Anonabox has had a very chequered past, and it is by no means the best VPN router on the market. However, it isn’t intended to be.
Indeed, Anonabox was created with a single purpose: to provide a portable Tor client for accessing the internet more securely. Being able to run a VPN service on it is just a bonus. We recommend reading this full Anonabox review before you decide to purchase one; however, if you’re interested you can purchase it using the link below.
History of the Anonabox
Before we go on, we must state that the Anonabox has had a rather chequered past. It was originally launched on Kickstarter and raised over $500,000 within a week. Unfortunately, it was quickly discovered that its hardware and software are very similar to products you can already purchase online. This was then followed by the discovery of a vulnerability. With all of that happening, Kickstarter decided to pull the campaign.
Despite its initial pitfalls, Anonabox was purchased by a third-party company and is still alive and well. There are currently four different devices for sale: the Original, the Anonabox Pro, the Fawkes, and the Tunneler. Due to the number of iterations that they go through, if you’re reading user reviews it’s important
Tor on a Router
The Anonabox product is essentially a Tor router. For mainstream users, Tor has the following issues:
- It’s complicated to set up
- It’s not portable
- It’s not available on all operating systems
By running Tor on a router you overcome all of these issues, which makes the Anonabox a fantastic little tool for privacy.
Of course, a similar result can be achieved with a VPN router. Unfortunately, most VPN routers aren’t portable, though that isn’t to say they don’t exist.
What is Tor?
We won’t go into too much detail about Tor. In short, it’s a system that helps users stay private and anonymous by routing their traffic through multiple layers, which is where it got its name: The Onion Router. As traffic passes through each layer, another level of encryption is added, making your data impossible to decrypt.

When a user connects to the Tor network, their connection is routed through a random set of at least three nodes. Once the connection has passed through these relays, it reaches its final destination: the website you wish to visit. Incoming traffic is handled similarly to outgoing traffic. Usually this happens through the Tor Browser, but the Anonabox handles it at the router.
While the Tor network is heavily developed by the US government, the nodes themselves are run by individuals, which makes the system a lot more secure.
Tor vs VPN?
Tor and VPN both help protect your online anonymity and privacy. Unfortunately, while Tor has its positives, it can be extremely slow and a hassle to use. A secure and reliable VPN can offer you a similar level of protection without the drastic speed loss.
There are also Tor VPN services, but that’s a more complicated topic, and one for those who are extremely paranoid about their online security.
Physical Looks and Function
All versions of the Anonabox come in a small form-factor router the size of a cigarette box. All it requires to run is a USB port for power. Alongside this, you need an Ethernet cable to connect it to a network. Luckily, most airports and hotels have Ethernet ports that you can use.

Setup and Usage
Using the Anonabox is extremely straightforward. Just follow these steps.
- Connect it to power, either through your computer or a power socket.
- Connect it to the internet using the Ethernet port.
- Connect to the new WiFi network using the password provided.
- That’s it: your wireless network is now protected by Tor.
Some versions of the Anonabox also support the use of a VPN such as VyprVPN or HMA, and the Anonabox interface makes these easy to set up. The user manual clearly outlines the steps to follow, but in short they are as follows.
- Log in to your Anonabox web interface
- Navigate to Network -> VPN
- Enter your username and password for your VPN and select the location you wish to use.
- Connect
- Now all of your data is protected by a VPN and Tor
Anonabox vs InvizBox
As mentioned at the start of this article, there are a lot of devices similar to the Anonabox on the market, including on Amazon. One of the most popular competitors is InvizBox. While the two seem to offer much the same, we’d recommend InvizBox, as they seem to keep the product and website more up to date.
Conclusion
In conclusion, Anonabox is a very niche device. In our personal opinion, we’d avoid using it. While it’s relatively cheap and could be a useful device, on the whole the unstable past and present of the company discourages us from using it.
Anonabox Analysis
The following is research carried out by Lars Boegild Thomsen on the vulnerabilities of the original Anonabox. He found a number of deep technical issues embedded within the system and made a note of them. This section is intended to serve as an archive; should you have any questions relating to it, you should email Lars directly, as most of it is too technical even for us.
The Anonabox is, according to their website:
anonymity in a box
Anonabox is a Tor hardware router for increased online privacy &
anonymity. This pocket size device offers a plug-and-play solution
to route ALL of your network traffic over the Tor network. You
heard that right, no software to install, no activation, & no
registration. Just plug it in and start cloaking your online activity.
The website contains absolutely no links to any kind of documentation, source code or any other technical documentation, so I simply had to have a poke around the insides of this little router.

Initial Assessment
After plugging the WAN port of the Anonabox into my LAN and powering up the device, a new access point showed up on my phone:

I am guessing that “anbx1424833770” is the access point I should be using. Connecting to that access point, the first thing that is noticeable is the allocated IP address:

126.16.2.128? Now there is a new one! A quick search on whois shows:
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '126.0.0.0 - 126.255.255.255'
inetnum: 126.0.0.0 - 126.255.255.255
netname: BBTEC
descr: Japan Nation-wide Network of Softbank BB Corp.
country: JP
admin-c: SA421-AP
tech-c: SA421-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-JP-BBTECH
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20050208
changed: [email protected] 20081031
source: APNIC
role: SoftbankBB ABUSE
address: Tokyo Shiodome bldg., 1-9-1, Higashi-Shimbashi, Minatoku,Tokyo
country: JP
phone: +81-3-6688-5120
e-mail: [email protected]
remarks: Please send spam report,virus alart
remarks: or any other abuse report
remarks: to [email protected]
remarks: Any other Information, Notice,
remarks: Please send to [email protected]
admin-c: ST222-AP
tech-c: ST222-AP
nic-hdl: SA421-AP
notify: [email protected]
mnt-by: MAINT-JP-BBTECH
changed: [email protected] 20081030
source: APNIC
changed: [email protected] 20111114
% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
Now, there is a novel approach. Instead of using the three ranges of IP addresses that are allocated for private use, just grab a random one and use that. I guess it could be argued that since this device routes everything through Tor, it really doesn’t matter all that much. But it still seems rather pointless and I can’t imagine why on earth that decision was made.
Very well, the second test was to check if Tor is working:

It would appear so, because that is definitely not my public IP. A further quick check at https://check.torproject.org shows:

So yeah, the Anonabox appears to be working but it is downright shocking that the WiFi connection is running unencrypted. Anybody within range of the Anonabox can connect to the network and sniff all network traffic.
Normally, OpenWrt (which the Anonabox is based on) is running a web-based user interface that will enable the user to change the device configuration. Pointing the browser to:
resulted in – well – absolutely nothing. In other words, there doesn’t appear to be any way whatsoever that a user can make this security device – well – ahem – secure.
Breaking and Entering
In order to figure out how to get into the box, I hooked its LAN port up to my LAN. I hardcoded my IP address as:
126.16.1.2/24
And sure thing – I could now ping the Anonabox:
root@ncpws04:~# ping 126.16.2.1
PING 126.16.2.1 (126.16.2.1) 56(84) bytes of data.
64 bytes from 126.16.2.1: icmp_seq=1 ttl=51 time=132 ms
64 bytes from 126.16.2.1: icmp_seq=2 ttl=51 time=136 ms
The next step was to see if there were any ports open:
root@ncpws04:~# nmap -O -p- 126.16.2.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:05 MYT
Nmap scan report for softbank126016002001.bbtec.net (126.16.2.1)
Host is up (0.13s latency).
All 65535 scanned ports on softbank126016002001.bbtec.net (126.16.2.1) are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 13 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1034.15 seconds
So far it would appear that the Anonabox is locked down pretty tightly – except the unencrypted WiFi obviously. Apologies to bbtec.net, but I _really_ didn’t scan their public IP 🙂
However, since the box is running a Linux kernel and OpenWrt, IPv6 should be enabled by default. Since Tor does not support IPv6 at all, it seemed quite likely that the Anonabox came with the default IPv6 firewall and a working link-local address. Fortunately, as can be seen in the photo at the start of this page, the Anonabox came with the MAC address of at least one interface conveniently labelled on the box.
Using:
https://ben.akrin.com/ipv6_mac_address_to_link_local_converter/?mode=api&mac=0C:EF:AF:CA:14:82
The link-local address of one interface should be:
fe80::eef:afff:feca:1482
Trying to ping that:
lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1482%eth0
PING fe80::eef:afff:feca:1482%eth0(fe80::eef:afff:feca:1482) 56 data bytes
From fe80::e2cb:4eff:fe3e:11c6 icmp_seq=1 Destination unreachable: Address unreachable
A device running OpenWrt is likely to have more than one interface, and it is likely that the MAC addresses are allocated in series, so poking around a bit more resulted in:
lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1481%eth0
PING fe80::eef:afff:feca:1481%eth0(fe80::eef:afff:feca:1481) 56 data bytes
64 bytes from fe80::eef:afff:feca:1481: icmp_seq=1 ttl=64 time=0.483 ms
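The derivation the web converter performed above, as an added example that is not Lars's code: it turns a MAC printed on a case into the EUI-64 link-local address a Linux host auto-configures (RFC 4291, Appendix A) and, because embedded boards often assign consecutive MACs to their interfaces, also lists the neighbouring MACs. The point for a defender is that a MAC label on the enclosure amounts to publishing the management address, so link-local reachability is no protection. The MACs used are the ones on the page; the `spread` parameter is an assumption of mine.

```python
"""Derive the EUI-64 IPv6 link-local address from a MAC, plus neighbouring MACs."""
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept '0C:EF:AF:CA:14:82', '0c-ef-af-ca-14-82' or '0cefafca1482'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_link_local(mac: str) -> str:
    """EUI-64: flip the universal/local bit (0x02) of the first octet, insert
    ff:fe between the OUI and the device part, and prefix with fe80::/64."""
    octets = bytearray(parse_mac(mac))
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    addr = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)
    return str(addr)  # canonical compressed form, e.g. fe80::eef:afff:feca:1482


def neighbouring_macs(mac: str, spread: int = 1) -> list:
    """MACs within +/- spread of the labelled one (assumed consecutive allocation)."""
    base = int.from_bytes(parse_mac(mac), "big")
    out = []
    for delta in range(-spread, spread + 1):
        if delta == 0:
            continue
        raw = ((base + delta) & 0xFFFFFFFFFFFF).to_bytes(6, "big")
        out.append(":".join(f"{b:02X}" for b in raw))
    return out


def link_locals_for_label(mac: str, spread: int = 1) -> dict:
    """Map the labelled MAC and its neighbours to their link-local addresses."""
    return {m: mac_to_link_local(m) for m in [mac] + neighbouring_macs(mac, spread)}


if __name__ == "__main__":
    # The MAC printed on the Anonabox enclosure, as quoted on the page.
    for m, addr in link_locals_for_label("0C:EF:AF:CA:14:82").items():
        print(f"{m} -> {addr}")
```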
Time to do a port scan on that address:
root@ncpws04:~# nmap -O -p- fe80::eef:afff:feca:1481%eth0
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
fe80::eef:afff:feca:1481/0 looks like an IPv6 target specification -- you have to use the -6 option.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds
root@ncpws04:~# nmap -O -6 -p- fe80::eef:afff:feca:1481%eth0
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
Nmap scan report for fe80::eef:afff:feca:1481
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
32891/tcp open unknown
MAC Address: 0C:EF:AF:CA:14:81 (Unknown)
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6573.41 seconds
That took a while, but it was well worth it. First of all, port 80 is open. Unfortunately, I believe ‘lynx’ is the only browser that supports link-local addresses, so:
lynx http://[fe80::eef:afff:feca:1481%eth0]

While Lynx is pretty cool, it is a bit tedious to use. Fortunately there is a tool called tcpproxy that will proxy between IPv4 and IPv6 addresses:
lth@ncpws04:~/src/tcpproxy/src$ ./tcpproxy -D -t ipv4 -p 8087 -r fe80::eef:afff:feca:1481%eth0 -R 6 -o 80

By default, OpenWrt doesn’t come with a password, and that will be prominently displayed on the login page of LuCI. In other words, the Anonabox has got a root password hard-coded. And the root password is – I am not joking – “admin” (that took me 4 attempts; I think I tried root, anonabox, 12345678 and a few others first):

By now we know the root password and we have the web interface, so we could change that port zero for dropbear. But hold on – go back and check the port scan I did earlier – something is listening on port 32891. Could it be – surely not:
lth@ncpws04:~$ ssh -p 32891 root@fe80::eef:afff:feca:1481%eth0
The authenticity of host '[fe80::eef:afff:feca:1481%eth0]:32891 ([fe80::eef:afff:feca:1481%eth0]:32891)' can't be established.
RSA key fingerprint is 48:2d:c9:93:ab:39:c9:b7:55:52:71:a2:8e:56:e7:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[fe80::eef:afff:feca:1481%eth0]:32891' (RSA) to the list of known hosts.
root@fe80::eef:afff:feca:1481%eth0's password:
BusyBox v1.22.1 (2014-11-29 06:25:27 PHT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
[ANONABOX v2.1 ASCII-art banner]
[OpenWrt “WIRELESS FREEDOM” ASCII-art banner]
Based on CHAOS CALMER (Bleeding Edge, r41992)
root@anonabox:~#
There you have it – root shell on an Anonabox without changing a single thing.
Can the Anonabox be made secure?
Well, yes and no. Some of the obvious mistakes made by Anonabox can be remedied, and that will make it a better product. But there’s still a fundamental problem in the fact that the source code is not available, so a back door could theoretically be hidden in a binary file somewhere (dropbear, for example). It would be a far better approach to build an entirely new firmware.
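As an added example, not Lars's code and not anything shipped on the Anonabox, the following script audits OpenWrt UCI configuration text for the three configuration defects found in the assessment above and checks that the remedies hold: the LAN subnet carved out of public address space, the open SSID, and dropbear accepting a root password. The config snippets are constructed to mirror those findings, not dumped from a device; the `Interface 'lan'` restriction on dropbear and the 12-character passphrase floor are hardening choices of mine, not something the page specifies.

```python
"""Audit OpenWrt UCI config text for the weak settings found on the Anonabox."""
import ipaddress
import shlex

# Encryption values that give no confidentiality on the air.
WEAK_ENCRYPTION = {"none", "wep", "wep-open", "wep-shared"}


def parse_uci(text):
    """Minimal UCI parser: 'config <type> [name]' opens a section and
    'option <k> <v>' / 'list <k> <v>' set values in the current section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else f"@{parts[1]}[{len(sections)}]"
            sections.append((parts[1], name, {}))
        elif parts[0] in ("option", "list") and sections and len(parts) >= 3:
            sections[-1][2][parts[1]] = parts[2]
    return sections


def audit(network, wireless, dropbear):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for stype, name, o in parse_uci(network):
        if stype == "interface" and o.get("proto") == "static" and "ipaddr" in o:
            ip = ipaddress.ip_address(o["ipaddr"])
            if not ip.is_private:  # RFC 1918 for v4, ULA for v6
                findings.append(f"network.{name}: {ip} is globally routable, not RFC 1918 / ULA space")
    for stype, name, o in parse_uci(wireless):
        if stype != "wifi-iface" or o.get("mode", "ap") != "ap":
            continue
        enc, ssid = o.get("encryption", "none"), o.get("ssid", "?")
        if enc.split("+")[0] in WEAK_ENCRYPTION:  # e.g. 'none', 'wep+...' vs 'psk2+ccmp'
            findings.append(f"wireless {ssid!r}: encryption {enc!r}, anyone in range can join and sniff")
        elif len(o.get("key", "")) < 12:
            findings.append(f"wireless {ssid!r}: passphrase shorter than 12 characters")
    for stype, name, o in parse_uci(dropbear):
        if stype != "dropbear" or o.get("enable", "1") == "0":
            continue
        port = o.get("Port", "22")
        if o.get("PasswordAuth", "on") == "on" and o.get("RootPasswordAuth", "on") == "on":
            findings.append(f"dropbear on port {port}: root can log in with a password; use keys only")
        if not o.get("Interface"):
            findings.append(f"dropbear on port {port}: listens on every interface; set option Interface 'lan'")
    return findings


# Constructed configs mirroring what the research observed (not dumped from a
# real Anonabox): public 126.16.2.0/24 LAN, open SSID, password SSH on 32891.
WEAK_NETWORK = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option ipaddr '126.16.2.1'
    option netmask '255.255.255.0'
"""
WEAK_WIRELESS = """
config wifi-iface
    option device 'radio0'
    option network 'wifi'
    option mode 'ap'
    option ssid 'anbx1424833770'
    option encryption 'none'
"""
WEAK_DROPBEAR = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '32891'
"""
# The same three files with the remedies applied.
SAFE_NETWORK = WEAK_NETWORK.replace("126.16.2.1", "192.168.77.1")
SAFE_WIRELESS = WEAK_WIRELESS.replace("option encryption 'none'",
                                      "option encryption 'psk2+ccmp'\n"
                                      "    option key 'constructed-example-passphrase-2015'")
SAFE_DROPBEAR = """
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
"""


def audit_weak():
    return audit(WEAK_NETWORK, WEAK_WIRELESS, WEAK_DROPBEAR)


def audit_safe():
    return audit(SAFE_NETWORK, SAFE_WIRELESS, SAFE_DROPBEAR)


if __name__ == "__main__":
    for f in audit_weak():
        print("WEAK:", f)
    print("hardened config findings:", audit_safe())
```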
Gallery
- Xxx cracked open
- Xxx board btm view
- Xxx board top view
- Ripping firmware out of the darn thing
Raw Dumps
For each file I have added some comments at the end.
Serial console – boot
U-Boot 1.1.4 (Jan 24 2015)
AP121 (AR9331) U-Boot
DRAM: 64 MB
FLASH: Winbond W25Q128 (16 MB)
Using default environment
In: serial
Out: serial
Err: serial
Net: ag7240_enet_initialize...
: cfg1 0x5 cfg2 0x7114
eth0: 0C:EF:AF:CA:14:82
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 0C:EF:AF:CA:14:82
athrs26_reg_init_lan
eth1 up
Press any key to stop autoboot, Autobooting in : 0
Booting image at: 0x9F020000
Image name: OpenWrt r43423
Image type: MIPS Linux Kernel Image (lzma compressed)
Data size: 1107428 Bytes = 1.1 MB
Load address: 0x80060000
Entry point: 0x80060000
Uncompressing kernel image... OK!
Starting kernel...
[ 0.000000] Linux version 3.14.18 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Oolite Box V1
[ 0.560000] bio: create slab <bio-0> at 0
[ 0.570000] Switched to clocksource MIPS
[ 0.570000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.660000] msgmni has been set to 119
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[ 0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[ 0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[ 0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.770000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.770000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[ 0.790000] 0x000000ff0000-0x000001000000 : "art"
[ 0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.810000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 3.040000] TCP: cubic registered
[ 3.040000] NET: Registered protocol family 17
[ 3.050000] 8021q: 802.1Q VLAN Support v1.8
[ 3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
procd: Console is alive
procd: - watchdog -
[ 5.730000] usbcore: registered new interface driver usbfs
[ 5.730000] usbcore: registered new interface driver hub
[ 5.740000] usbcore: registered new device driver usb
[ 5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.750000] ehci-platform: EHCI generic platform driver
[ 5.760000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.800000] hub 1-0:1.0: USB hub found
[ 5.800000] hub 1-0:1.0: 1 port detected
procd: - preinit -
md5sum: can't open '/lib/firmware/ath10k/QCA988X/hw2.0/firmware-3.bin': No such file or directory
[ 7.960000] random: mktemp urandom read with 63 bits of entropy available
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
jffs2 is ready
jffs2 is ready
[ 11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
switching to overlay
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[ 14.820000] NET: Registered protocol family 10
[ 14.830000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 14.890000] u32 classifier
[ 14.890000] input device check on
[ 14.890000] Actions configured
[ 14.920000] Mirror/redirect action on
[ 14.950000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[ 14.970000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[ 14.980000] Backport generated by backports.git backports-20141023-2-g4ff890b
[ 15.000000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.190000] xt_time: kernel timezone is -0000
[ 15.250000] cfg80211: Calling CRDA to update world regulatory domain
[ 15.250000] cfg80211: World regulatory domain updated:
[ 15.260000] cfg80211: DFS Master region: unset
[ 15.260000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.270000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.280000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.290000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.290000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.300000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 15.310000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 15.320000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.330000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 15.430000] PPP generic driver version 2.4.2
[ 15.440000] NET: Registered protocol family 24
[ 15.570000] cfg80211: Calling CRDA for country: US
[ 15.590000] cfg80211: Regulatory domain changed to country: US
[ 15.590000] cfg80211: DFS Master region: FCC
[ 15.590000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.600000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.610000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[ 15.620000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[ 15.630000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.640000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 15.650000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[ 23.610000] random: nonblocking pool is initialized
[ 26.720000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 26.720000] device eth0 entered promiscuous mode
[ 26.740000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 26.800000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 26.820000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready
[ 29.140000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 29.160000] device wlan0 entered promiscuous mode
[ 29.200000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.200000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.210000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 29.230000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[ 29.240000] eth1: link up (100Mbps/Full duplex)
[ 29.240000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 31.200000] br-wifi: port 1(wlan0) entered forwarding state
procd: - init complete -
The main point of interest there is the fact that the kernel was built in China. In other words, it is doubtful whether Anonabox has been building its own OpenWrt from scratch.
Output of ‘dmesg’
[ 0.000000] Linux version 3.14.18 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[ 0.000000] MyLoader: sysp=8198bab2, boardp=99edd07b, parts=3b02dafb
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] free_area_init_node: node 0, pgdat 80338420, node_mem_map 81000000
[ 0.000000] Normal zone: 128 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 16384 pages, LIFO batch:3
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Oolite Box V1
[ 0.560000] bio: create slab <bio-0> at 0
[ 0.570000] Switched to clocksource MIPS
[ 0.570000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.610000] PCI: CLS 0 bytes, default 32
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.660000] msgmni has been set to 119
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[ 0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[ 0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[ 0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.770000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.770000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[ 0.790000] 0x000000ff0000-0x000001000000 : "art"
[ 0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.810000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 3.040000] TCP: cubic registered
[ 3.040000] NET: Registered protocol family 17
[ 3.050000] 8021q: 802.1Q VLAN Support v1.8
[ 3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
[ 5.730000] usbcore: registered new interface driver usbfs
[ 5.730000] usbcore: registered new interface driver hub
[ 5.740000] usbcore: registered new device driver usb
[ 5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.750000] ehci-platform: EHCI generic platform driver
[ 5.760000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.800000] hub 1-0:1.0: USB hub found
[ 5.800000] hub 1-0:1.0: 1 port detected
[ 7.960000] random: mktemp urandom read with 65 bits of entropy available
[ 11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
[ 14.570000] NET: Registered protocol family 10
[ 14.800000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 14.840000] u32 classifier
[ 14.840000] input device check on
[ 14.850000] Actions configured
[ 14.860000] Mirror/redirect action on
[ 14.880000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[ 14.890000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[ 14.900000] Backport generated by backports.git backports-20141023-2-g4ff890b
[ 14.930000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.120000] xt_time: kernel timezone is -0000
[ 15.160000] cfg80211: Calling CRDA to update world regulatory domain
[ 15.170000] cfg80211: World regulatory domain updated:
[ 15.170000] cfg80211: DFS Master region: unset
[ 15.170000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.180000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.190000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.200000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.210000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.210000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 15.220000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 15.230000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.240000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 15.340000] PPP generic driver version 2.4.2
[ 15.360000] NET: Registered protocol family 24
[ 15.440000] ath: EEPROM regdomain: 0x0
[ 15.440000] ath: EEPROM indicates default country code should be used
[ 15.440000] ath: doing EEPROM country->regdmn map search
[ 15.440000] ath: country maps to regdmn code: 0x3a
[ 15.440000] ath: Country alpha2 being used: US
[ 15.440000] ath: Regpair used: 0x3a
[ 15.450000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 15.470000] cfg80211: Calling CRDA for country: US
[ 15.480000] cfg80211: Regulatory domain changed to country: US
[ 15.480000] cfg80211: DFS Master region: FCC
[ 15.480000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.490000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.500000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[ 15.510000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[ 15.520000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.530000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 15.540000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[ 22.800000] random: nonblocking pool is initialized
[ 26.700000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 26.700000] device eth0 entered promiscuous mode
[ 26.720000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 26.780000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 26.790000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready
[ 29.390000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 29.430000] device wlan0 entered promiscuous mode
[ 29.450000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.450000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.460000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 29.500000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[ 31.450000] br-wifi: port 1(wlan0) entered forwarding state
[ 62.430000] eth1: link up (100Mbps/Full duplex)
[ 62.430000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Output of ‘ps w’
root@anonabox:~# ps w
PID USER VSZ STAT COMMAND
1 root 1396 S /sbin/procd
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u2:0]
7 root 0 SW< [khelper]
8 root 0 SW [kworker/u2:1]
59 root 0 SW< [writeback]
62 root 0 SW< [bioset]
64 root 0 SW< [kblockd]
90 root 0 SW [kworker/0:1]
97 root 0 SW [kswapd0]
144 root 0 SW [fsnotify_mark]
160 root 0 SW [spi0]
241 root 0 SW< [deferwq]
252 root 0 SW [khubd]
303 root 0 SWN [jffs2_gcd_mtd3]
358 root 888 S /sbin/ubusd
359 root 1372 S /bin/ash --login
521 root 0 SW< [ipv6_addrconf]
625 root 0 SW< [cfg80211]
726 root 1040 S /sbin/logd -S 16
760 root 1548 S /sbin/netifd
784 root 1160 S /usr/sbin/odhcpd
833 root 1152 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 0 -K 300
1218 root 1584 S /usr/sbin/hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
1264 tor 18652 S /usr/sbin/tor --PidFile /var/run/tor.pid
1276 root 1520 S /usr/sbin/uhttpd -f -h /www -r anonabox -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0
1404 nobody 928 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
1550 root 1364 S /usr/sbin/ntpd -n -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.open
1599 root 0 SW [kworker/0:0]
1604 root 1360 R ps w
The ‘-p 0’ parameter to dropbear is curious. As far as I know, dropbear can’t bind to TCP port 0, and “normally” port 0 means pick a random available port. If they intend to stop the use of SSH, why not simply remove the package or disable it?
Content of /etc/config/dhcp
root@anonabox:/etc/config# cat dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config dhcp
option start '100'
option leasetime '12h'
option limit '150'
option interface 'wifi'
Content of /etc/config/dropbear
root@anonabox:/etc/config# cat dropbear
config dropbear
option PasswordAuth 'on'
option Port '0'
There is that port 0 again. Odd.
Content of /etc/config/firewall
root@anonabox:/etc/config# cat firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option forward 'REJECT'
option input 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
That is pretty much OpenWrt default.
Content of /etc/config/luci
root@anonabox:/etc/config# cat luci
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/openwrt.org'
option resourcebase '/luci-static/resources'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
Content of /etc/config/network
root@anonabox:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd5:429b:7cf6::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '126.16.1.1'
option _orig_ifname 'eth0 wlan0'
option _orig_bridge 'true'
option ifname 'eth0'
option delegate '0'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option delegate '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
config interface 'onions'
option proto 'static'
option ifname 'onions'
option ipaddr '10.192.0.1'
option netmask '255.192.0.0'
option delegate '0'
config interface 'wifi'
option proto 'static'
option ipaddr '126.16.2.1'
option netmask '255.255.255.0'
option type 'bridge'
option _orig_ifname 'wifi'
option _orig_bridge 'true'
option ifname 'wifi'
option delegate '0'
The choice of IP addresses is deeply weird. I think it might be some misguided attempt at security through obscurity, but well – since there’s a DHCP server running that happily hands out IP addresses to anybody within WiFi range, it is not as if it is a big secret.
Content of /etc/config/qos
root@anonabox:/etc/config# cat qos
# QoS configuration for OpenWrt
# INTERFACES:
config interface wan
option classgroup "Default"
option enabled 0
option upload 128
option download 1024
# RULES:
config classify
option target "Priority"
option ports "22,53"
option comment "ssh, dns"
config classify
option target "Normal"
option proto "tcp"
option ports "20,21,25,80,110,443,993,995"
option comment "ftp, smtp, http(s), imap"
config classify
option target "Express"
option ports "5190"
option comment "AOL, iChat, ICQ"
config default
option target "Express"
option proto "udp"
option pktsize "-500"
config reclassify
option target "Priority"
option proto "icmp"
config default
option target "Bulk"
option portrange "1024-65535"
# Don't change the stuff below unless you
# really know what it means :)
config classgroup "Default"
option classes "Priority Express Normal Bulk"
option default "Normal"
config class "Priority"
option packetsize 400
option avgrate 10
option priority 20
config class "Priority_down"
option packetsize 1000
option avgrate 10
config class "Express"
option packetsize 1000
option avgrate 50
option priority 10
config class "Normal"
option packetsize 1500
option packetdelay 100
option avgrate 10
option priority 5
config class "Normal_down"
option avgrate 20
config class "Bulk"
option avgrate 1
option packetdelay 200
I don’t think this is used at all.
Content of /etc/config/system
root@anonabox:/etc/config# cat system
config system
option hostname 'anonabox'
option timezone 'UTC'
config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
option enabled '1'
option enable_server '0'
config led
option default '0'
option name '1'
option trigger 'netdev'
option mode 'tx rx'
option sysfs 'oolitebox:green:system'
option dev 'br-wifi'
Content of /etc/config/ucitrack
root@anonabox:/etc/config# cat ucitrack
config network
option init network
list affects dhcp
list affects radvd
config wireless
list affects network
config firewall
option init firewall
list affects luci-splash
list affects qos
list affects miniupnpd
config olsr
option init olsrd
config dhcp
option init dnsmasq
list affects odhcpd
config odhcpd
option init odhcpd
config dropbear
option init dropbear
config httpd
option init httpd
config fstab
option init fstab
config qos
option init qos
config system
option init led
list affects luci_statistics
config luci_splash
option init luci_splash
config upnpd
option init miniupnpd
config ntpclient
option init ntpclient
config samba
option init samba
config tinyproxy
option init tinyproxy
config 6relayd
option init 6relayd
Content of /etc/config/uhttpd
root@anonabox:/etc/config# cat uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
config cert 'px5g'
option days '730'
option bits '1024'
option country 'DE'
option state 'Berlin'
option location 'Berlin'
option commonname 'OpenWrt'
How nice of them to bind to IPv6. That is actually not the OpenWrt default, if I remember correctly.
Content of /etc/config/wireless
root@anonabox:/etc/config# cat wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '7'
option hwmode '11g'
option path 'platform/ar933x_wmac'
option noscan '1'
option disabled '0'
option htmode 'HT20'
option txpower '30'
option country 'US'
config wifi-iface
option device 'radio0'
option mode 'ap'
option encryption 'none'
option network 'wifi'
option ssid 'anbx1424833770'
Oh dear. This is really where it gets ugly. Open WiFi – no encryption – no password – random ssid apparently – syntax error in the UCI configuration file.
Output of “uci show”
root@anonabox:/etc/config# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp=0
dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd
dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update
dhcp.@dhcp[0]=dhcp
dhcp.@dhcp[0].start=100
dhcp.@dhcp[0].leasetime=12h
dhcp.@dhcp[0].limit=150
dhcp.@dhcp[0].interface=wifi
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Port=0
dropbear~.@dropbear[0]=dropbear
dropbear~.@dropbear[0].PasswordAuth=on
dropbear~.@dropbear[0].Port=22
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@defaults[0].input=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
luci.main=core
luci.main.lang=auto
luci.main.mediaurlbase=/luci-static/openwrt.org
luci.main.resourcebase=/luci-static/resources
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.globals=globals
network.globals.ula_prefix=fdd5:429b:7cf6::/48
network.lan=interface
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60
network.lan.ipaddr=126.16.1.1
network.lan._orig_ifname=eth0 wlan0
network.lan._orig_bridge=true
network.lan.ifname=eth0
network.lan.delegate=0
network.wan=interface
network.wan.ifname=eth1
network.wan.proto=dhcp
network.wan.delegate=0
network.@switch[0]=switch
network.@switch[0].name=switch0
network.@switch[0].reset=1
network.@switch[0].enable_vlan=1
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device=switch0
network.@switch_vlan[0].vlan=1
network.@switch_vlan[0].ports=0 1 2 3 4
network.onions=interface
network.onions.proto=static
network.onions.ifname=onions
network.onions.ipaddr=10.192.0.1
network.onions.netmask=255.192.0.0
network.onions.delegate=0
network.wifi=interface
network.wifi.proto=static
network.wifi.ipaddr=126.16.2.1
network.wifi.netmask=255.255.255.0
network.wifi.type=bridge
network.wifi._orig_ifname=wifi
network.wifi._orig_bridge=true
network.wifi.ifname=wifi
network.wifi.delegate=0
qos.wan=interface
qos.wan.classgroup=Default
qos.wan.enabled=0
qos.wan.upload=128
qos.wan.download=1024
qos.@classify[0]=classify
qos.@classify[0].target=Priority
qos.@classify[0].ports=22,53
qos.@classify[0].comment=ssh, dns
qos.@classify[1]=classify
qos.@classify[1].target=Normal
qos.@classify[1].proto=tcp
qos.@classify[1].ports=20,21,25,80,110,443,993,995
qos.@classify[1].comment=ftp, smtp, http(s), imap
qos.@classify[2]=classify
qos.@classify[2].target=Express
qos.@classify[2].ports=5190
qos.@classify[2].comment=AOL, iChat, ICQ
qos.@default[0]=default
qos.@default[0].target=Express
qos.@default[0].proto=udp
qos.@default[0].pktsize=-500
qos.@reclassify[0]=reclassify
qos.@reclassify[0].target=Priority
qos.@reclassify[0].proto=icmp
qos.@default[1]=default
qos.@default[1].target=Bulk
qos.@default[1].portrange=1024-65535
qos.Default=classgroup
qos.Default.classes=Priority Express Normal Bulk
qos.Default.default=Normal
qos.Priority=class
qos.Priority.packetsize=400
qos.Priority.avgrate=10
qos.Priority.priority=20
qos.Priority_down=class
qos.Priority_down.packetsize=1000
qos.Priority_down.avgrate=10
qos.Express=class
qos.Express.packetsize=1000
qos.Express.avgrate=50
qos.Express.priority=10
qos.Normal=class
qos.Normal.packetsize=1500
qos.Normal.packetdelay=100
qos.Normal.avgrate=10
qos.Normal.priority=5
qos.Normal_down=class
qos.Normal_down.avgrate=20
qos.Bulk=class
qos.Bulk.avgrate=1
qos.Bulk.packetdelay=200
Notice the “wireless” section is not included, probably because of the syntax error mentioned earlier.
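As an added example (not code from Anonabox or OpenWrt), the following Python parses the UCI file format shown above into the dotted notation that `uci show` prints, and then flags the weak settings this audit turned up. The sample configs are abridged from the listings on this page; the broken sample is a constructed illustration of a malformed file, not the device's actual syntax error.

```python
# Added example (not Anonabox or OpenWrt code): parse UCI config text into
# `uci show` notation and flag the weak settings seen on this device.
import shlex
from collections import defaultdict

# Constructed samples, abridged from the /etc/config listings above.
WIRELESS_CFG = """
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
    option ssid 'anbx1424833770'
"""
DROPBEAR_CFG = """
config dropbear
    option PasswordAuth 'on'
    option Port '0'
"""
FIREWALL_CFG = """
config rule
    option name 'Allow-ICMPv6-Forward'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    option limit '1000/sec'
"""
# Constructed: a file damaged by a boot script appending an unbalanced quote,
# the kind of syntax error that makes uci drop the whole package.
BROKEN_CFG = "config wifi-iface\n    option ssid 'anbx1424833770\n"


def parse_uci(text):
    """Sections as {"id","type","options":{key:[values]}}; anonymous ones get
    the `@type[n]` id that `uci show` prints. Raises ValueError when malformed."""
    sections, current = [], None
    anon_index = defaultdict(int)
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # '...' / "..." / # comments
        if not words:
            continue
        keyword = words[0]
        if keyword == "config":
            if len(words) not in (2, 3):
                raise ValueError(f"malformed config line: {raw.strip()!r}")
            stype = words[1]
            if len(words) == 3:
                sid = words[2]
            else:
                sid = f"@{stype}[{anon_index[stype]}]"
                anon_index[stype] += 1
            current = {"id": sid, "type": stype, "options": {}}
            sections.append(current)
        elif keyword in ("option", "list"):
            if current is None or len(words) != 3:
                raise ValueError(f"malformed {keyword} line: {raw.strip()!r}")
            key, value = words[1], words[2]
            if keyword == "option":
                current["options"][key] = [value]
            else:
                current["options"].setdefault(key, []).append(value)
        else:
            raise ValueError(f"unknown keyword {keyword!r}: {raw.strip()!r}")
    return sections


def uci_show(package, sections):
    """Render sections the way `uci show <package>` does (lists space-joined)."""
    lines = []
    for sec in sections:
        lines.append(f"{package}.{sec['id']}={sec['type']}")
        for key, values in sec["options"].items():
            lines.append(f"{package}.{sec['id']}.{key}={' '.join(values)}")
    return lines


def audit(configs):
    """configs: {package: file text}. Returns human-readable findings."""
    findings = []
    for package, text in configs.items():
        try:
            sections = parse_uci(text)
        except ValueError as exc:
            findings.append(f"{package}: unparsable, uci will not show it ({exc})")
            continue
        for sec in sections:
            first = {k: v[0] for k, v in sec["options"].items()}
            path = f"{package}.{sec['id']}"
            if (sec["type"] == "wifi-iface" and first.get("mode") == "ap"
                    and first.get("encryption", "none") == "none"):
                findings.append(f"{path}: open access point (encryption=none)")
            if sec["type"] == "dropbear":
                if first.get("Port") == "0":
                    findings.append(f"{path}: Port=0 does not disable sshd, "
                                    "it still listens on an ephemeral port")
                if first.get("PasswordAuth", "on") == "on":
                    findings.append(f"{path}: password authentication enabled")
    return findings
```

Running `audit` over the four samples yields one finding for the open access point, two for dropbear, none for the firewall rule, and one parse failure for the damaged file.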
Content of /etc/rc.d/S49ssid
root@anonabox:/overlay/etc/rc.d# cat S49ssid
#!/bin/sh
#echo "date;"
#/bin/date
#echo "date"
rm -rf /tmp/hash.txt
rm -rf /tmp/hash0.txt
rm -rf /tmp/hash1.txt
rm -rf /tmp/hash2.txt
rm -rf /tmp/wifitmp.txt
echo "anbx" >> /tmp/hash.txt
/bin/date +"%s" >> /tmp/hash.txt
echo "option ssid '" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash.txt >> /tmp/hash0.txt
echo "'" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash0.txt >> /tmp/hash1.txt
/bin/sed -e 's/,//g' /tmp/hash1.txt >> /tmp/hash2.txt
echo "#" >> /tmp/wifitmp.txt
/bin/sed '/option_ssid/d' /etc/config/wireless >> /tmp/wifitmp.txt
#/bin/date +"$s" >> /tmp/hash!txt
rm -rf /etc/config/wireless
#echo "#" >> /etc/config/wireless
#cat /tmp/wifitmp.txt >> /etc/config/wireless
cp -rf /etc/config/scripts/wireless /etc/config/wireless
cat /tmp/hash2.txt >> /etc/config/wireless
I am not sure what to say about this one. It is – by far – one of the ugliest pieces of shell script I have ever seen – and I have seen a lot.
On their web site, Anonabox claim that they have developed 5,201,567 lines of code. In all seriousness, the above are the ONLY lines of code I found in Anonabox that actually appear to have been developed by them. The rest is standard OpenWrt. So, excluding the comments:
root@anonabox:/# cat /etc/rc.d/S49ssid | grep -v "^#" | wc -l
20
In other words, Anonabox wrote 20 lines of code, not 5201567.
Apart from being almost unbelievably clumsy, this piece of shell script illustrates a fundamental lack of knowledge of the inner workings of OpenWrt, and a fundamental lack of knowledge of UNIX and shell scripting (but some love affair with ‘sed’). An update such as this should be done through uci, not by editing the config file directly!
And those 20 lines of code could have been handled elegantly like:
#!/bin/sh
uci set wireless.@wifi-iface[0].ssid=anon`/bin/date +"%s"` && uci commit
One line – ONE! And that wouldn’t result in a syntax error in the configuration file.
Also, I really don’t get the point of it. Why force a new ssid on the – otherwise open – WiFi on each boot? How annoying would that be in daily use?
Content of /etc/passwd
root@anonabox:/overlay/etc/rc.d# cat /etc/passwd
root:x:0:0:root:/root:/bin/false
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
tor:x:52:52:/var/lib/tor:/var/run/tor:/bin/false
Content of /etc/shadow
root@anonabox:/overlay/etc/rc.d# cat /etc/shadow
root:$1$u3ww8XNt$VSQBuEJUw70rDy3jh0JeO0:16403:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
tor:x:0:0:99999:7:::
Oh dear – a hard-coded root password that is completely undocumented and under normal circumstances impossible for the end-user to change. And it is: “admin”. What on earth possessed them?
Output of ‘netstat -a’
root@anonabox:~# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:58990 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:www 0.0.0.0:* LISTEN
tcp 0 0 126.16.2.1:9040 0.0.0.0:* LISTEN
tcp 0 0 anonabox.lan:9040 0.0.0.0:* LISTEN
tcp 0 0 localhost:9040 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:domain 0.0.0.0:* LISTEN
tcp 0 0 localhost:9050 0.0.0.0:* LISTEN
tcp 0 0 :::www :::* LISTEN
tcp 0 0 :::domain :::* LISTEN
tcp 0 0 :::58168 :::* LISTEN
udp 0 0 0.0.0.0:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 126.16.2.1:9053 0.0.0.0:*
udp 0 0 anonabox.lan:9053 0.0.0.0:*
udp 0 0 localhost:9053 0.0.0.0:*
udp 0 0 0.0.0.0:5300 0.0.0.0:*
udp 0 0 :::domain :::*
raw 0 0 :::58 ::%4429580:* 58
raw 0 0 :::58 ::%4429580:* 58
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 6 [ ] DGRAM 1037 /dev/log
unix 2 [ ] DGRAM 1991 /var/run/hostapd/wlan0
unix 2 [ ACC ] STREAM LISTENING 232 /var/run/ubus.sock
unix 2 [ ] DGRAM 1781
unix 3 [ ] STREAM CONNECTED 2134
unix 3 [ ] STREAM CONNECTED 1039
unix 2 [ ] DGRAM 1550
unix 3 [ ] STREAM CONNECTED 2133
unix 3 [ ] STREAM CONNECTED 2166
unix 3 [ ] STREAM CONNECTED 1137
unix 3 [ ] STREAM CONNECTED 235 /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 1993
unix 3 [ ] STREAM CONNECTED 2167 /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 234
unix 2 [ ] DGRAM 2375
unix 2 [ ] DGRAM 1330
unix 3 [ ] STREAM CONNECTED 1138 /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 1095
unix 3 [ ] STREAM CONNECTED 1994 /var/run/ubus.sock
unix 2 [ ] DGRAM 1553
unix 3 [ ] STREAM CONNECTED 1096 /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 1040 /var/run/ubus.sock
Notice – listening on port 80 for IPv4 + IPv6, and here is the killer – what is that thing listening on port 58168? That, my friends, is dropbear! In other words, it is possible to SSH to that port and log in as root/admin.
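The check a defender would want here, as an added example (not code from the device or OpenWrt): compare every listening socket in the netstat output against the services the configs on this page account for, and report what is left over. The netstat sample is constructed in the shape of the listing above, and the expected-port table is my reading of the uhttpd, dnsmasq and torrc settings shown on this page.

```python
# Added example (not Anonabox or OpenWrt code): flag listening sockets that no
# known service on the box accounts for, the check that would have surfaced
# the stray dropbear listener in the netstat output above.

# Constructed sample, copied in shape from the `netstat -a` listing above.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:58990 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:www 0.0.0.0:* LISTEN
tcp 0 0 126.16.2.1:9040 0.0.0.0:* LISTEN
tcp 0 0 localhost:9050 0.0.0.0:* LISTEN
tcp 0 0 :::www :::* LISTEN
tcp 0 0 :::domain :::* LISTEN
tcp 0 0 :::58168 :::* LISTEN
udp 0 0 0.0.0.0:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 126.16.2.1:9053 0.0.0.0:*
udp 0 0 0.0.0.0:5300 0.0.0.0:*
raw 0 0 :::58 ::%4429580:* 58
"""

# Service names that busybox netstat substitutes for well-known ports.
SERVICE_PORTS = {"www": 80, "https": 443, "domain": 53, "bootps": 67, "bootpc": 68}

# Listeners the configs on this page account for: (proto, port) -> owner.
# Assumption: derived from /etc/config/uhttpd, dnsmasq and /etc/tor/torrc above.
EXPECTED = {
    ("tcp", 80): "uhttpd", ("tcp", 443): "uhttpd",
    ("tcp", 53): "dnsmasq", ("udp", 53): "dnsmasq", ("udp", 67): "dnsmasq (DHCP)",
    ("tcp", 9040): "tor TransPort", ("tcp", 9050): "tor SocksPort (default)",
    ("udp", 9053): "tor DNSPort", ("udp", 5300): "tor DNSListenAddress",
}

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_listeners(netstat_text):
    """Return [(proto, host, port)] for every tcp LISTEN and every bound udp socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # headers, raw sockets and unix sockets are skipped
        proto, local = fields[0], fields[3]
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # established or closing connections are not listeners
        host, _, port_str = local.rpartition(":")  # works for ':::www' too
        port = SERVICE_PORTS.get(port_str) or int(port_str)
        listeners.append((proto, host, port))
    return listeners


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Non-loopback listeners that none of the known services account for."""
    return [(proto, host, port)
            for proto, host, port in parse_listeners(netstat_text)
            if host not in LOOPBACK and (proto, port) not in expected]
```

On the sample this returns the two high TCP ports, 58990 on IPv4 and 58168 on IPv6, which is exactly the pair the configs do not explain.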
Content of /etc/firewall.user
root@anonabox:/etc/dropbear# cat /etc/firewall.user
# everything else LAN goes over tor
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for LAN DNS (port 53) is sent to tor 9053
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053
# everything else wifi goes over tor
iptables -t nat -A PREROUTING -i br-wifi -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for wifi DNS (port 53) is sent to tor 9053
iptables -t nat -A PREROUTING -i br-wifi -p udp --dport 53 -j REDIRECT --to-ports 9053
# resolve the .onion hidden services
#iptables -A INPUT -p tcp --dport 9040 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040
#iptables -t nat -A OUTPUT -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040
# security rules from https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
#iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j DROP
# security rules to prevent kernel leaks from link above
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
Content of /etc/tor/torrc
root@anonabox:~# cat /etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 126.16.1.1
TransListenAddress 126.16.2.1
DNSPort 9053
DNSListenAddress 127.0.0.1
DNSListenAddress 0.0.0.0:5300
DNSListenAddress 126.16.1.1
DNSListenAddress 126.16.2.1
## Configuration file for a typical Tor user
## Last updated 12 September 2012 for Tor 0.2.4.3-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise
## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com
## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
# OutboundBindAddress 10.0.0.5
## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00
## Contact info to be published in the directory, so we can contact you
## if your relay is misconfigured or something else goes wrong. Google
## indexes this, so spammers might also collect it.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html
## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentially reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...
## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to your public IP address. See the man page entry
## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0
User tor
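As an added example (not code from the Anonabox firmware or from the Tor project), here is a small Python lint that reads a torrc and flags the three risks the comments in the file above call out: a SocksPort bound to a LAN address with no SocksPolicy, a ControlPort with neither HashedControlPassword nor CookieAuthentication (or a malformed hash), and logging above "notice". The sample torrc embedded in it is constructed from the dump above with those lines uncommented; it is not the device's real file.

```python
import re

# Constructed sample (not the device's real torrc): the dump above with the
# SOCKS, control-port and debug-log lines uncommented so the checks fire.
SAMPLE_TORRC = """\
SocksPort 9050            # loopback only, nothing to flag
SocksPort 192.168.0.1:9100
ControlPort 9051
Log debug file /var/log/tor/debug.log
RunAsDaemon 1
DataDirectory /var/lib/tor
User tor
"""

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# "16:" + hex(8-byte salt + 0x60 indicator + 20-byte SHA-1) = 58 hex chars
HASH_RE = re.compile(r"^16:[0-9A-Fa-f]{58}$")

def parse_torrc(text):
    """Map lowercased directive -> list of values (directives may repeat).
    Comment handling is simplified: '#' starts a comment, quoting is ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def lint_torrc(text):
    """Return finding codes for the risks the torrc comments describe."""
    conf = parse_torrc(text)
    found = []
    # A SocksPort on a LAN address is reachable by everyone on that network,
    # and with no SocksPolicy Tor accepts every request that reaches it.
    for value in conf.get("socksport", []):
        addr = value.split()[0] if value else "0"
        host = addr.rsplit(":", 1)[0] if ":" in addr else "127.0.0.1"
        if addr != "0" and not addr.startswith("unix:") \
                and host not in LOOPBACK and "sockspolicy" not in conf:
            found.append(f"socksport-exposed-without-policy:{addr}")
    # The control port gives full control of the Tor process, so it needs
    # HashedControlPassword (well-formed) or CookieAuthentication 1.
    if any(v and v.split()[0] != "0" for v in conf.get("controlport", [])):
        hashes = conf.get("hashedcontrolpassword", [])
        cookie = conf.get("cookieauthentication", ["0"])[-1] == "1"
        if not hashes and not cookie:
            found.append("controlport-without-auth")
        found += ["controlport-bad-hash-format" for h in hashes if not HASH_RE.match(h)]
    # "notice" is the advised level; debug/info logs can leak sensitive data.
    for value in conf.get("log", []):
        level = (value.split() or [""])[0].lower()
        if level in ("debug", "info"):
            found.append(f"verbose-log:{level}")
    return found

if __name__ == "__main__":
    print("\n".join(lint_torrc(SAMPLE_TORRC)))
```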
Firmware Archive
If any readers feel inclined to dig deeper into this, I have made an archive with files I have ripped out from the serial console.
I put the files on Github: