etc.
This is where Foxy Proxy comes in.

What I will show you is not only how to set up Tor with Foxy Proxy, but also how to catch stuff that you only want sent through certain proxies and 404 them if that proxy is not running or broken, before it leaves your machine and gets logged by your ISP.  This is especially useful for those living in countries that actively censor and monitor their citizens' Internet activity.
Of course, standard disclaimer:  The idea is to maintain your privacy; if you think you're going to do this and break the law and not get caught, well, sorry to burst your bubble, but it won't work. Tor and Darknets are not enough to break the law and never get caught. (Google "Tor timing attacks")

What it will show you is the best way (that I am aware of) of seamlessly browsing sites and having them load automatically in the proxy/Darknet you want them to and not from anywhere else. I like to think of it as practicing good browser proxy hygiene.

So ok how does this work?
I'm going to use Tor and I2P for this example since they have unique domain names.  Freenet is a bit different and I haven't really tried to use Foxy Proxy with it yet.

The first one I will show is I2P, since you generally only use I2P to browse I2P sites, as it's generally not designed to be an anonymous portal to the general Internet.
First grab the latest Foxy Proxy here: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Now when you open Foxy Proxy, you should be on the Proxies tab.
There should already be a "Default" proxy.  We are going to leave that one there and click on Add A New Proxy on the right.
A dialog box should open and now click on the tab for Proxy Details.
By default I2P uses localhost or 127.0.0.1 on port 4444 for http and 4445 for https.
We are first creating the I2P http proxy, so enter 127.0.0.1 for the IP Address and 4444 for the port.
Make sure manual proxy is selected.
Now switch to the tab "URL Patterns".
This is where we specify what gets sent to this proxy.  You can use either regular expressions or the general wildcard method to create the rule.  I'm using the wildcard method because these rules are pretty straightforward.
What we want is all http:// sites that have a top level domain of .i2p to be sent to this proxy.
So what we do is click "Add New Pattern" and enter  http://*.i2p/*  as the URL pattern, check whitelist to make this a whitelist, wildcards to specify the URL Pattern is using the wildcard method, and then click enable to turn it on.  Then click ok and now we just have to move to the General tab and give it a unique color.
The Foxy Proxy icon in your browser will turn the color of the current proxy being used and spin around so you know which one it's using.  Just make sure that it's a different color than the default.  (Blue, I believe, is what the default "no-proxy" is set as.)
Click "Enable" on the General tab and give it a name if you wish.

Ok, so if you managed that, the rest will be easy.  For the I2P https, we do the same exact thing but have the port as 4445, the URL Pattern as  https://*.i2p/* , and set it to its own unique color.
Now just make sure that you move the two new proxies above the Default one so they are checked by Foxy Proxy first, and then change the top dropdown box from "Use Default for all" to "Use proxies based on their pre-defined patterns and priorities".

Now you are able to use the same Firefox session to browse I2P and the general Internet as well. If you click on a link with an address of .i2p Firefox will automatically use I2P to load the link and if you want to check your gmail or facebook or whatever, you just do this normally and Firefox will use your normal ISP internet connection (or whatever other nameserver you have set up).
Also, now if you click on an I2P link like in your bookmarks or something while you are not running I2P, Foxy Proxy will catch it, try to load the I2P proxy and fail without it ever getting sent to your ISP.

Now for the Tor rules.
While Tor allows access to .onion hidden services, it is also used as an anonymous portal for the general Internet, so the rules need to be a bit different.
We are going to want two rules, one for .onion addresses and one for everything else.
For the .onion proxy, we are going to do pretty much the same thing as we did for I2P.
Set the proxy as 127.0.0.1 and the port (assuming the default privoxy/polipo port) of 8118.
Then set the URL Pattern to *.onion* and set the rest as the same as was set up for I2P with the exception of the name and color for the proxy.  Move this proxy to be above the "Default" proxy.

For the second rule, we are going to do the exact same as the above Tor proxy, but we are going to set the URL Pattern to be simply "*" (without the quotes). Put this proxy above the "Default" but under the .onion proxy and give it a decent name like "Default Tor".

Now with all the proxies enabled, you can browse I2P and Tor seamlessly without needing different browsers.
When you want to surf the general web, just open Foxy Proxy and disable the Default Tor proxy and you are again using the general Internet, and if you click on a .onion address it will still use Tor or 404 depending on whether you are running Tor. Either way, nothing will get sent to your ISP that is related to Tor or I2P hidden service sites.  If you want, you can even browse I2P, Tor Hidden Services, and the general Internet all in one browsing session.
Just make sure to use the "Ref Control" (https://addons.mozilla.org/en-US/firefox/addon/refcontrol) Firefox plugin to prevent your referring URLs from being sent back and forth, but if you read my last post, you are already doing that.
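To make the first-match-wins behaviour concrete, here is an added POSIX shell simulation of the pattern list as arranged in this post (I2P http, I2P https, the .onion rule, the "Default Tor" * rule, then the no-proxy Default). This is my own illustration, not code from the post or from Foxy Proxy; the function names, the TOR_DEFAULT_ENABLED toggle and the LISTENING_PORTS list standing in for "is that local proxy actually running?" are constructed, while the ports 4444, 4445 and 8118 and the patterns are the ones used above. Shell case patterns use the same * wildcard as Foxy Proxy's wildcard mode, so the rules can be copied almost verbatim. The point it demonstrates is the one about leaks: a .i2p or .onion URL either reaches its local proxy or fails on your own machine, and is never handed to the ISP.

```sh
#!/bin/sh
# Added example, not from the original post: simulates FoxyProxy's ordered
# "first match wins" URL pattern list using shell case patterns, which use
# the same * wildcard the post's patterns use.

# The "Default Tor" rule (*) is enabled in the post's all-over-Tor setup;
# set TOR_DEFAULT_ENABLED=0 for the "disable Default Tor" mode described above.
TOR_DEFAULT_ENABLED="${TOR_DEFAULT_ENABLED:-1}"

# Constructed stand-in for "is that local proxy actually running?":
# the list of ports something is listening on (I2P 4444/4445, polipo 8118).
LISTENING_PORTS="${LISTENING_PORTS:-4444 4445 8118}"

# select_proxy URL -> prints "<rule name> <port>" for the FIRST matching rule,
# in the order the post says to arrange them above the Default entry.
select_proxy() {
    case "$1" in
        http://*.i2p/*)   echo "i2p-http 4444" ;;
        https://*.i2p/*)  echo "i2p-https 4445" ;;
        *.onion*)         echo "tor-onion 8118" ;;
        *)  if [ "$TOR_DEFAULT_ENABLED" = 1 ]; then
                echo "default-tor 8118"      # the "*" rule
            else
                echo "direct 0"              # the Default (no proxy) entry
            fi ;;
    esac
}

# port_listening PORT -> 0 if PORT is in LISTENING_PORTS
port_listening() {
    for p in $LISTENING_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# dispatch URL -> prints where the request actually ends up:
#   direct          handed to the ISP connection
#   proxy:<rule>    sent to the local proxy for that rule
#   blocked:<rule>  the rule matched but its proxy is down: the request fails
#                   on the local machine and the ISP never sees the hostname
dispatch() {
    set -- $(select_proxy "$1")
    if [ "$1" = direct ]; then
        echo direct
    elif port_listening "$2"; then
        echo "proxy:$1"
    else
        echo "blocked:$1"
    fi
}

# Constructed sample URLs; the .onion and .i2p hostnames are placeholders.
for u in http://forum.i2p/ https://stats.i2p/ \
         http://exampleonionsite.onion/ https://mail.google.com/; do
    printf '%-36s -> %s\n' "$u" "$(dispatch "$u")"
done
```

One thing the simulation makes visible: the post's *.onion* pattern matches ".onion" anywhere in the URL, so a clear-web URL containing that string is also sent to the Tor proxy. That fails in the safe direction (extra traffic over Tor, never a hidden-service name sent to the ISP), which is why a loose pattern is acceptable here, whereas a pattern that was too tight would be the dangerous mistake.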

Well there you go, and as promised, here are a few example wildcard URL Patterns for commonly blocked sites in censored countries:
*.facebook.com/*   *.twitter.com/*   *.gmail.com/*   *.wikileaks.org/*
Seeing a pattern yet?  Good, and don't forget to use the SSL or https://  secure versions of these sites!
In fact, head over to http://www.eff.org/https-everywhere now and grab the auto https plugin from the superheroes at eff.org.
Well, I hope this was a help to someone.  Thanks for reading; one more short posting on how to filter known bad Tor exit nodes and that will complete this little round of Tor how-tos.
Then hopefully on to a KVM networking tutorial or two.

-ng

Tuesday, May 24, 2011

Ditching Tor Browser Bundle & Vidalia or The Right Way To Use Tor

*** 10/03/2014 - PLEASE NOTE: THIS METHOD OF USING TOR IS NO LONGER RECOMMENDED ***
Current versions of Tor Browser Bundle include additional Firefox privacy bug fixes that are not yet included in Firefox mainline, such as fixes to HTML5 information leaks.  Using the Browser Bundle and upgrading immediately when updates come out is currently the recommended way to use Tor.
Vidalia itself has been obsoleted and should no longer be in use.

I leave the below tutorial for historical purposes only

-----------------------------------------------------------------------------------------------------------

In this I will cover how and why to move away from depending on and trusting in Vidalia and the Tor Browser Bundle for your security, as well as a number of important common sense tactics to employ when using Tor. Actually, this post intends to be a semi-complete crash course on Tor safety.  While the last half is meant for Linux users, Windows and Mac OS X Tor users should still follow the Firefox setup and plugins section below. In fact, even if you don't use Tor you should already be doing much of this anyways.

For those not in the know or who have stumbled here by accident, Tor is an incredible application that, if used properly, can provide a high level of anonymity online, allowing you to browse websites as well as "Hidden Services" (.onion sites, which are special Tor-only web pages inaccessible to those not using Tor) by hiding your identity, routing your traffic through other nodes around the globe and preventing your web traffic from being traced back to your machine.
More info can be found at the Tor homepage: https://www.torproject.org/index.html.en

Now this is all fine and great and we all love Tor, but far too many people are not using it properly and are actually putting themselves in greater danger by using it.  Let's get one thing clear, you don't need Tor Browser Bundle.  They provide that because they don't think most people will do all the below stuff on their own (if there are important tweaks I'm missing please let me know).  The problem is that the Tor Browser Bundle lags too far behind in updating Firefox versions, leaving you vulnerable with an outdated Firefox.
First I'll cover the general things everyone should be doing while using Tor, whether using Windows, Linux, or Mac OS X. Even non-Tor users should be doing the things described in the Firefox plugins section for general online security.

Number one, use Firefox.  Firefox is simply the only safe browser to use with Tor.  The Tor developers themselves have repeatedly stated this and while they are trying to work with the Chrome developers to improve Chrome's privacy features, it simply isn't up to par yet. Safari, Opera, IE are out of the question. Don't even think about it.

Ok, now that you are using Firefox, realize that Tor cannot protect you from bad websites, and with all the ads online an untrusted site pretty much means almost every website, since the ads they serve can be coming from anywhere.  Aside from the usual Adaware, Anti-Virus, non-admin Windows accounts, etc., you need to be using the NoScript Firefox plugin.  This is non-negotiable, as almost all malware uses JavaScript to dump malware onto your system.  Really you should be using this Tor or no Tor.

Next, Tor works by routing your traffic, so ultimately the machine that fetches the web page for you could be anyone and should be considered untrusted at all times. This means don't log into any sites that are tied to your real world person.  This means no Facebook, LinkedIn, your normal email accounts, game accounts, whatever; don't do it.  The last computer in the route can possibly steal your session even if it's SSL, and shovel a forged SSL cert to you and grab your password. Even if they don't, they can see who you are if you do this, because you're visiting your friends' pages, so they can probably figure out who you are based on friend list comparisons, and since you're on Tor, you're probably not the hot blond veterinarian whose interests include volleyball, Grey's Anatomy, and Lady Gaga.  Also, don't search for dumb stuff like London Weather Forecast in unencrypted Google on Tor.  Guess what, feds and hackers also run Tor and now they know you're in London.  Be smart.

Ok, now that that's out of the way, we need to lock down Firefox so it doesn't leak any private information.  There are good plugins for this and the ones I recommend are Cookie Monster, Better Privacy, Ref Control, User Agent Switcher, and Foxy Proxy. There used to be Nevercookie Anonymizer but that doesn't work with Firefox 4.  Cookie Monster along with Better Privacy should do the same thing.

Of course just installing these Add-Ons isn't enough.  Yes, you need to actually configure them. Starting with:

NoScript: Go through the Whitelist and remove it all. You can add as you go, although always use "Temporarily Allow" when a site doesn't display properly or you are having odd issues.  Also make sure to go to the Embeddings tab and select the check box for Forbid IFrame. Some malware likes to use these to dump stuff onto your machine. Make sure Flash, Silverlight, Java, Audio, other are selected. The rest of the defaults should suffice as far as I'm aware.  Throw me a comment if anyone has any other NoScript hints.
Better Privacy: In the Better Privacy preferences remove any LSO cookies found and then switch to the Options & Help tab.  Make sure "Delete Flash cookies on Firefox Exit" and "Disable Ping Tracking" are selected.
Cookie Monster: Make sure "Block 3rd party cookies" is selected.  Block all cookies if you are truly paranoid.
Ref Control: Make sure the "Default for sites not listed" is set to "Block".
User Agent Switcher: grab the user agent list here http://techpatterns.com/downloads/firefox/useragentswitcher.xml and import it into User Agent Switcher, overwriting the previous list. Pro-Tips:  I like to set my UA to Linux -> Console Browsers -> Elinks or Lynx since I've never in my life heard of malware for those.  Also, when you find a website that tries to make you pay to see contents that Google results seemed to have a clip of, switch your UA to Google Bot and enjoy the site for free ;)
Foxy Proxy: This is covered later as there are some pretty nifty things to do with it and you need to get your Firefox shields up and operational before you run Tor. (*Edit: I'll post this one tomorrow in a separate post, as it is such a good plugin it deserves a post by itself*)

Next, in Firefox make sure to go to the Privacy tab and set it to "Permanent Private Browsing Mode." In Advanced tab under General choose "Tell websites I don't want to be tracked."
I also changed my homepage to https://torcheck.xenobite.eu/ which gives me full info about what my browser is leaking and whether Tor is being used or not.

Lastly, go to the Security tab and deselect "Remember passwords for sites."  Seriously people, if you don't do this, then any website that manages to get into your browser will potentially get ALL YOUR PASSWORDS. Don't.  I put my passwords into a text file on a USB drive and then gpg encrypt them. Do what you like but don't store your stuff in the browser; the browser interacts directly with the Internet so it's the first thing that gets attacked. Bad.

Now that that is all done, double check that in the Tools menu "Clear history" is grayed out (you shouldn't have any more history) and Start Private Browsing is selected.

I think that's about it for Firefox adjustments.  Now a few things NOT to do while using Tor. Aside from not logging into important accounts, anything Flash and Java and such can leak information about you, not to mention that you shouldn't be streaming stuff like YouTube and Vimeo on Tor.  It's a waste of Tor network resources and it'll be slow anyways.  And really, if all you do online is YouTube and Facebook, then what the heck do you need Tor for? Plus, Flash is a bug-ridden ownage machine with one of the worst security records out there.
If you're using Flagfox, disable it.  Sorry, it's a great plugin; I don't know for sure, but I've heard it leaks DNS queries. It can also be used to track you since you have to tell it every site you go to.
If you're using the ANT Flash downloader plugin, get rid of it. It's been shown to track its users.
Basically, remove any plugins you don't absolutely need and trust.
Oh yeah, don't use the new Firefox Sync feature or any online bookmark sync junk. I think that one should be obvious.

Ok, that concludes the OS independent stuff; from here on I will be talking about further security enhancements for those on Linux.  So if you're using Windows or OSX you're on your own now.

Now comes Vidalia.  This part is unfortunate because although it's a great program, it shares a problem with Tor Browser Bundle, namely running Tor as your regular user. If Tor gets compromised or exploited, the exploit will be able to run with your full user account privileges and potentially compromise/steal/destroy important files and information of yours. Using Vidalia, I believe, increases this risk because it's just one more program connected to Tor that can be targeted.  The basic security tenet of "If you don't need it, don't use it" applies here. So what you want to do instead is run Tor as a special tor user account with limited privileges. Or even better, follow the instructions in my last blog about chroot jails with jailkit and modify it to run Tor.  (That's on my to-do list and if I run into any special issues I'll post them.) This gives you another layer of security in an increasingly hostile Tor environment.
To run Tor under the tor user, first make sure you have a tor user and group on your machine.  Archlinux was nice enough to create them for me.
Then in the /etc/tor/torrc file make sure this section appears as below:
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
User tor
Group tor
Now as root start the tor service in /etc/init.d/tor or /etc/rc.d/tor
Archlinux uses rc.d but I know Ubuntu and Debian use init.d
I use Arch so I just enter
/etc/rc.d/tor start 

Doing this for polipo isn't quite so straightforward, but fortunately the Arch Wiki has provided a great how-to on how to do this which should apply to most Linux distributions and any adjustments to the instructions should be pretty minor.
This comes straight from https://wiki.archlinux.org/index.php/Polipo#Run_Polipo_as_designated_user which is made available for distribution under the GNU Free Documentation License 1.2:
Polipo should run as an unprivileged user. Such a user can either be created or reused:

mkdir /var/cache/polipo
groupadd -r polipo
useradd -d /var/cache/polipo -g polipo -r -s /bin/false polipo 
While other daemons start as root and drop privileges as soon as possible, polipo runs as the user that invoked it. If polipo is invoked from /etc/rc.d/polipo, change the invocation line from
/usr/bin/$DAEMON $ARGS >/dev/null 2>&1 
to

su -c "/usr/bin/$DAEMON $ARGS" -s /bin/sh polipo >/dev/null 2>&1
It is then also necessary to change ownership and/or permissions of several files and directories written by polipo.  *I found that if these files don't exist, they must be created using mkdir or the touch command and then chown polipo:polipo on them, or polipo will fail to start:
  • the log file /var/log/polipo.  The Arch Wiki states that a better choice is to create a directory, but for me creating a polipo log directory was giving polipo problems and I just used the regular log file.
  • /var/log/polipo owned by the designated user, and set polipo's log file to /var/log/polipo/polipo.log via the logFile variable in the config file. (I set this to chown polipo:log. Check the other files in the /var/log directory to see if they are assigned to a "log" group.)
  • the pid file at /var/run/polipo/polipo.pid and the directory that hosts it
  • the cache directory /var/cache/polipo and all of the contained files
Also, make sure to grab the polipo config for Tor here: https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf
Make any changes you need and put it in /etc/polipo/config/polipo.conf

Ok, so once you've got all this ready and running, all you need to do now is just fire up Firefox and change your proxy settings (found in Advanced -> Network -> Connections) to Manual Proxy at 127.0.0.1 and port 8118 for HTTP and HTTPS, nothing for ftp (unless you're going to use that) and the Socks box.  I also have localhost, 127.0.0.1 for the "No Proxy for" section but I'm not sure if that is default or required or what.
Either way, next post will be on Foxy Proxy where we will take proxy settings to a whole new level!

But, before you run off, make sure to go here with Tor and add the list of bad Tor nodes to your torrc to make sure Tor refuses to use these:
http://xqz3u5drneuzhaeo.onion/users/badtornodes/
These Tor nodes have been shown to be doing dangerous or sketchy things with traffic, such as modifying your SSL traffic in order to steal your passwords and snoop your information. Not good.  Some are believed to be NSA nodes spying on Tor users, some are hackers trying to steal your information, and some just have bad configurations that can put you at risk.
The people behind this site run software to constantly scan and monitor Tor nodes 24/7 to detect malicious or bad Tor nodes and publish them on the site.
Basically what you do is go down to the section "Create ExcludeNodes" and select all the options that have a value of 1 or more, then make sure "Fingerprints" is selected, then click the "Create ExcludeNodes" button and paste the entire output into your torrc configuration file.
Restart Tor so it's using the new torrc and you are ready to go.
Make sure to check back every time you use Tor to get the latest updates.
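Since the torrc is now doing two security-relevant jobs at once (dropping Tor to the tor user from the snippet earlier, and carrying a long pasted ExcludeNodes list), here is an added POSIX shell linter for it. This is my own example, not from the post or the Tor project: it checks that RunAsDaemon and User are set as shown above and that every comma-separated ExcludeNodes entry is a $ followed by exactly 40 hex digits, which is the "Fingerprints" format the post tells you to select. The TORRC_SAMPLE text and both fingerprints in it are constructed, and the functions assume the ExcludeNodes value is pasted as one token with no spaces after the commas.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a torrc after the
# "run as the tor user" and "paste ExcludeNodes" steps above.

# Constructed sample standing in for /etc/tor/torrc; both fingerprints are made up.
TORRC_SAMPLE='## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
User tor
Group tor
ExcludeNodes $0123456789ABCDEF0123456789ABCDEF01234567,$FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# torrc_setting FILE KEY -> prints the value of the first line whose first word
# is KEY (comment lines start with #, so they never match a key name)
torrc_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_fingerprints FILE -> 0 only if ExcludeNodes is present and every
# comma-separated entry is "$" followed by exactly 40 hex digits.
# Assumes the value has no spaces, as the badtornodes output is pasted.
check_fingerprints() {
    list=$(torrc_setting "$1" ExcludeNodes)
    [ -n "$list" ] || { echo "no ExcludeNodes line"; return 1; }
    bad=0
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        printf '%s' "$entry" | grep -Eq '^\$[0-9A-Fa-f]{40}$' \
            || { echo "malformed ExcludeNodes entry: $entry"; bad=1; }
    done
    return $bad
}

# torrc_lint FILE -> 0 if Tor drops to the tor user and the exclusion list parses
torrc_lint() {
    [ "$(torrc_setting "$1" RunAsDaemon)" = 1 ] || { echo "RunAsDaemon is not 1"; return 1; }
    [ "$(torrc_setting "$1" User)" = tor ]     || { echo "User is not tor"; return 1; }
    check_fingerprints "$1" || return 1
    n=$(torrc_setting "$1" ExcludeNodes | tr ',' '\n' | wc -l | tr -d ' ')
    echo "torrc ok: runs as tor, $n relay(s) excluded"
}

# Write the constructed sample to a temp file and lint it
tmp_torrc=$(mktemp)
printf '%s\n' "$TORRC_SAMPLE" > "$tmp_torrc"
torrc_lint "$tmp_torrc"
rm -f "$tmp_torrc"
```

Run it as torrc_lint /etc/tor/torrc after every paste from the list site; a single mangled fingerprint otherwise goes unnoticed until Tor logs a config warning on restart.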

And that's about all I can think of at the moment aside from general common sense.
If anyone has anything they think I should add, drop a comment or send an email and I'll check it out and probably put it in.

I will try to always keep this updated as I find new tips or new information.

In the meantime, if it's not already bookmarked, here is the Tor-only "Hidden Wiki"
http://kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page
And when you're there, try to remember your morals...

-ng

Tuesday, March 15, 2011

Run your favorite apps securely alongside an egress firewall with Iptables And Jailkit

In a perfect world the importance of egress or outbound firewall filtering would be common knowledge and implemented as a de facto standard alongside other common sense techniques such as anti-viruses, frequent patching, and non-admin user accounts and we would all live in a happy world free from many of the devastating worms and rootkits that constantly plague us.

Now instead of going off on a much longer tangent on this, I will simply quote Brian Hatch, who I think stated it quite aptly:
“When your computer is compromised, you are no longer the innocent party trying to defend yourself; to other machines you have become the attacker. You owe it to others to make outbound attacks more difficult to the cracker or worms that have managed to get onto your machine.”
(Hacking Linux Exposed: Egress filtering for a healthier Internet - Brian Hatch)

With that out of the way, I think it's only fair to concede that egress/outbound filtering, while important, can often come into conflict with a few of the common applications that we use on a daily basis on our workstations.

One of the most popular applications that suffers from this is bittorrent software.  First off, let me say that while this article uses the rtorrent peer to peer application as the example, the methods and approach here are relevant for any application that does not communicate in a predictable enough manner to create targeted iptables port rules.  In fact I can think of numerous penetration and security testing tools that this method could work well for (Nmap, just to throw one out there).

Now, while I admit that the use of bittorrent software can introduce a host of security vulnerabilities even if used for legitimate purposes (and YES there are legitimate uses for bittorrent), the fact is that it is widely used and trends show that this is not going to change anytime soon.

Too often though, I think otherwise very security minded individuals conclude that the risks of using peer to peer technologies just come with the territory and there is not much else that can be done aside from using DMZs and Virtual Machines, which have the extreme disadvantage of significantly increasing system resource utilization.

Fortunately, there is a better and more targeted way to address this, which helps to mitigate this risk.

First I think it is important to provide a bit more detailed summary of the issue I ran into while attempting to implement an egress filtering solution on my home desktop (I'm using Archlinux, but these methods should work with most Linux distributions).  The problem I ran into with bittorrent is that although it does use a set listening port, this port is used only by remote users connecting into your machine and may not be the port used by your machine to initiate connections with remote users.  Also, each remote user has their own listening port, which is not necessarily the same as yours.

This creates a situation where your outgoing source and destination ports are both random, leaving you without much of a way to effectively deploy an egress filtering firewall and still continue using your application.  While there are numerous and well documented ways of getting around this by using firewall evasion techniques such as tunneling, there is another method that is often overlooked, and not only does it get around this problem, it also gives you an extra layer of security.  This is particularly important when using programs such as bittorrent.

The basic idea behind this method involves running your bittorrent application in a chroot jail using a special user account.  While the security benefits of properly configured chroot jails are significant in and of themselves (and I stress properly configured), running them as a special user allows you to utilize iptables match by user feature.  What this does, is allow us to implement a “default drop” outgoing firewall rule and add special exceptions for certain users.

So the ultimate solution here is to construct a user who operates exclusively within a chroot jail that allows access to the program needed and nothing else (not even a command shell) and then use the iptables match by owner feature to allow this user and this user only access to the ports needed by the application.  This will let you continue to use your application while at the same time significantly reducing the exposed vulnerability landscape on your machines.

In this tutorial I'm going to be using the ncurses based bittorrent client rtorrent as the example, since that is what I use, as it allows me to easily manage my torrents remotely wherever I happen to be using screen and ssh.
More information about rtorrent can be found at http://libtorrent.rakshasa.no/

To create and manage the chroot environment I will be using the jailkit utilities.  The jailkit homepage describes the suite as “a set of utilities to limit user accounts to specific files using chroot() and or specific commands.”

Using jailkit greatly simplifies the process of setting up a chroot and can help to prevent some bad chroot mis-configurations.  I suppose this is a good time to issue the standard chroot disclaimer:
Warning! An improperly set up chroot environment can actually create a security hole!

More information on jailkit as well as documentation for many of its other features can be found at http://olivier.sessink.nl/jailkit/
In particular, I strongly recommend reading the “SECURITY CONSIDERATIONS” section on the homepage for what you should NOT do while setting up your chroot environment. It's short, so read it.

Lastly, this tutorial assumes you have an iptables firewall in place as well as CONFIG_NETFILTER_XT_MATCH_OWNER kernel option either compiled into your kernel or as a module.

Quick word of warning before I get into the commands:  Due to the small page space Google actually gives to the blog, commands may get word wrapped.  Commands will be separated from each other with extra white space to avoid confusion. I'll be looking for a better medium for my articles soon.


Now on to the actual setup

To verify whether the match owner netfilter module is running, do
lsmod | grep xt_owner
If the output indicates that the module is loaded and running, you're good to go
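Before the jail steps, here is the shape of the owner-match egress rule set that the chroot user is being created for, as an added POSIX shell example of mine (not the post's own rules, which this page does not show). It is a dry run by default: IPT defaults to echo, so the iptables commands are printed rather than applied, and you run it as root with IPT=iptables to apply them. APP_USER is assumed to be the rtorrent account created below; the DNS and web exceptions for everyone else are constructed to show what the "targeted port rules" the post contrasts this with look like next to the owner rule. The owner match only exists in the OUTPUT (and POSTROUTING) chains, which is exactly where an egress policy lives.

```sh
#!/bin/sh
# Added example, not from the original post: a default-drop OUTPUT chain with a
# per-user exception via the xt_owner match. Dry run unless IPT=iptables.
IPT="${IPT:-echo}"
APP_USER="${APP_USER:-rtorrent}"   # the jailed bittorrent account (assumed name)

# owner_match_loaded -> 0 if the xt_owner module is present (the post's lsmod check)
owner_match_loaded() {
    lsmod 2>/dev/null | grep -q '^xt_owner' || [ -d /sys/module/xt_owner ]
}

# egress_rules -> emits (or applies) the OUTPUT rules, in this order:
egress_rules() {
    # 1. default policy: nothing leaves unless a rule below says so
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    # 2. loopback and replies on connections already accepted elsewhere
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. the jailed user: peers use unpredictable ports on both ends, so match
    #    on who opened the socket instead of on port numbers
    $IPT -A OUTPUT -m owner --uid-owner "$APP_USER" -p tcp -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner "$APP_USER" -p udp -j ACCEPT
    # 4. everybody else gets only what it predictably needs (constructed example)
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 5. log the rest at a bounded rate, then drop: a process in the jail that
    #    tries to reach anything outside its allowance shows up in the log
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    $IPT -A OUTPUT -j DROP
}

# rule_count -> number of commands egress_rules emits
rule_count() { egress_rules | wc -l | tr -d ' '; }

# owner_rule_count -> how many of them carry the owner match for APP_USER
owner_rule_count() { egress_rules | grep -c -- "--uid-owner $APP_USER"; }

egress_rules
```

The ordering matters: the ESTABLISHED,RELATED rule comes before the owner rule so that replies on inbound peer connections (the listening port the post describes) are allowed regardless of which user answers them, and the LOG rule sits immediately above the final DROP so the log only ever records traffic that was about to be dropped.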

The next thing to do is get jailkit installed on your machine.
There happened to be a jailkit package already available in the Archlinux AUR repository, but I am aware that some distributions may not have one (Ubuntu for instance).  In that case the source code may be downloaded from the jailkit website given above.

Once jailkit is installed and the user match iptables module is running, we can start creating our chroot jail.

First thing, we need to actually make the jail. I call mine “rtor” but you can call it whatever you like, although I would recommend not calling it by the same name as the user that will be operating inside of it.
mkdir /home/rtor
make it owned by root
chown root:root /home/rtor
then
chmod 0755 /home/rtor
Now we need to create the user and group account for the application we will be using.  I use id 1010 for both user and group but you can use whatever id as long as it's not already taken.
groupadd -g 1010 rtorrent
Now
adduser rtorrent
Obviously, let's use a good password here.
Then, once the user exists, make rtorrent its primary group:
usermod -g rtorrent rtorrent

We need to tell jailkit what capabilities our jail needs.  For rtorrent I used:
jk_init -v -j /home/rtor netbasics limitedshell terminfo
Others can be found in /etc/jailkit/jk_init.ini
You should see numerous files needed for netbasics, limitedshell and terminfo being copied over into your chroot jail

Now that the jail is set up, you need to jail your newly created user
jk_jailuser -m -j /home/rtor rtorrent
This will move the home directory of the user into the chroot jail. The new path should be similar to /home/rtor/home/rtorrent

Using Archlinux I had an issue with the way it copied over the /etc/passwd file and ended up with some values cut out of the user's passwd entry.  I suggest checking the newly created /home/rtor/etc/passwd and /home/rtor/etc/group files to make sure the entries are sane.
The passwd file should look similar to
rtorrent:x:1010:1010::/home/rtor/./home/rtorrent:/usr/sbin/jk_lsh
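Checking that passwd entry by eye is fine once, but the fields are easy to miscount. The following script is an added example (my own, not part of jailkit) that checks the jailed passwd entry the way I do by hand: right number of fields, expected uid, a numeric gid, the home path containing the "/./" marker that jailkit's jk_chrootsh uses to locate the jail root, and jk_lsh as the in-jail shell. The sample passwd file it builds in a temp directory is constructed for the demo; point it at /home/rtor/etc/passwd for the real check.

```shell
#!/bin/sh
# Added example (not part of jailkit): sanity-check a jailed user's entry in
# <jail>/etc/passwd, the file jk_jailuser writes and that Archlinux truncated
# for me. Usage: check_jail_passwd <passwd-file> <user> <uid> <jail-root>
# Prints the first problem found and returns 1; returns 0 if the entry is sane.
check_jail_passwd() {
    pwfile=$1; user=$2; want_uid=$3; jail=$4
    entry=$(grep "^${user}:" "$pwfile" | head -n 1)
    [ -n "$entry" ] || { echo "no entry for $user in $pwfile"; return 1; }
    # A passwd line has exactly 7 colon-separated fields; fewer means a
    # value was cut out, which is exactly the symptom described above.
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$nfields" -eq 7 ] || { echo "expected 7 fields, got $nfields: $entry"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$uid" = "$want_uid" ] || { echo "uid is '$uid', expected $want_uid"; return 1; }
    case $gid in ''|*[!0-9]*) echo "gid '$gid' is not numeric"; return 1 ;; esac
    # jailkit writes the home as <jail>/./<path inside the jail>; the "/./" is
    # what jk_chrootsh splits on to find the chroot root, so it must be present.
    case $home in "$jail"/./*) ;; *) echo "home '$home' is not under $jail/./"; return 1 ;; esac
    # The in-jail shell must be jk_lsh, the limited shell that only runs the
    # executables listed in jk_lsh.ini; anything else would hand out a real shell.
    case $shell in */jk_lsh) ;; *) echo "shell is '$shell', expected jk_lsh"; return 1 ;; esac
    return 0
}

# Demo on a constructed passwd file (no root needed). The real check is:
#   check_jail_passwd /home/rtor/etc/passwd rtorrent 1010 /home/rtor
demo_dir=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/sh' \
    'rtorrent:x:1010:1010::/home/rtor/./home/rtorrent:/usr/sbin/jk_lsh' \
    > "$demo_dir/passwd"
check_jail_passwd "$demo_dir/passwd" rtorrent 1010 /home/rtor && echo "entry looks sane"
rm -rf "$demo_dir"
```

The shell path is matched on the trailing "/jk_lsh" only, since distributions install jailkit under /usr/sbin or /usr/bin; if you use a different in-jail shell, adjust that pattern.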
Now we need to copy over the application we want the user to access.
To do this we must add an entry to the /etc/jailkit/jk_init.ini file for that application
vi /etc/jailkit/jk_init.ini
For rtorrent, mine looks like this
[rtorrent]
comment = rtorrent
paths = /usr/bin/rtorrent
Now it can be copied over simply with
jk_init -v -j /home/rtor rtorrent
This copies the program over as well as any of the libraries the program requires to function.

Now what's nice about jailkit is that just having the rtorrent libraries and binaries installed into the chroot isn't enough to actually let the user run the application.

Jailkit has an added configuration file that specifies what binaries the user is allowed to use.  This way if an attacker manages to break into your chroot she is severely restricted by what she is allowed to run.  To allow the user to actually run rtorrent we must add a section for the user in the /home/rtor/etc/jailkit/jk_lsh.ini file

Mine looks like this (paths are absolute, as seen from inside the jail):
[rtorrent]
paths= /usr/lib/, /usr/bin/
executables= /usr/bin/rtorrent
Finally, in order to allow the user rtorrent to attach to the terminal, we must edit
/etc/jailkit/jk_chrootsh.ini and add
[rtorrent]
env= TERM
If you will be using X apps within the jail, make sure to include the DISPLAY and XAUTHORITY variables as well.

Now restart jk_socketd to make sure log messages are transferred out of the jail
killall jk_socketd
jk_socketd
Now, theoretically all we should need to do to run the application is to su to the user with the -c switch to instruct it to just run that one command (remember, we are not allowing the user a shell so this is the only way to start the program).
su - rtorrent -c rtorrent
Of course theory is theory and it turns out rtorrent needs a few extra things to get up and running.
Specifically, a .session folder as well as the .rtorrent.rc config file.
We need to copy these into the users home directory within the jail and turn them over to the rtorrent user.
So as root we need to
mkdir /home/rtor/home/rtorrent/.session 
chown rtorrent:rtorrent /home/rtor/home/rtorrent/.session 
cp /<path/to/your/.rtorrent.rc> /home/rtor/home/rtorrent 
chown rtorrent:rtorrent /home/rtor/home/rtorrent/.rtorrent.rc
If you do not have an .rtorrent.rc file yet, you can get the example one from http://libtorrent.rakshasa.no/browser/trunk/rtorrent/doc/rtorrent.rc#latest and modify it for your needs

Now we can try to run the program to verify that it's working.
su - rtorrent -c rtorrent
If you are having any problems or you find that you are not switching users, you might want to take a look in your /var/log/auth.log to see if there were any permission errors and /var/log/daemon.log to see if there were any jailkit daemon errors.

Now once you've got this all working, you should be able to run
ps aux | grep rtorrent 
and see a line showing rtorrent running as user rtorrent

Now that it's working, actually adding the exceptions to your iptables firewall is easy.
This assumes that you have egress/outbound filtering in default drop mode. Meaning there should be a line in the beginning of your firewall rule set that looks like this:
$IPTABLES -P OUTPUT DROP
To add the exceptions we add
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -m owner --uid-owner rtorrent -j ACCEPT
to the output chain and
$IPTABLES -A INPUT -p tcp --dport 55555 -j ACCEPT
to the input chain.
Of course set the port number to be your application's listening port. Unfortunately, iptables does not have a feature to specify the incoming destination user so this rule applies globally.
You want to be sure that the packets that are accepted by port 55555 are actually valid. All iptables rules should have something similar to this for both the INPUT and OUTPUT chain to enforce this
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
Also, if you need to use distributed hash tables (DHT) or some other UDP based peer exchange technologies to find peers (such as pirate bay and other trackerless bittorrent methods) you will need to include similar rules for UDP based on the UDP port set in your torrent application.
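To show the rules above as one ordered set, here is an added example of my own (not the rule set from the original firewall script) that emits every rule the jail needs, dry-runs by default, and only installs them when run as root with "apply". It assumes the OUTPUT policy is already DROP as described above, that the owner match is available, and it adds the usual ESTABLISHED,RELATED accepts that a default-drop rule set relies on for replies; DHT_PORT is a placeholder for whatever UDP port your torrent client is configured to use.

```shell
#!/bin/sh
# Added example (not the author's firewall script): the iptables rules the
# rtorrent jail needs, in the order they must be appended. Dry run by default;
# pass "apply" as root to install them. Assumptions: OUTPUT policy is already
# DROP, xt_owner is available, DHT_PORT is a placeholder for your client's UDP port.
IPTABLES=${IPTABLES:-iptables}
APP_USER=${APP_USER:-rtorrent}
LISTEN_PORT=${LISTEN_PORT:-55555}   # TCP listening port from .rtorrent.rc
DHT_PORT=${DHT_PORT:-6881}          # assumed UDP port for DHT / peer exchange

# Emit the rules one per line. Order matters: INVALID packets are dropped before
# anything is accepted, replies to established flows are accepted so the owner
# rule only has to cover new outbound connections, and the listening-port rules
# come last because iptables cannot match the receiving user on INPUT.
jail_rules() {
    cat <<EOF
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024:65535 -m owner --uid-owner $APP_USER -j ACCEPT
-A OUTPUT -p udp --sport 1024:65535 -m owner --uid-owner $APP_USER -j ACCEPT
-A INPUT -p tcp --dport $LISTEN_PORT -j ACCEPT
-A INPUT -p udp --dport $DHT_PORT -j ACCEPT
EOF
}

# Line number of the first rule matching a pattern; handy for checking that
# the INVALID drops really sit in front of the listening-port accepts.
rule_position() {
    jail_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Feed every rule to $IPTABLES. $rule is deliberately unquoted: each line is a
# word list of arguments, not a single argument.
apply_rules() {
    jail_rules | while read -r rule; do
        $IPTABLES $rule || return 1
    done
}

case ${1:-} in
    apply) apply_rules ;;
    *)     echo "# dry run; re-run with 'apply' as root to install these:"
           jail_rules | sed "s|^|$IPTABLES |" ;;
esac
```

The two INPUT accepts are global, as the text says: the kernel has no idea which local user a new inbound connection is destined for, so restricting those two ports to the jailed user is not possible with the owner match. Adding "-m state --state NEW" to them is a reasonable further tightening once the INVALID and ESTABLISHED,RELATED rules are in place.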

Now update the firewall and you should have a proper egress firewall which allows only your one application user to use the ports needed to connect out and since this user is strictly forbidden from using any other executable, you are able to continue using the application while significantly reducing the possibility of an attacker maliciously controlling your machine.

Unfortunately this nifty setup does leave you with one small problem: getting the torrents in and the downloads out.
Well, there's not really any other way aside from using root to do this.
But considering the added security benefits, this is a pretty fair trade-off.
As root:
mv ./<torrent> /home/rtor/home/rtorrent/
chown rtorrent:rtorrent /home/rtor/home/rtorrent/<torrent>
Now open the torrent normally and when the download finishes
mv /home/rtor/home/rtorrent/<download> /home/<yournormaluser>/
chown <yournormaluser>:<yournormaluser> /home/<yournormaluser>/<download>
And that's it!

Lastly, you may have been wondering: “Well what happens when the new version of the program comes out? Does that mean I need to do this all over again to use it?”
Luckily, the answer is no.  The developers over at jailkit already thought of this and included with the jailkit program a nifty little tool called jk_update.
Simply running
jk_update -j <jail>
will check all files in the jail for updates and copy them over.
The documentation page on jk_update states:
“jk_update will compare the files in a jail with the corresponding files on the real system. If the corresponding file on the real system is newer, and the file on the real system is different, the file from the real system will be copied to the jail including any required libraries just like jk_cp would do. Files that do not exist on the real system will be deleted in the jail.” (http://olivier.sessink.nl/jailkit/jk_update.8.html)

Pay particular attention to that last sentence!  Read it twice.  Now read it again.
By default jk_update will scan /usr, /bin, /opt, and /lib for updates.
So make sure that if you have added any scripts to the jail that you add special skip rules for them, or jk_update will delete them.  An explanation of how to do this is given on the previously mentioned jk_update documentation page.

Well hopefully if you've gotten this far everything is up and running.  Like I said, rtorrent is just one example of an application that can be secured in this manner.  This is actually a fairly elegant solution that can be applied to numerous applications on your egress filtering protected machines.

Of course questions, comments, suggestions are welcome. If you found this helpful let me know and be sure to thank the authors of these programs for their excellent work!

Introduction

I suppose I should introduce myself. I'm a Linux and IT security hobbyist.  I hold a degree in Economics but I'm looking to get into the IT security field. I'm LPIC Level 1 certified and hope to be Security+ certified in a month or so.
I've decided to start this blog since I've been finding myself adding tutorials to open source wikis more and more lately and would like to have my own place to aggregate some of them as well as to start documenting some of my other small Linux and security related projects for reference as well as to put them out there for others to benefit and comment on.  Hopefully they will be of use to someone and maybe I'll even get some good suggestions and comments.  I am by no means an expert on everything posted so by all means feel free to school/correct/rant on anything here.

Topics will probably include programs such as tor, i2p, screen, iptables, fwknop and so on.  I generally stick to the command line and use Archlinux, Gentoo, and Debian.

As for the name, it's near 5am and the Melvins - Night Goat just happened to be playing and I figured it's as good a name as any other so I ran with it. Besides, that song owns.

At some point I'll get an actual blog/site set up on my own server, but until then this will do.
Alright, now for a post that's actually useful.