Sunday, June 21, 2015

Building a Portable, Chrootable Tor Instance on a Dedicated Development VM

In my last post I talked about various ways of locking down your system to mitigate compromises. One method of securing a system I mentioned is to chroot programs that are running public services. Chrooted programs run in their own little 'sandboxes', or 'jails', which are nothing more than a complete filesystem with everything that the program needs to run inside a directory that is owned by the root user. This limits the program's attack surface because the program and the user it's running as can only access files and directories inside its environment. If the program is compromised, a chroot should protect the rest of the system from being compromised as well.

While the concept is easy enough to understand, the implementation can be a little tricky. Different distributions of Linux, although running 98% of the same software, have different file system structures. It's not exactly difficult to figure out where all those libraries are, but it can be tedious and annoying. That's probably why chroots aren't used as often as they should be. There are some solutions that make the process easier, like using Sandfox. There is also Debootstrap for Debian systems, although I can't speak for it because I have yet to use it. However, sometimes it's better to accomplish something without installing any extra software, especially if the target system is a production server.

As mentioned in my last post, it is a security risk to have compilers on your system. Compilers can make it much easier for attackers to compromise your system. One solution to these issues is to compile all your software in a virtual machine, which is also hosted on a dedicated system. I just love virtual machines. They're very convenient, forgiving, portable, and disposable. If anything ever goes wrong on a VM, you simply restore the system to a snapshot that you (hopefully) made immediately after installing and configuring the system. So, let's set up a virtual development system to run all of our compilers on. Then we will compile and create a portable, chrooted instance of Tor, which we can then run on any server that we need.

Ideally, your virtual machines should run on a dedicated system. The system does not have to be terribly powerful, so you could probably use one of your old computers that are collecting dust in the closet. For my dedicated box, I chose straight headless Debian. I created a separate user to run VirtualBox, and also a separate partition to store and run the virtual machines on, for security. It's best to make sure this partition is of decent size (at least 50 gigs). It's also good to partition the disk ahead of time rather than relying on the installer to do that for you. Setting up a Debian system and installing vboxheadless is beyond the scope of this post, but there are plenty of resources on the net if you need help with that.

Once you have your system running, secure it with SSH and a firewall. Next, install vboxheadless, and phpvirtualbox if you want a nice graphical interface to manage your VMs. Now you just need to create a new virtual machine and install a Linux distro of your choice on it. It doesn't really matter which distro you go with, but for simplicity's sake I'd recommend Ubuntu Server Edition. However, if your physical system has enough resources, it would be beneficial to install a 64-bit version. You can always compile for 32-bit systems on a 64-bit system, but not the other way around.

Now you need to either follow the directions found here to compile tor in a chroot, or you can use this script that I wrote to do it for you. Note that the script was only tested on an Ubuntu 14.04 i686 system, so your mileage may vary on other distros. Also note that every script I've ever gotten off GitHub for this particular task failed when I ran it, so I won't be surprised if mine fails for you as well. The script also actually creates a functional tor chroot, which is not really necessary if you just want to compile it for use on other systems. If you follow the directions on the tor project site, after you verify that your tor chroot works, just run:

sudo cp -R -p $TORCHROOT /tmp/tor-chroot
sudo tar -zcvf ~/tor-chroot.tar.gz /tmp/tor-chroot

And you will have a tar.gz archive that you can simply extract on any Linux server and run. Of course, you will have to add the tor user to that system first:

sudo useradd -d /home/tor -s /bin/false tor

After that's done, you can just run this command to start it:

sudo chroot $TORCHROOT /tor/bin/tor

And finally, follow the instructions on the tor site to create an init script if you want. This process could be used to create chroots for other programs as well. One last recommendation: record the sha512sum of the resulting archive and also sign it with your gpg key so that you can later verify its integrity.
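
One way to act on that last recommendation, as an added example that is not part of the original post or its script: record the digest and signature on the build VM, then refuse to unpack on the server unless both check out. The .sha512/.asc file names and the SIGN_KEY and ALLOW_UNSIGNED variables are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not the post's own script. The .sha512/.asc file names and
# the SIGN_KEY / ALLOW_UNSIGNED variables are assumptions of this sketch.

# record_digest ARCHIVE
# Run on the build VM: writes ARCHIVE.sha512 and, when SIGN_KEY names a GPG
# key, a detached armored signature ARCHIVE.asc.
record_digest() {
    archive=$1
    dir=$(dirname "$archive"); base=$(basename "$archive")
    # Store the bare file name so the digest still verifies after the files
    # are copied to a different directory on another server.
    ( cd "$dir" && sha512sum "$base" > "$base.sha512" ) || return 1
    if [ -n "${SIGN_KEY:-}" ]; then
        gpg --local-user "$SIGN_KEY" --armor --detach-sign \
            --output "$archive.asc" "$archive" || return 1
    fi
}

# verify_and_extract ARCHIVE DESTDIR
# Run on the target server: unpacks only if the digest matches and the
# signature verifies. A digest file alone catches corruption, not an attacker
# who replaces both files, so an unsigned archive is refused unless
# ALLOW_UNSIGNED=1 is set.
verify_and_extract() {
    archive=$1; dest=$2
    dir=$(dirname "$archive"); base=$(basename "$archive")
    [ -f "$archive.sha512" ] || { echo "missing $archive.sha512" >&2; return 1; }
    ( cd "$dir" && sha512sum -c "$base.sha512" >/dev/null 2>&1 ) \
        || { echo "SHA-512 mismatch: $archive" >&2; return 1; }
    if [ -f "$archive.asc" ]; then
        # Assumes the signer's public key is already in this keyring.
        gpg --verify "$archive.asc" "$archive" || return 1
    elif [ "${ALLOW_UNSIGNED:-0}" != 1 ]; then
        echo "no signature for $archive, refusing to extract" >&2; return 1
    fi
    # Extraction runs as root, so reject absolute or ../ member names first.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2; return 1
    fi
    mkdir -p "$dest" && tar -xzpf "$archive" -C "$dest"
}
```

Keep the digest and signature somewhere other than next to the archive on the server, or at least rely on the signature, since anyone who can replace the archive can replace a digest file stored beside it.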
