Re: [tor-relays] Debian relay Puppet module
On 16. Juni 2014 at 08:56:20, Alexander Fortin (alexander.for...@gmail.com) wrote: On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl wrote: You should never rely on short key IDs for anything. They can be forged within minutes. When you look at https://www.torproject.org/docs/debian.html.en , it fetches the key using the short key ID, but only imports a key that matches the whole fingerprint. Ok Done. There's a bug on the latest version of puppetlabs/apt (1.5.0) that’s currently limiting the key name to 8 or 16 digits: https://github.com/puppetlabs/puppetlabs-apt/pull/314 so I’m currently forcing the dependency to version 1.4.2 I've also added missing LICENSE and Modulefile files (for automatic dependency resolution via librarian-puppet or similar). I’m going to add the missing RSpec files in the next days. I found keys.gnupg.net to be unreliable sometimes, it would be good to have some fallback options. Maybe add this fallback options to https://www.torproject.org/docs/debian.html.en too? I also checked the latest version of the apt module but unfortunately there’s no default mechanism to fall back in case of a non responsive default GPG server. Anyway, the worst case scenario is that Puppet agent will fail because of the timeout (i.e. not installing anything until the key is fetched), so security should not be compromised. Latest version: https://github.com/shaftoe/puppet-tor/tree/fixes -- Alexander Fortin http://about.me/alexanderfortin ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] Operating system diversity?
Hi All, In the recent thread relating to Debian relay Puppet modules it was suggested that a greater diversity of operating systems in tor nodes wooudl be preferable. I'm not sure if this was meant as a technical or aesthetic preference, but I am curious. Is there any technical benefit to rounning a more diverse set of opensource oprating systems for tor nodes? I discount closed source as we don't know what's going on in there. Would that present significantly different attack surfaces? I can imagine a vulnerability in the TCP stack or other kernel functionality in Linux would not be the saem in FreeBSD or vice versa... My nodes are currently Ubuntu but if there's a reason to do so I coould possibly switch OS to FreeBSD (or hurd does tor run on hurd :)) -Jon ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operating system diversity?
On 17. Juni 2014 at 17:26:42, Jonathan D. Proulx (j...@csail.mit.edu) wrote: I'm not sure if this was meant as a technical or aesthetic preference, but I am curious. Is there any technical benefit to rounning a more diverse set of opensource oprating systems for tor nodes? I discount closed source as we don't know what's going on in there. Hi Jonathan, in the mentioned thread I agreed with the suggestion because I have always supposed that the more platforms and operating systems are supported, the easier it is to adopt the given technology. In my case, I was already running a Debian server and I thought it was a good idea to share some of its resources with the Tor community, and it was *very* easy. I guess there are others in my same situation (i.e. wanting to run a relay) but maybe running a different OS / distribution, and they give up because they don’t want or they can’t invest time in spinning up a new server just for that, or similar scenarios. By the way, I’m also curious to hear about technical and security implications -- Alexander Fortin http://about.me/alexanderfortin ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] tor-arm question
Hi, Just started a new tor relay on my raspberry pi yesterday and I'm monitoring with tor-arm over ssh. I'm currently listed on atlas.torproject.org with flags 'Fast', 'Running', 'V2Dir', and 'Valid' with 17hrs uptime. However, tor-arm is showing a blank for uptime and about once a minute, the CLI goes blank and then flickers back. (the flickering happens at the same rate for local and remote SSH) Also, about once every couple hours I get a 'Relay unresponsive' and then 10 seconds later 'Relay resumed'. Anything to do to remedy these issues? ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operating system diversity?
