install TOR on a centOS 7 server - linux

I have tried downloading TOR by following this article but I am getting 503 errors. So is there no other way to download TOR? Please can someone help me as I have to do a research project on it.
I am using a centOS server: CentOS Linux release 7.3.1611 (Core)
but am getting the follwing errors,
[sam#xx etc]$ sudo yum install tor
[sudo] password for sam:
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00
extras | 3.4 kB 00:00
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.
http://deb.torproject.org/torproject.org/rpm/el/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 503 - Service Unavailable
Trying other mirror.


Tor no longer recommends using their repo for CentoOS and to instead use epel repos. You'll just end up with a very old version out of their repos.
Instead do:
yum install epel-release
yum install tor
This will get you a current version of Tor managed by a repo. This is perfectly fine.
For CentOS, I have been self-compiling for a while. I have a hacky shell script I'm not yet willing to post here ;) but really it's just compiling Tor and OpenSSL. I'd still recommend using the epel-release since its more tested.
To try building Tor statically linked to OpenSSL yourself, grab a recent copy of OpenSSL (e.g. 1.1.1x), then grab the version of Tor you want to build (e.g. 0.4.1.6).
First you will need to install some prerequisites:
yum install -y \
gcc gcc-c++ \
zlib-devel \
perl-Module-Load-Conditional perl-Test-Harness \
libevent-devel \
libzstd-devel xz-devel \
libscrypt-devel libseccomp-devel
From OpenSSL source dir:
./config --prefix=/opt/openssl --openssldir=/opt/openssl \
-fPIC zlib-dynamic no-shared enable-ec_nistp_64_gcc_128
make
make test
make install
OpenSSL 1.1.1 note: Remove the no-shared option when building OpenSSL, otherwise Tor configuration will fail with an error that it can't find a linkable OpenSSL even though it is being built statically. Tor will still link a static OpenSSL but it seems to require the shared libraries to work. This appears to be fixed in 1.1.1c and later.
This installs OpenSSL to /opt/openssl so it doesn't interfere or replace the system's OpenSSL.
Then, build Tor:
./configure --prefix=/opt/tor-VERSION --sysconfdir=/etc --localstatedir=/var \
--enable-static-openssl --with-openssl-dir=/opt/openssl \
--with-tor-user=tor --with-tor-group=tor \
--enable-lzma --enable-zstd
make
make test
make install
unlink /usr/bin/tor && ln -s /opt/tor-VERSION/bin/tor /usr/bin/tor
The systemd service file I use is:
[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target
[Service]
Type=forking
PidFile=/var/run/tor/tor.pid
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc --RunAsDaemon 1
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=120
TimeoutStopSec=60
Restart=on-failure
LimitNOFILE=65536
# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
[Install]
WantedBy=multi-user.target

Related

Problem curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

i have problem to run script on kindle reader. i did jailbrake on it and it shows me system version
Linux kindle 2.6.31-rt11-lab126 #5 Sat Jan 12 20:39:09 PST 2013 armv7l unknown
the problem is with running the script to download the png image
curl https://kindle-pindle.herokuapp.com/ -o status.png
an error is returned
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
I read that it's probably about a bad version of curl but I can't do anything to install a new version because there is no apt-get or sudo in systm so I don't know how to do it
are there maybe other ways to deal with this?

The target site requires at least TLS 1.2. Given the age of what you are running (according to the kernel version) this is likely not supported by the TLS stack on your device.
There is probably no way to download the file directly from the device though. You should be able to download the file on a different device and transfer it to the device though or maybe redistribute it through your own web server which has TLS 1.0 enabled.

Cannot access cdn.redhat.com from my Linux VM. please find the attached screenshot and provide me the solution

[root#localhost ~]# yum install ksh
Updating Subscription Management repositories.
Last metadata expiration check: 22:24:52 ago on Tue 25 May 2021 01:12:00 AM EDT.
Dependencies resolved.
Package Architecture Version Repository Size
Installing:
ksh x86_64 20120801-254.el8 rhel-8-for-x86_64-appstream-rpms 926 k
Transaction Summary
Install 1 Package
Total download size: 926 k
Installed size: 3.2 M
Is this ok [y/N]: y
Downloading Packages:
[MIRROR] ksh-20120801-254.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/Packages/k/ksh-20120801-254.el8.x86_64.rpm [Failed to connect to cdn.redhat.com port 443: No route to host]
[MIRROR] ksh-20120801-254.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/Packages/k/ksh-20120801-254.el8.x86_64.rpm [Failed to connect to cdn.redhat.com port 443: No route to host]
[MIRROR] ksh-20120801-254.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/Packages/k/ksh-20120801-254.el8.x86_64.rpm [Failed to connect to cdn.redhat.com port 443: No route to host]
[MIRROR] ksh-20120801-254.el8.x86_64.rpm: Curl error (7): Couldn't connect to server for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/Packages/k/ksh-20120801-254.el8.x86_64.rpm [Failed to connect to cdn.redhat.com port 443: No route to host]
[FAILED] ksh-20120801-254.el8.x86_64.rpm: No more mirrors to try - All mirrors were already tried without success
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Error downloading packages:
Cannot download Packages/k/ksh-20120801-254.el8.x86_64.rpm: All mirrors were tried

Docker container always shows ssl connection error

I'm getting started with docker compose and have been working through the simple demo flask application. The thing is, I'm running this from inside of an organization that intercepts all communication in such a way that SSL errors are thrown right and left. They provide us with three root certificates we need to install, and I've generally got these working on my own machine, but I'm lost when it comes to getting these to work inside docker-compose deployments.
When I run docker-compose up, I get the following:
$ sudo docker-compose up
Creating network "project_default" with the default driver
Building web
Step 1/5 : FROM python:3.4-alpine
3.4-alpine: Pulling from library/python
81033e7c1d6a: Pull complete
9b61101706a6: Pull complete
415e2a07c89b: Pull complete
f22df7a3f000: Pull complete
8c16bf19c1f9: Pull complete
Digest: sha256:fe436cb066394d81cf49448a04dec7c765082445a500bc44f1ae5e8a455793bd
Status: Downloaded newer image for python:3.4-alpine
---> 5c72717ec319
Step 2/5 : ADD . /code
---> a5790c0e3e94
Removing intermediate container 052c614e41d0
Step 3/5 : WORKDIR /code
---> a2ea9acb3005
Removing intermediate container 77f2375ca0a6
Step 4/5 : RUN pip install -r requirements.txt
---> Running in 5f4fe856776d
Collecting flask (from -r requirements.txt (line 1))
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1d30>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f19b0>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1828>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1588>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1390>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Could not find a version that satisfies the requirement flask (from -r requirements.txt (line 1)) (from versions: )
No matching distribution found for flask (from -r requirements.txt (line 1))
Pip fails to install anything.
The docker-compose.yml file looks like this:
version: '3'
services:
web:
build: .
ports:
- "5000:5000"
redis:
image: "redis:alpine"
And the main Dockerfile looks like this:
FROM python:3.4-alpine
ADD . /code
WORKDIR /code
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
Is there any way to be able to make this work in this particular case? Is there a general solution to this sort of problem that would allow me to pass to any container deployed the SSL certificates and have them be used?

In my case, I must add in my Dockerfile these sentences:
COPY company.crt /usr/local/share/ca-certificates/company.crt
RUN update-ca-certificates
...
RUN pip install --cert /etc/ssl/certs/company.pem -r requirements.txt
You need the certificate of your company in .crt format. When docker execute update-ca-certificates, linux will create a .pem file with the same name in the path: /etc/ssl/certs/. It will convert the network between pip in SSL.

This isn't really a docker-specific question: you are asking, in effect, "how do I install certificate authorities under Linux"? The answer is going to be the same regardless of whether you are running your ssl client inside or outside of a container.
Your Python image is based on alpine, and alpine uses the "ca-certificates" package to manage CA certificiates. To install your local CA certificates, you would need to (a) copy them into the /usr/share/ca-certificates directory and (b) run update-ca-certificates.
For example, adding something like this to your Dockerfile (before your pip install):
COPY company-ca.crt /usr/share/ca-certificates
RUN update-ca-certificates

In my case, Host machine's MTU is 1450, and Docker's MTU is 1500.
Which causes docker set MSS to 1460, and then TLS "server hello" packet got bigger than 1450 bytes, so the Host machine discard it.
To see if it's your case too, run ifconfig on both you Docker container and your host machine. If Host's MTU is less than 1500, it's easy to run into this discarding packet situation. Especially in HTTPS, for that "server hello" needs to send the certificate, which is a big packet

I was trying to read data from an API in my Go code and I was facing similar ssl error:
x509: certificate signed by unknown authority
My container was based on debian:stretch which is really really small ~100MB.
This happens when ca-certificates are not installed.
I installed ca-certificates (which also installs openssl) as shown below:
FROM debian:stretch
RUN apt-get update && apt-get install -y ca-certificates --no-install-recommends && rm -rf /var/lib/apt/lists/*
# ...
This will also work for any other base images which might not have ca-certificates installed.

DataStax opscenterd won't start on Ubuntu 15.04 x64

Issue:
sudo service opscenterd start
Failed to start opscenterd.service: Unit opscenterd.service failed to load: No such file or directory.
(ERROR)-(Exit Code 6)-(Unknown error code)
sudo service opscenterd status
opscenterd.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
Config
[webserver]
port = 8888
interface = 0.0.0.0
I tried another port and ip (localhost)
Cassandra installed and running (dsc21, cassandra 2.1.10)
no log files been generated in /var/log/opscenter/
opscenter installed via apt-get (5.2)
Please help me to resolve this issue

I have the same issues as you, seems like OpsCenter could not run as service on Ubuntu 15, I went running it as background process and it works,
try:
$ sudo your_opscenter_install_path/bin/opscenter
hope helpping

GPG Error Updating Ubuntu/Debian Packages

I am attempting to update my Ubuntu/Debian system and I am getting an error:
GPG error: http://deb.opera.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E585066A30C18A2B
What does it mean, and how can I resolve it?

Try following approach, is from there
The error NO_PUBKEY E585066A30C18A2B is the key for the Opera web
browser. To correct the error, run the following code.
wget -O - http://deb.opera.com/archive.key | apt-key add -

sudo wget -O - http://deb.opera.com/archive.key | apt-key add
--2016-09-24 09:42:48-- http://deb.opera.com/archive.key
Resolving deb.opera.com (deb.opera.com)... 185.26.183.130
Connecting to deb.opera.com (deb.opera.com)|185.26.183.130|:80... connected.
HTTP request sent, awaiting response... ERROR: This command can only be used by root.
200 OK
Length: 3152 (3,1K) [application/pgp-keys]
Saving to: ‘STDOUT’
- 0%[ ] 0 --.-KB/s in 0s
Cannot write to ‘-’ (Broken pipe).

Newer versions of apt also support
apt-key adv --fetch-keys https://deb.opera.com/archive.key
instead of
wget -qO - https://deb.opera.com/archive.key | apt-key add -
Additionally, you should always use https when loading the key.

Resources