7

I'm trying to connect to the control port (9051) of Tor from a remote machine using the stem Python library.

dum.py

from stem import Signal
from stem.control import Controller


def set_new_ip():
    """Change IP using TOR"""
    with Controller.from_port(address = '10.130.8.169', port=9051) as controller:
        controller.authenticate(password='password')
        controller.signal(Signal.NEWNYM)
set_new_ip()

I'm getting the following error

Traceback (most recent call last):
  File "/home/jkl/anaconda3/lib/python3.5/site-packages/stem/socket.py", line 398, in _make_socket
    control_socket.connect((self._control_addr, self._control_port))
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "dum.py", line 28, in <module>
    set_new_ip();
  File "dum.py", line 7, in set_new_ip
    with Controller.from_port(address = '10.130.4.162', port=9051) as controller:
  File "/home/jkl/anaconda3/lib/python3.5/site-packages/stem/control.py", line 998, in from_port
    control_port = stem.socket.ControlPort(address, port)
  File "/home/jkl/anaconda3/lib/python3.5/site-packages/stem/socket.py", line 372, in __init__
    self.connect()
  File "/home/jkl/anaconda3/lib/python3.5/site-packages/stem/socket.py", line 243, in connect
    self._socket = self._make_socket()
  File "/home/jkl/anaconda3/lib/python3.5/site-packages/stem/socket.py", line 401, in _make_socket
    raise stem.SocketError(exc)
stem.SocketError: [Errno 111] Connection refused

Then I went through /etc/tor/torrc config file. It says

The port on which Tor will listen for local connections from Tor controller applications, as documented in control-spec.txt.

    ControlPort 9051
    ## If you enable the controlport, be sure to enable one of these
    ## authentication methods, to prevent attackers from accessing it.
    HashedControlPassword 16:E5364A963AF943CB607CFDAE3A49767F2F8031328D220CDDD1AE30A471
    SocksListenAddress 0.0.0.0:9050
    CookieAuthentication 1

My question is: how do I connect to the control port of Tor from a remote host?
Is there any workaround or config parameter that I need to set?

a possible duplicate of Stem is giving the "Unable to connect to port 9051" error which has no answers

jaggi

2 Answers

6

Tested with Tor 0.3.3.7.

ControlListenAddress config is OBSOLETE and Tor will ignore it and log the following message

[warn] Skipping obsolete configuration option 'ControlListenAddress'


You can still set ControlPort to 0.0.0.0:9051 in your torrc file. Though, Tor is not very happy about it (and rightly so) and will warn you

You have a ControlPort set to accept connections from a non-local address. This means that programs not running on your computer can reconfigure your Tor. That's pretty bad, since the controller protocol isn't encrypted! Maybe you should just listen on 127.0.0.1 and use a tool like stunnel or ssh to encrypt remote connections to your control port.

Also, you have to set either CookieAuthentication or HashedControlPassword otherwise ControlPort will be closed

You have a ControlPort set to accept unauthenticated connections from a non-local address. This means that programs not running on your computer can reconfigure your Tor, without even having to guess a password. That's so bad that I'm closing your ControlPort for you. If you need to control your Tor remotely, try enabling authentication and using a tool like stunnel or ssh to encrypt remote access.

All the risks mentioned in @drew010's answer still stand.

Dušan Maďar
5

You'd need to set ControlListenAddress in addition to the ControlPort. You could set that to 0.0.0.0 (binds to all addresses) or a specific IP your server listens on.

If you choose to do this it would be extremely advisable to configure your firewall to only allow control connections from specific IPs and block them from all others.

Also note, the control port traffic will not be encrypted, so it'd also be advisable to use cookie authentication so your password isn't sent over the net.

You could also run a hidden service to expose the control port over Tor and then connect to the hidden service using Stem and Tor.

But the general answer is ControlListenAddress needs to be set to bind to an IP other than 127.0.0.1 (localhost).

drew010
  • Thanks. This is exactly what I needed. They (tor project) should probably put this in man page or commented torrc config file. – jaggi Aug 27 '17 at 06:03
  • @jaggi They don't put it in the config example because this is a bad idea, but I linked to the man page for this option, so it's published. You could also use Klaus D's suggestion of an SSH tunnel, in this case, you'd specify the server IP and tunnel port. You'd need to establish the tunnel from the client machine and have SSH access, preferably using SSH keys. – drew010 Aug 27 '17 at 06:04
  • 1
    Here's the command you can use to set up the SSH tunnel from the Tor control client's side (if SSH is an option). `ssh -p 22 user@10.130.8.169 -L 15090:127.0.0.1:9051 -N` Then, have Stem connect to `127.0.0.1:15090` for the control connection. It will be tunneled securely over SSH. Seems like since the IP is 10.0.0.0/8 you may be on a private net so this may not be needed. – drew010 Aug 27 '17 at 06:17
  • Yes, I'm in a private network behind a firewall. I didn't know about ssh soln. Thanks for the detailed explanation – jaggi Aug 27 '17 at 13:04
  • 1
    FYI `ControlListenAddress` is no longer mentioned in the linked manual page. It is mentioned in https://people.torproject.org/~sysrqb/webwml/docs/tor-manual.html.en; though, with the following warning: `We strongly recommend that you leave this alone unless you know what you’re doing, since giving attackers access to your control listener is really dangerous.`. – Dušan Maďar Feb 23 '19 at 21:54
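
A small torrc check that reproduces the decisions described in the two answers above: the obsolete ControlListenAddress option, and a non-local ControlPort with and without authentication. It is an added example, not code from the posts or from Tor; the function names, finding labels and sample torrc text are constructed, and hostnames other than localhost are assumed to be remote.

```python
import ipaddress

# Constructed torrc fragments for illustration (not taken from a real host).
SAMPLE_EXPOSED = "ControlListenAddress 0.0.0.0\nControlPort 0.0.0.0:9051\n"
SAMPLE_LOCAL = "## control port\nControlPort 9051\nCookieAuthentication 1\n"

def parse_torrc(text):
    """Return (option, value) pairs; option names lowercased, # comments dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1) + [""]
            pairs.append((parts[0].lower(), parts[1].strip()))
    return pairs

def is_local(value):
    """True when a ControlPort value is reachable only from the local machine."""
    token = value.split()[0] if value.split() else ""
    if token.startswith("unix:") or ":" not in token:
        return True  # unix socket, bare port ("9051"), "auto" or empty
    host = token.rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"  # assumption: other hostnames are remote

def audit(text):
    """Return findings that mirror the Tor log messages quoted in the answers."""
    opts = parse_torrc(text)
    has_auth = any((k == "cookieauthentication" and v == "1") or
                   (k == "hashedcontrolpassword" and v != "") for k, v in opts)
    findings = []
    for key, value in opts:
        if key == "controllistenaddress":
            findings.append("obsolete-option: ControlListenAddress is skipped by Tor")
        elif key == "controlport" and not is_local(value):
            if has_auth:
                findings.append("exposed: non-local ControlPort, traffic is unencrypted; "
                                "bind 127.0.0.1 and tunnel over ssh or stunnel")
            else:
                findings.append("closed-by-tor: non-local ControlPort without "
                                "CookieAuthentication or HashedControlPassword")
    return findings

if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL)):
        print(name, audit(sample))
```

A bare `ControlPort 9051`, as in the question's torrc, produces no finding because it binds to localhost only, which is also why the remote connection in the question was refused.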