On Tue, Jun 17, 2014 at 10:38 AM, Jonathan D. Proulx j...@csail.mit.edu wrote: I'm not sure if this was meant as a technical or aesthetic preference, but I am curious. Is there any technical benefit to rounning a more diverse set of opensource oprating systems for tor nodes? I discount closed source as we don't know what's going on in there. Would that present significantly different attack surfaces? I can imagine a vulnerability in the TCP stack or other kernel functionality in Linux would not be the saem in FreeBSD or vice versa... My nodes are currently Ubuntu but if there's a reason to do so I coould possibly switch OS to FreeBSD (or hurd does tor run on hurd :)) These surface differences result in real world immunities. If all you're running is one thing, and that one thing gets cracked, it's over. This happens all the time. And it's not just the kernel, it's also the differences in libraries, etc. So yes, for that purpose regarding the Tor network, don't pick Linux or Windows. If you want to play and learn something new and not closed source, pick one of the BSD's... free, open, dfly, net. FreeBSD is the obvious general choice, the others will subject you to more specific challenges. 4796 Linux 1650 Windows 294 FreeBSD 75 Darwin 35 OpenBSD 9 NetBSD 4 Bitrig 2 SunOS 2 GNU/kFreeBSD 2 DragonFly ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] tor-arm question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Had the same issues on my pi when running over ssh. It simply is the fact, that your pi is running almost on max load. Type top in your console, and watch the pi working :) On 17. Juni 2014 19:28:23 MESZ, Adam Griffin adgri...@gmail.com wrote: Hi, Just started a new tor relay on my raspberry pi yesterday and I'm monitoring with tor-arm over ssh. I'm currently listed on atlas.torproject.org with flags 'Fast', 'Running', 'V2Dir', and 'Valid' with 17hrs uptime. However, tor-arm is showing a blank for uptime and about once a minute, the CLI goes blank and then flickers back. (the flickering happens at the same rate for local and remote SSH) Also, about once every couple hours I get a 'Relay unresponsive' and then 10 seconds later 'Relay resumed'. Anything to do to remedy these issues? ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays - -- We don't bubble you, we don't spoof you ;) Keep your data encrypted! Log you soon, your Admin elri...@elrippoisland.net Encrypted messages are welcome. 