Anonymous Services - Can We Get A List Going And Feedback?

Discussion in 'privacy technology' started by DasFox, Nov 2, 2010.

Thread Status:
Not open for further replies.
  1. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Thank you :)

    That's just a paraphrase of the statements in /etc/shorewall/policy and /etc/shorewall/rules. I gather that one specifies what's permitted, and also what's blocked. If you believe that's overkill, please provide an authoritative cite. Anyway, in /etc/shorewall/policy ...

    Block this machine from accessing NET ZONE, except for exceptions in /etc/shorewall/rules
    Allow this machine to access the VPN ZONE for everything
    Block anything from the NET ZONE to all other zones
    Block everything else

    ... and, in /etc/shorewall/rules ...

    Allow this machine to connect to any openvpn server using udp port 1194

    Yes, XeroBank's instructions for hardening the VPN in Windows assign a valid static IP to the physical NIC, but specify no DNS server for it. Once the VPN has been established, there's no need for DNS lookups, so everything's fine. If the VPN goes down, connections to URLs will fail, because there's no DNS server available (except for anything local, of course). However, connections to numeric IP addresses will succeed, because no DNS server is needed.

    Sorry, typo. Make that "NIC-specific rules". The Windows 7 firewall can do that ...

    http://technet.microsoft.com/en-us/library/cc754893(WS.10).aspx

    The goal is preventing all traffic through physical NICs/interfaces/connections except for the encrypted traffic with the OpenVPN server that implements the VPN. I rather thought that was obvious by now.

    So do I ;)
     
  2. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    When I said, what other outbound traffic and responses are there that need blocking, I meant what other types of traffic might happen over a VPN connection that we need to take some sort of action against?

    Most people, like myself, assumed that when you run OpenVPN there is no other traffic, that this is the purpose of a VPN: to make and allow only this one connection from client to server and nothing else. Now we're making it seem like it's not, and we need to block other traffic that can happen over this VPN connection.

    Can you please show a link to the XeroBank's instructions for hardening the VPN?

    What if you're on XP and use one of the many software firewalls out there, are any of them able to make NIC-specific rules? And is there any info out there online you can show us about this and making these types of rules?

    I also wasn't talking about the obvious, I'm well aware of what it is we are trying to do here, but many people seem to be under the assumption that by installing and using OpenVPN as an example security is already in place and there isn't much an end-user needs to do.

    Even myself I look at it like this, why make a client like OpenVPN if you can't even add in certain security measures like some of these we are discussing.


    THANKS
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    A "VPN connection" is just a connection to some other network. For "anonymous VPNs", that's a connection to some network with access to the internet. You don't control what's on it. So, at a minimum, you want to block all inbound traffic that's not responses to your outbound traffic. Most all modern operating systems come with such firewalls, and you may want to ensure that they're enabled. You can also set rules for outbound traffic through the VPN. And, of course, the VPN will also be firewalled, to regulate what you can do through it.

    Most VPN providers are probably not going to hack you. And you never know. It's better to be safe than sorry, right?

    https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/
    https://xerobank.com/support/articles/how-to-harden-openvpn-in-12-easy-steps/

    Windows 7 -- I posted the URL yesterday.
    Symantec Endpoint Protection does.
    For others, Google is your friend.

    OpenVPN does some of that, and various VPN providers go further to some extent, and ultimately, you're responsible for your own security. That's especially so if it really matters.

    Why not ask them?

    You're welcome.
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok, I'm aware of the VPN, so we are more concerned with just blocking incoming requests on the VPN connection, correct? Best to be safe and block all incoming requests other than legitimate VPN requests, but if you don't even know what those are, just block everything inbound, correct?

    Ok, for the sake of ease here for everyone, I think it's best if we can simply post links for OpenVPN client security for people to follow, and since you already posted two links, would there be any others you know of, or does that pretty much cover it? But the firewall part at XeroBank's is just for Linux, so it might be nice if someone knows of anything for Windows...

    By the way I did send in an email to OpenVPN asking about all this. Seems kind of odd to give a client to end-users and not make something for options for the newer user to harden it easier, or at least an online HowTo somewhere on OpenVPN for getting started with just the client securing it for users that connect to a VPN, like many of the anonymity services online...


    Thanks hierophant
     
  5. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    The xB shorewall config lines block all incoming requests on the VPN. Although there might be legitimate server messages -- such as "I'm about to reboot" or whatever -- the connection seems fine without them.

    Not me. Sorry.

    Thanks. And remember, OpenVPN is for all VPN connections, and you generally trust the server that you're connecting to.

    You're welcome!
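
Added example, not part of the thread or of XeroBank's files: a small Python model of the policy and rule lines paraphrased in the first post, showing which new connections they allow, including the inbound-from-VPN case described in the post above. The zone names `net` and `vpn` and the simplified matching (rules first, then the first matching policy line) are assumptions.

```python
# Simplified model of Shorewall's verdict for a NEW connection: rules are
# checked first, then the first matching policy line applies. Replies to
# allowed connections are accepted by connection tracking and not modelled.
# POLICY and RULES are constructed from the paraphrase in the thread; the
# zone names "net" and "vpn" are assumptions.
POLICY = """
#SOURCE  DEST  POLICY
$FW      net   DROP
$FW      vpn   ACCEPT
net      all   DROP
all      all   REJECT
"""

RULES = """
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   $FW     net   udp    1194
"""

def parse(text):
    """Split a config body into rows of columns, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone

def verdict(src, dst, proto, port):
    """Return the action for a new connection from zone src to zone dst."""
    for action, r_src, r_dst, r_proto, r_port in parse(RULES):
        if (zone_matches(r_src, src) and zone_matches(r_dst, dst)
                and r_proto == proto and int(r_port) == port):
            return action
    for p_src, p_dst, action in parse(POLICY):
        if zone_matches(p_src, src) and zone_matches(p_dst, dst):
            return action
    raise ValueError("policy has no catch-all line")

if __name__ == "__main__":
    for flow in [("$FW", "net", "udp", 1194), ("$FW", "net", "udp", 53),
                 ("$FW", "vpn", "tcp", 443), ("vpn", "$FW", "tcp", 22)]:
        print(flow, "->", verdict(*flow))
```

With the tunnel down, only the OpenVPN handshake on udp 1194 can leave the physical interface; new connections arriving from the VPN zone fall through to the final catch-all line.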
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I don't know exactly. Just way faster than it used to be. It depends on the connection that you get too. And I guess there is a way to control that.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well I installed Shorewall and OpenVPN in my Slackware box.

    Thank goodness for a single box Shorewall comes with some samples that work out of the box to give you the basics. Can't say I want to spend my life making iptables rules, LOL...

    Now all I have to do is find a nice VPN service I like, yeah still looking, LOL...

    Then I'll follow those steps on XeroBank's site to harden it....
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    :)

    There is much depth there, for sure ;)

    How would you know whether you liked it? I'm serious.

    They do seem to work. Also, FWIW, they were my introduction to iptables.
     
  9. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well all I'm looking for is decent speeds and the privacy, I think like most people.

    SwissVPN had nice speeds just that they log the session IP, so I wasn't thrilled about that.

    My gut feeling tells me Sweden is the way to go because of all the pirates there up in arms, so Sweden ended up starting a lot of VPN services to fight back and have their privacy. So personally I think this might be a good bet to go VPN in Sweden...

    Going to have to keep our eyes on Ipredator and see what comes of that...
     
  10. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Yep. Ipredator sounds about right to me. Maybe I'll take that one for a spin myself.
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Problem is for me, since this is one of the co-founders of Pirate Bay is all I know, not sure if there are more Pirate Bay members, I think this makes them a very open target, or at least eyes will possibly be on them.

    Ok, so we know these guys Mullvad and I listed Relakks, let's get a list going for Swedish VPN services.

    Here's what else I've found;

    Anonine
    https://www.anonine.com/en

    VPNtunnel (Read on http://www.start-vpn.com/vpn-providers/vpntunnel/vpntunnel/ that they might be a part of another network is all).
    https://www.vpntunnel.se/en/
     
  12. JokersWild

    JokersWild Registered Member

    Joined:
    Nov 10, 2008
    Posts:
    23
    This is a very positive discussion. I certainly don't want to throw cold water on anyone's parade. But if we're going to talk about Swedish services, might want to consider their seemingly imminent move towards EU Data Retention Compliance:

    http://www.thelocal.se/30150/20101111/

    http://www.thelocal.se/29854/20101027/

    I am a Countermail subscriber. They are based in Sweden. Out of concern, I sent an email today to Countermail support regarding the proposed legislation and received the following reply:

    "Hi,

    They have proposed a law that will force us to store the IP-numbers,
    sender-address and the receiver-address. The contents of the email will still be encrypted, and only readable by the owner.

    But we will probably move our servers to another country to avoid the
    IP-collection. This law is supposed to come into force July 1st next year. We
    will give more information about this as soon as we know the final result.

    Best Regards

    Countermail Support"

    Privacy and anonymity seem tougher and tougher to pull off no matter where one goes these days. So much to consider...
     
  13. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    You're not raining on any parade...

    This is for ISPs, and since a VPN service is not an ISP, from what I was told by a few VPN services, they are not affected.
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    $10.00 a month
    $80.00 a year
    $15.00 a month High Priority
    $120.00 a year High Priority
    http://www.atenlabs.com/zipline/

    ZombieHacking is pretty cool too. :D
    Where can I find a cheat sheet?
     
  15. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Zipline, it looks ok, but their contact section doesn't even work...

    OOPS! You forgot to upload swfobject.js ! You must upload this file for your form to work.

    Not having any part of your site not working like this is not professional at all and I take note of all these things when looking over a site, its layout and function. To me this is not professional and I'll pass...

    Thanks for sharing the info though Searching...

    By the way who or what is ZombieHacking?
     
  16. mskmm

    mskmm Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    5
    Does anyone know what program has the largest pool of US based proxies?

    I'm looking for one that has different areas and doesn't have the first 2 numbers the same (ie- 25.144.71.59 and 25.144.68.21 would link to same area) I'm currently trying 'easy hide ip' (trial) and it seems pretty good...not sure if their pay subscription has a bigger pool of proxies though.
     
  17. katio

    katio Guest

    Tor easily wins when it comes to numbers but I'm not sure why you'd want many IPs. It doesn't improve your anonymity at all.
     
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well I contacted Ipredator two days ago and no word back, so to me this isn't looking very professional when you can't give a reply back in 1-2 days.

    So I wrote them again, let's see if they reply now in a timely manner.

    Also anyone had any contact with them?


    THANKS
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Does TOR do IPv6?

    @DasFox

    ZombieHacking is the art of Neurolinguistic Programming.
    At the atenlabs site there is a cool vid, about an 8 minute cartoon, titled ZombieHacking.
    Also see Derren Brown http://www.youtube.com/watch?v=3Vz_YTNLn6w
     
  20. katio

    katio Guest

  21. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Ok wasn't sure what that had to do with Anonymous Services....
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you can NLP a person to do something for you you can remain anonymous. ;)
     
  23. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
  24. mskmm

    mskmm Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    5
    Is there any way to pick the network proxy in Tor? Or at least set it to US proxies only?
     
  25. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    149
    I think Jondo and Tor are complementary. E.g. Jondo's nodes are much more trustable than the Tor ones. But on the other side there are many more Tor nodes.

    Great feature: The beta Jondo client allows you to connect to the Jondo cascade through Tor, according to:

    You -> Tor -> Jondo entry Mix -> Jondo Exit mix -> internet

    The Jondo entry Mix doesn't know you, as it only sees the Tor exit's IP.

    And the Tor exit node can't sniff your traffic, because this traffic is encrypted by the Jondo client.


    This scheme combines the advantages of each network.



    NB: Concerning Linkideo: It's a Jersey company, and the VPN servers are located in NL, FR, US, and (I think) UK. They provide PPTP and OpenVPN.
     
    Last edited: Nov 20, 2010