Help w/ mining w/o leaking (Tor config)


#1

My goal is to minimize network exposure that I mine Zcash. I'm posting here because it is more important to me that I help other people do this. I've been spending the day trying to get this to work on a new install of Debian 8.6, but there is more going on "under the hood" than I know how to control. Below is a partial configuration, but I need assistance.

re: https://github.com/zcash/zcash/wiki/Beta-Guide

This is the initial update and then the install of Tor and Uncomplicated Firewall:

$ sudo apt-get update && sudo apt-get install tor apt-transport-tor ufw

Add these rules to allow incoming ssh and only allow outbound ssh, DNS, and Tor. It will prevent most non-Tor (80/443) leaks, mainly targeting things like "git clone", "wget", and further "apt-get" app disclosures:

$ sudo ufw limit 22/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose

Use only these apt sources and torify them (per onion.debian.org):

$ sudo vim /etc/apt/sources.list

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Now install the Zcash dependencies:

$ sudo apt-get install build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip git python zlib1g-dev wget bsdmainutils automake

Configure Tor:

$ sudo vim /etc/tor/torrc

SocksPort 9050
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

Clone Zcash from Github using Tor:

$ torsocks git clone https://github.com/zcash/zcash.git

$ cd zcash/

$ git checkout v1.0.0-beta2

Edit one line in the shell script to wget using Tor:

$ vim ./zcutil/fetch-params.sh

torsocks wget \

$ ./zcutil/fetch-params.sh

This is where I get stuck. With my UFW rules, this fails. I can't determine where there is further external communication / downloading. If I disable my outbound rules then the compile works fine.

$ ./zcutil/build.sh -j$(nproc)

I also saw that @ageis has posted "addnode=zctestseie6wxgio.onion", but i'm not yet sure where that will go.

Overall, I am surprised that Zcash has not yet documented this. This type of config is critical info, especially right at the beginning of it going live and having spent so much time in beta.

Cheers


#2

I'm curious why you're so worried about publicly mining?


#3

The less the enemy knows, the better.

The way the vast majority of internet users not only leak information about themselves but actually broadcast it is utterly careless.


#4

I'm bumping this posting because I feel (even though I admit that my knowledge and familiarity of this topic is limited) that this is an important issue.

Risks of de-anonymization with zcash and zcash mining should be better explained to teh n00bz (like me) when TOR is not used in conjunction with ZEC acquisition.


#6

Same here, I tried running it through torsocks but it's complaining about listening ports.

Any progress on this?