0x84DF1F7E6AE03644 - -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.4.11 (GNU/Linux) mQINBFH797MBEAC0Y0NeI7lmDR9szTEcWuHuRe0r/WjSRC0Nr5nXsghuMcxpJ3Dd BOBimi4hdMMK4iqPVMwNw6GpKYR3A9LHHjbYRXHUKrJmB+BaJVyzJXN5H6XvxTTb UfX+DaXAGJW/G+3cBB3qm/QaU8QGkBKfXq0DLTaTGPkGKxEAldj/8onGZhawdJs+ B92JrW+S2HDh15pIuXzSqe7eCcIOdvvwfWe0fJi2AraA7LYGpxP6GcC/b9JJpbq5 Y6DfE2Aun9ZK3iHqURyrms0Whbv1CgmUahL2MVYCsTsXwe0GwlAxxKvjXAiXuo+R 9wO5wsXvVVSVNqsk9Yqi+wYzdPKndTU0GyxSApQHroF+cxaZ8Lk0xloj18+LdCSs e5IiTSXH0MMsDdWWdHlrgk+bgDG+0Gu3ne4vMwGdKO7AhYgQW/ueMy4RnkG/nsV9 jry5BO4gGAI1Ij8KvqUzEnvJFGE3ptJogU+zazWWDUWmL3ecKb3aDRlJFnZ3kJ5h q8GolZVjpk99V+4B5WVRPXdej/p5J19tXycK/jdNmr4oC8NyUhIpe8xHELnfoB4z +rxiTx+KMnW0rY8EQg8O2ixEYt5my90IwQkxcxIxextVrqjJjYn8extc2/v8yGzI KmTEJxdADB5v/Jx4HiLHNDSfBUb8gfONCkNSTYvTcSwTjWzHOkXeE/9ZbQARAQAB tD5lbHJpcHBvIChrZWVwIHlvdXIgZGF0YSBlbmNyeXB0ZWQpIDxlbHJpcHBvQGVs cmlwcG9pc2xhbmQubmV0PokCOAQTAQIAIgUCUfv3swIbLwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQhN8ffmrgNkT8+BAAoAXBqu4/O2Cs5FSWWZpzgScNEgq7 uHhOKeYmRfgKlOUPoYlPB1DBqdOAXSKb9OvsmyOvpoGnqijB7aAJBoyQYW/OCQgd U8L4eTCf4yRZnfFLdgskcPfN1p0Rs/yinGEooBJFtYa7mT6J0UTW2JjCLZK2AFCW oF+KBu5JICXGBXigb2ZbX1jWjxP5H1RidQw6HF5z4z34SjLWAOOeZ8B/Xfz6Fs0s IAuLu2O4HE4DI8Qu196LhSVHHgr3uMTkvN1t5nKwyjrRQztwXXk9qIomII3ydNYb BYAGdWNNMfLb1kmDwC5wQHAFvSP1aiMF3aKAY+gl2wXSGO6JqM0SteJS3dytIljI kzu0atc9HuGs/HDQgdmpAS4WU2YefEr/WieltSiAKlwuC+3wg+CONJ6TE1vgNDU/ axerttb0jq7UQb/nAp05bsrB7XH1Vs+1ON9lUPEfWRmwQcrVK5JUrUWa/4tA/UeM XvFcPFtFluGTlLewgJIqcvjPXFwpbDZprXJsMkwew/A6B6n3+0sbgf7p3QSGkVbi dwQAymTbHdYqLnbcnKZhjto3Wjw1J5QB2wuiRYlpjV3i7AWTGlqoSTOWCCV+HamQ qeFYNYAWNFx3+J/oi7xDi8t9bHVNA205equ+y2sj3G5uGJ6LSHQ8AXp9uOipUUvU 1MJN0yLXr9PIwvi5Ag0EUfv3swEQAL0+MnxHGrTjSYdfdua4SBpmytDONM1EngeY s+WyaC/760MughKbaysI/nK2LB1vnwEY7f3NM4fxBx8u2T7VBm6Ez6Fs23Bb8Rkz f97bPSdxCmg64GPHfLA9uwTIXcYS+MpI86WOf6eWY0rRpf7Y9Nl7YoUNvzOyUPqc ggdcnHce8zYv7A/WS8flZDm8tVFPsHrQDEwNMws7ZhiNnHkeZeRJrvCuB7oEVich O/ROYoA5o6NozWYQbjxe1f6Yur4Q10qgVcxVnyLFJSbg6vZSzL7KYh3Z5iBOzPHt 7cwEDrW8W4Kl2Qj8rhJ4Wxs94CAtua7IXK44sVZWQbyHcOXRikgGMZKkEZzVCQa5 KD1u1ZrcBCyuMAir0hsmS3jhCUwpiE2c3SRk8O8CgixhTcBk0X/k9ZFu3Hbi1JMB FLzs/Nq3tYAYvVivhPloSxmYBPsafYHCZM83yBNNsralXh5zjB+di90G+AMXt2PN LTcdovZuWtC0s8/jrx+zv/AA4FAGYU9OVl+YL9ybFX8gSdMEcixyzQcKfiFBjpWv 5iFrwIuDlaXMcheyrhc9aGOxfx44OXc505+VjO/1Q/8EOWlJ6UwOi6GMkj5T+RFJ MDyP0UixS7dt6wTuD5t6PRuyWWxZswgrbL9hjwGFr154Z19TWeNWc23pWtUvQJos UCxl2nFHABEBAAGJBD4EGAECAAkFAlH797MCGy4CKQkQhN8ffmrgNkTBXSAEGQEC AAYFAlH797MACgkQJEPd69lQ0evA+Q/+M7lSFlrQWiRsFqDjh+kTJc+0OEBCvnfo N2KPyXXbfc//qup55PfEygE6C60zvrlv3WE33GZ5GS5MLuDMP82b+a5Yt16NQU7L WtAg1g0S0BvazW+28TgnfO8bhbGaFeE9ccw3xLmlbwZQ3f3LtMKdwFIROiG6hvAs 9U54QYti3tv9DowRYYWpdr0Ga8RqeGNtCKc0v2opy51MpzKWjwUW0i3XlSlyY8Lj 1KT8PyznNPw32nYpmDizz+0OUJNnn/kT+GnFoR3DJnFosTOrnxFJp+N+nejMp/gW r9NM0/E7H+P53IiytBOt5/0vsOaCFGdYGhKEjmJi3dHS4Xk1ObD1mjdD1YDOlWWU 3Md6BDHd4W7Q8gT7oQfTIMLd3HzV+WNPIdocPLBaeA/tRD8Pg5CCmncAmSub4F5T An7FlnACtSOv3cIWQ0TymS42DihDaJ5d1RvNzKw+zHYdPvf471JFZR3TDhkPbLIr 9czR7kbpnXRwchgwXQn306NVWf37TgA8wpbnFTazZ38iOeqcb9oKprqnbgEdr3PN OhKSlMTkzAqf3MEi2Fyua4BADMhS3oBwCRgDTlt6wquEytpNSlZaHnyiyIgOpekF Uy5K3w8NhHqeifRPrNb/UcCbXtXz+puqIEZHMenpv6FRlTTKpdoHoVXSkp1TPMGN /VaCiLbP4Z3xEw/9EbAJJkhmmx1Qw3ueoqc4h1MmhUtIdxSZ/oA9SjwlnY++zvaZ 6w1wTS4P+OUkETNDtItdpxXMJ9qfSy9voAQc2K43WMZCCmpPJYSdqaZZNPFj+Ne8 6FNtNKuUkXREybpHwlVAXnHzInmFOOM9RAmF70r3zEmKt77W1ztBLo2o9X79gPgL u9ThgrH6Oc2k46n+9nc3joccr7miiX/bp976DNWcWdOYThiSSOCb8Zw9/Zs935i1 wUVkYTj24tmBH4H5ov9ib7RPmU21ru458RbUKG0ONAqBtAHNyXHzUnXsrke+D4VW MI06YcXSk8YeYgQ8GxgHQc+W2bb8LIbKN1hEYJ0wzM62vKR2/Oiwuf8lXutIKTuz +v7Vj1PQd66DGHsxtWRaWnr1c54JTL2wICHJYKFH4grp7864+GL/uQ1O/Z/XxVku E1JQ/AnwBGU1M1S6otwWGWVRjzEzQtxsfcCEPvV/9td3FIFQAbGTPb+48XFU+TY9 8AlcXBlDzXq7c5f8Evn/oSIsZDt63K4HNTmMGqOTl/p1aA0e4eyX76LczY06rDP5
Re: [tor-relays] tor-arm question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Yes, especially when hitting Enter after sudo -u debian-tor arm Then it took a few seconds and the relay resumed. It never seemed to have these problems when running on it's own, so I think this is just due to the limited resources of the pi On 17. Juni 2014 20:13:44 MESZ, Adam Griffin adgri...@gmail.com wrote: Running top in a separate SSH session shows ~50% load average. I imagine spikes would cause the CLI interruptions and maybe relay unresponsive/resumed notices. Did you have the same blank uptime issue? On Tue, Jun 17, 2014 at 2:08 PM, Elrippo elri...@elrippoisland.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Had the same issues on my pi when running over ssh. It simply is the fact, that your pi is running almost on max load. Type top in your console, and watch the pi working :) On 17. Juni 2014 19:28:23 MESZ, Adam Griffin adgri...@gmail.com wrote: Hi, Just started a new tor relay on my raspberry pi yesterday and I'm monitoring with tor-arm over ssh. I'm currently listed on atlas.torproject.org with flags 'Fast', 'Running', 'V2Dir', and 'Valid' with 17hrs uptime. However, tor-arm is showing a blank for uptime and about once a minute, the CLI goes blank and then flickers back. (the flickering happens at the same rate for local and remote SSH) Also, about once every couple hours I get a 'Relay unresponsive' and then 10 seconds later 'Relay resumed'. Anything to do to remedy these issues? ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays - -- We don't bubble you, we don't spoof you ;) Keep your data encrypted! Log you soon, your Admin elri...@elrippoisland.net Encrypted messages are welcome. 0x84DF1F7E6AE03644 - -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.4.11 (GNU/Linux) mQINBFH797MBEAC0Y0NeI7lmDR9szTEcWuHuRe0r/WjSRC0Nr5nXsghuMcxpJ3Dd BOBimi4hdMMK4iqPVMwNw6GpKYR3A9LHHjbYRXHUKrJmB+BaJVyzJXN5H6XvxTTb UfX+DaXAGJW/G+3cBB3qm/QaU8QGkBKfXq0DLTaTGPkGKxEAldj/8onGZhawdJs+ B92JrW+S2HDh15pIuXzSqe7eCcIOdvvwfWe0fJi2AraA7LYGpxP6GcC/b9JJpbq5 Y6DfE2Aun9ZK3iHqURyrms0Whbv1CgmUahL2MVYCsTsXwe0GwlAxxKvjXAiXuo+R 9wO5wsXvVVSVNqsk9Yqi+wYzdPKndTU0GyxSApQHroF+cxaZ8Lk0xloj18+LdCSs e5IiTSXH0MMsDdWWdHlrgk+bgDG+0Gu3ne4vMwGdKO7AhYgQW/ueMy4RnkG/nsV9 jry5BO4gGAI1Ij8KvqUzEnvJFGE3ptJogU+zazWWDUWmL3ecKb3aDRlJFnZ3kJ5h q8GolZVjpk99V+4B5WVRPXdej/p5J19tXycK/jdNmr4oC8NyUhIpe8xHELnfoB4z +rxiTx+KMnW0rY8EQg8O2ixEYt5my90IwQkxcxIxextVrqjJjYn8extc2/v8yGzI KmTEJxdADB5v/Jx4HiLHNDSfBUb8gfONCkNSTYvTcSwTjWzHOkXeE/9ZbQARAQAB tD5lbHJpcHBvIChrZWVwIHlvdXIgZGF0YSBlbmNyeXB0ZWQpIDxlbHJpcHBvQGVs cmlwcG9pc2xhbmQubmV0PokCOAQTAQIAIgUCUfv3swIbLwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQhN8ffmrgNkT8+BAAoAXBqu4/O2Cs5FSWWZpzgScNEgq7 uHhOKeYmRfgKlOUPoYlPB1DBqdOAXSKb9OvsmyOvpoGnqijB7aAJBoyQYW/OCQgd U8L4eTCf4yRZnfFLdgskcPfN1p0Rs/yinGEooBJFtYa7mT6J0UTW2JjCLZK2AFCW oF+KBu5JICXGBXigb2ZbX1jWjxP5H1RidQw6HF5z4z34SjLWAOOeZ8B/Xfz6Fs0s IAuLu2O4HE4DI8Qu196LhSVHHgr3uMTkvN1t5nKwyjrRQztwXXk9qIomII3ydNYb BYAGdWNNMfLb1kmDwC5wQHAFvSP1aiMF3aKAY+gl2wXSGO6JqM0SteJS3dytIljI kzu0atc9HuGs/HDQgdmpAS4WU2YefEr/WieltSiAKlwuC+3wg+CONJ6TE1vgNDU/ axerttb0jq7UQb/nAp05bsrB7XH1Vs+1ON9lUPEfWRmwQcrVK5JUrUWa/4tA/UeM XvFcPFtFluGTlLewgJIqcvjPXFwpbDZprXJsMkwew/A6B6n3+0sbgf7p3QSGkVbi dwQAymTbHdYqLnbcnKZhjto3Wjw1J5QB2wuiRYlpjV3i7AWTGlqoSTOWCCV+HamQ qeFYNYAWNFx3+J/oi7xDi8t9bHVNA205equ+y2sj3G5uGJ6LSHQ8AXp9uOipUUvU 1MJN0yLXr9PIwvi5Ag0EUfv3swEQAL0+MnxHGrTjSYdfdua4SBpmytDONM1EngeY s+WyaC/760MughKbaysI/nK2LB1vnwEY7f3NM4fxBx8u2T7VBm6Ez6Fs23Bb8Rkz f97bPSdxCmg64GPHfLA9uwTIXcYS+MpI86WOf6eWY0rRpf7Y9Nl7YoUNvzOyUPqc ggdcnHce8zYv7A/WS8flZDm8tVFPsHrQDEwNMws7ZhiNnHkeZeRJrvCuB7oEVich O/ROYoA5o6NozWYQbjxe1f6Yur4Q10qgVcxVnyLFJSbg6vZSzL7KYh3Z5iBOzPHt 7cwEDrW8W4Kl2Qj8rhJ4Wxs94CAtua7IXK44sVZWQbyHcOXRikgGMZKkEZzVCQa5 KD1u1ZrcBCyuMAir0hsmS3jhCUwpiE2c3SRk8O8CgixhTcBk0X/k9ZFu3Hbi1JMB FLzs/Nq3tYAYvVivhPloSxmYBPsafYHCZM83yBNNsralXh5zjB+di90G+AMXt2PN LTcdovZuWtC0s8/jrx+zv/AA4FAGYU9OVl+YL9ybFX8gSdMEcixyzQcKfiFBjpWv 5iFrwIuDlaXMcheyrhc9aGOxfx44OXc505+VjO/1Q/8EOWlJ6UwOi6GMkj5T+RFJ MDyP0UixS7dt6wTuD5t6PRuyWWxZswgrbL9hjwGFr154Z19TWeNWc23pWtUvQJos UCxl2nFHABEBAAGJBD4EGAECAAkFAlH797MCGy4CKQkQhN8ffmrgNkTBXSAEGQEC AAYFAlH797MACgkQJEPd69lQ0evA+Q/+M7lSFlrQWiRsFqDjh+kTJc+0OEBCvnfo N2KPyXXbfc//qup55PfEygE6C60zvrlv3WE33GZ5GS5MLuDMP82b+a5Yt16NQU7L WtAg1g0S0BvazW+28TgnfO8bhbGaFeE9ccw3xLmlbwZQ3f3LtMKdwFIROiG6hvAs 9U54QYti3tv9DowRYYWpdr0Ga8RqeGNtCKc0v2opy51MpzKWjwUW0i3XlSlyY8Lj 1KT8PyznNPw32nYpmDizz+0OUJNnn/kT+GnFoR3DJnFosTOrnxFJp+N+nejMp/gW r9NM0/E7H+P53IiytBOt5/0vsOaCFGdYGhKEjmJi3dHS4Xk1ObD1mjdD1YDOlWWU 3Md6BDHd4W7Q8gT7oQfTIMLd3HzV+WNPIdocPLBaeA/tRD8Pg5CCmncAmSub4F5T An7FlnACtSOv3cIWQ0TymS42DihDaJ5d1RvNzKw+zHYdPvf471JFZR3TDhkPbLIr
Re: [tor-relays] tor-arm question
Running top in a separate SSH session shows ~50% load average. I imagine spikes would cause the CLI interruptions and maybe relay unresponsive/resumed notices. Did you have the same blank uptime issue? On Tue, Jun 17, 2014 at 2:08 PM, Elrippo elri...@elrippoisland.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Had the same issues on my pi when running over ssh. It simply is the fact, that your pi is running almost on max load. Type top in your console, and watch the pi working :) On 17. Juni 2014 19:28:23 MESZ, Adam Griffin adgri...@gmail.com wrote: Hi, Just started a new tor relay on my raspberry pi yesterday and I'm monitoring with tor-arm over ssh. I'm currently listed on atlas.torproject.org with flags 'Fast', 'Running', 'V2Dir', and 'Valid' with 17hrs uptime. However, tor-arm is showing a blank for uptime and about once a minute, the CLI goes blank and then flickers back. (the flickering happens at the same rate for local and remote SSH) Also, about once every couple hours I get a 'Relay unresponsive' and then 10 seconds later 'Relay resumed'. Anything to do to remedy these issues? ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays - -- We don't bubble you, we don't spoof you ;) Keep your data encrypted! Log you soon, your Admin elri...@elrippoisland.net Encrypted messages are welcome. 0x84DF1F7E6AE03644 - -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.4.11 (GNU/Linux) mQINBFH797MBEAC0Y0NeI7lmDR9szTEcWuHuRe0r/WjSRC0Nr5nXsghuMcxpJ3Dd BOBimi4hdMMK4iqPVMwNw6GpKYR3A9LHHjbYRXHUKrJmB+BaJVyzJXN5H6XvxTTb UfX+DaXAGJW/G+3cBB3qm/QaU8QGkBKfXq0DLTaTGPkGKxEAldj/8onGZhawdJs+ B92JrW+S2HDh15pIuXzSqe7eCcIOdvvwfWe0fJi2AraA7LYGpxP6GcC/b9JJpbq5 Y6DfE2Aun9ZK3iHqURyrms0Whbv1CgmUahL2MVYCsTsXwe0GwlAxxKvjXAiXuo+R 9wO5wsXvVVSVNqsk9Yqi+wYzdPKndTU0GyxSApQHroF+cxaZ8Lk0xloj18+LdCSs e5IiTSXH0MMsDdWWdHlrgk+bgDG+0Gu3ne4vMwGdKO7AhYgQW/ueMy4RnkG/nsV9 jry5BO4gGAI1Ij8KvqUzEnvJFGE3ptJogU+zazWWDUWmL3ecKb3aDRlJFnZ3kJ5h q8GolZVjpk99V+4B5WVRPXdej/p5J19tXycK/jdNmr4oC8NyUhIpe8xHELnfoB4z +rxiTx+KMnW0rY8EQg8O2ixEYt5my90IwQkxcxIxextVrqjJjYn8extc2/v8yGzI KmTEJxdADB5v/Jx4HiLHNDSfBUb8gfONCkNSTYvTcSwTjWzHOkXeE/9ZbQARAQAB tD5lbHJpcHBvIChrZWVwIHlvdXIgZGF0YSBlbmNyeXB0ZWQpIDxlbHJpcHBvQGVs cmlwcG9pc2xhbmQubmV0PokCOAQTAQIAIgUCUfv3swIbLwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQhN8ffmrgNkT8+BAAoAXBqu4/O2Cs5FSWWZpzgScNEgq7 uHhOKeYmRfgKlOUPoYlPB1DBqdOAXSKb9OvsmyOvpoGnqijB7aAJBoyQYW/OCQgd U8L4eTCf4yRZnfFLdgskcPfN1p0Rs/yinGEooBJFtYa7mT6J0UTW2JjCLZK2AFCW oF+KBu5JICXGBXigb2ZbX1jWjxP5H1RidQw6HF5z4z34SjLWAOOeZ8B/Xfz6Fs0s IAuLu2O4HE4DI8Qu196LhSVHHgr3uMTkvN1t5nKwyjrRQztwXXk9qIomII3ydNYb BYAGdWNNMfLb1kmDwC5wQHAFvSP1aiMF3aKAY+gl2wXSGO6JqM0SteJS3dytIljI kzu0atc9HuGs/HDQgdmpAS4WU2YefEr/WieltSiAKlwuC+3wg+CONJ6TE1vgNDU/ axerttb0jq7UQb/nAp05bsrB7XH1Vs+1ON9lUPEfWRmwQcrVK5JUrUWa/4tA/UeM XvFcPFtFluGTlLewgJIqcvjPXFwpbDZprXJsMkwew/A6B6n3+0sbgf7p3QSGkVbi dwQAymTbHdYqLnbcnKZhjto3Wjw1J5QB2wuiRYlpjV3i7AWTGlqoSTOWCCV+HamQ qeFYNYAWNFx3+J/oi7xDi8t9bHVNA205equ+y2sj3G5uGJ6LSHQ8AXp9uOipUUvU 1MJN0yLXr9PIwvi5Ag0EUfv3swEQAL0+MnxHGrTjSYdfdua4SBpmytDONM1EngeY s+WyaC/760MughKbaysI/nK2LB1vnwEY7f3NM4fxBx8u2T7VBm6Ez6Fs23Bb8Rkz f97bPSdxCmg64GPHfLA9uwTIXcYS+MpI86WOf6eWY0rRpf7Y9Nl7YoUNvzOyUPqc ggdcnHce8zYv7A/WS8flZDm8tVFPsHrQDEwNMws7ZhiNnHkeZeRJrvCuB7oEVich O/ROYoA5o6NozWYQbjxe1f6Yur4Q10qgVcxVnyLFJSbg6vZSzL7KYh3Z5iBOzPHt 7cwEDrW8W4Kl2Qj8rhJ4Wxs94CAtua7IXK44sVZWQbyHcOXRikgGMZKkEZzVCQa5 KD1u1ZrcBCyuMAir0hsmS3jhCUwpiE2c3SRk8O8CgixhTcBk0X/k9ZFu3Hbi1JMB FLzs/Nq3tYAYvVivhPloSxmYBPsafYHCZM83yBNNsralXh5zjB+di90G+AMXt2PN LTcdovZuWtC0s8/jrx+zv/AA4FAGYU9OVl+YL9ybFX8gSdMEcixyzQcKfiFBjpWv 5iFrwIuDlaXMcheyrhc9aGOxfx44OXc505+VjO/1Q/8EOWlJ6UwOi6GMkj5T+RFJ MDyP0UixS7dt6wTuD5t6PRuyWWxZswgrbL9hjwGFr154Z19TWeNWc23pWtUvQJos UCxl2nFHABEBAAGJBD4EGAECAAkFAlH797MCGy4CKQkQhN8ffmrgNkTBXSAEGQEC AAYFAlH797MACgkQJEPd69lQ0evA+Q/+M7lSFlrQWiRsFqDjh+kTJc+0OEBCvnfo N2KPyXXbfc//qup55PfEygE6C60zvrlv3WE33GZ5GS5MLuDMP82b+a5Yt16NQU7L WtAg1g0S0BvazW+28TgnfO8bhbGaFeE9ccw3xLmlbwZQ3f3LtMKdwFIROiG6hvAs 9U54QYti3tv9DowRYYWpdr0Ga8RqeGNtCKc0v2opy51MpzKWjwUW0i3XlSlyY8Lj 1KT8PyznNPw32nYpmDizz+0OUJNnn/kT+GnFoR3DJnFosTOrnxFJp+N+nejMp/gW r9NM0/E7H+P53IiytBOt5/0vsOaCFGdYGhKEjmJi3dHS4Xk1ObD1mjdD1YDOlWWU 3Md6BDHd4W7Q8gT7oQfTIMLd3HzV+WNPIdocPLBaeA/tRD8Pg5CCmncAmSub4F5T An7FlnACtSOv3cIWQ0TymS42DihDaJ5d1RvNzKw+zHYdPvf471JFZR3TDhkPbLIr 9czR7kbpnXRwchgwXQn306NVWf37TgA8wpbnFTazZ38iOeqcb9oKprqnbgEdr3PN OhKSlMTkzAqf3MEi2Fyua4BADMhS3oBwCRgDTlt6wquEytpNSlZaHnyiyIgOpekF Uy5K3w8NhHqeifRPrNb/UcCbXtXz+puqIEZHMenpv6FRlTTKpdoHoVXSkp1TPMGN /VaCiLbP4Z3xEw/9EbAJJkhmmx1Qw3ueoqc4h1MmhUtIdxSZ/oA9SjwlnY++zvaZ 6w1wTS4P+OUkETNDtItdpxXMJ9qfSy9voAQc2K43WMZCCmpPJYSdqaZZNPFj+Ne8 6FNtNKuUkXREybpHwlVAXnHzInmFOOM9RAmF70r3zEmKt77W1ztBLo2o9X79gPgL
Re: [tor-relays] Debian relay Puppet module
On 06/17/2014 02:49 AM, Alex Jordan wrote: In my dream world, it would not only support Debian: Right now, most of the Tor network runs on Debian, which is not ideal. We need more *BSD and Solaris! And FreeDOS! :) Why is this not ideal? I'm not following. Also, do you mean Debian or Debian-like? If the latter, Tor Cloud (Ubuntu) probably accounts for a fair bit of that inbalance. If there's a problem with one implementation, an attacker can easily take over the parts that are based on that implementation. Diversity of relay operation systems helps against single points of failure (like the Debian OpenSSL issue, or even the 1.x Heartbleed). -- Moritz Bartl https://www.torservers.net/ ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Debian relay Puppet module
On Sun, Jun 15, 2014 at 7:31 AM, Alexander Fortin
alexander.for...@gmail.com wrote:
I’ve recently joined the Tor Project and I have been running a non exit relay
for a few days.
I’m also a Puppet user and, more in general, I try to make deploying
applications
on the servers I administer as easy as possibile, Tor included.
I think Tor documentation to install on a Debian server is quite good, but I
still prefer to
have Puppet doing that for me, and I’m quite sure every Puppet user out there
would think
the same.
Hey, thanks for doing this! I have kinda wanted to put something
similar together for a while but haven't had the time. Here are some
thoughts, in no particular order:
Why do you disable directory mirroring? It's my understanding that
this should basically always be on.
It would be nice if exit-relay mode enabled an HTTP exit notice as
described at
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
Tor relays get pounded on by the script kiddies -- a degree of
hardening is appropriate. I don't know if there are any stock Puppet
tighten security modules but these are the things that I remember
having done to mine. Note that my relays serve no other traffic and
have no non-root user accounts; some of these configuration choices
may be inappropriate for multi-use machines.
- install fail2ban and ufw; firewall incoming traffic to ports other
than 9001, 9030, and 22 (ssh) (I don't think the marginal benefit of
moving ssh to a nonstandard port is worth the hassle).
- sshd_config configuration tuning: beware that this will lock out
any user account with no SSH authorized_keys!
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthenticatio
n no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
Ciphers
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
- install logcheck and nullmailer; set /etc/nullmailer/adminaddr and
/etc/nullmailer/remotes to values assigned in Puppet configuration;
symlink /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will
emit a great deal of chatter due to people knocking on the machine. I
have custom ignore.d.server files to shut them up - basically I've set
it to mail me only on *successful* logins. Let me know if you want
'em.)
- install unattended-upgrades and configure it to auto-upgrade
everything. Unfortunately, the unattended-upgrades documentation is
at pains to avoid explaining how to do that; this is what I have in
/etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Origins-Pattern {
o=Debian,a=stable;
o=Debian,a=stable-updates;
o=TorProject,a=stable;
};
Unattended-Upgrade::Remove-Unused-Dependencies true;
Unattended-Upgrade::Automatic-Reboot true;
Unattended-Upgrade::Mail root
Unattended-Upgrade::MailOnlyOnError true;
- I'd *like* to recommend pulling libssl from testing, but right now
that also means upgrading libc, which seems unwise.
- I'd also like to recommend a kernel enhanced-security module, but I
was unable to get SELinux to the point where I could turn enforcement
on without breaking boot (and when I finally gave up and purged it,
the relay I was testing that on sped up by 15%!), AppArmor seems too
half-assed to actually be worth it, and Debian doesn't have grsec
kernel packages.
zw
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] Advertised Bandwidth increasing
Hi I'm running the new, imaginatively-nicknamed kingqueenbtnftw relay. I have read around a lot but something I don't get. I thought advertised bandwidth was what I'd put in torrc whereas consensus weight was what some uber-machines tested my relay at, with the idea that this can foil disruption attacks by false relays pretending to give high bandwidth. SO I expected consensus weight to gradually increase. What I didn't expect was for the advertised bandwidth to increase by step changes (as shown on atlas and globe). Evidently I've got something wrong. Could somebody please enlighten this poor nub? By the way, I appreciate that consensus weight is a dimensions number but I understand that it originated as being based on kibibytes per second? If this is still the case, it's currently significantly more than my advertised bandwidth (which is less than that set in TORRC) but appears below it in the graphs? Thanks to anyone who educates me. I have full intent on both the T-shirts on offer - the standard Tor one for uptime and bandwidth, and the EFF one for still being online in a year with over 1MBps transfer :-) Hi to all who know me Kingqueen -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Debian relay Puppet module
THANK YOU That is clear and consise and well needed. Robert ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operating system diversity?
On 14-06-17 01:51 PM, grarpamp wrote: On Tue, Jun 17, 2014 at 10:38 AM, Jonathan D. Proulx j...@csail.mit.edu wrote: I'm not sure if this was meant as a technical or aesthetic preference, but I am curious. Is there any technical benefit to rounning a more diverse set of opensource oprating systems for tor nodes? I discount closed source as we don't know what's going on in there. Would that present significantly different attack surfaces? I can imagine a vulnerability in the TCP stack or other kernel functionality in Linux would not be the saem in FreeBSD or vice versa... My nodes are currently Ubuntu but if there's a reason to do so I coould possibly switch OS to FreeBSD (or hurd does tor run on hurd :)) These surface differences result in real world immunities. If all you're running is one thing, and that one thing gets cracked, it's over. This happens all the time. And it's not just the kernel, it's also the differences in libraries, etc. So yes, for that purpose regarding the Tor network, don't pick Linux or Windows. If you want to play and learn something new and not closed source, pick one of the BSD's... Free, open, dfly, net. FreeBSD is the obvious general choice, the others will subject you to more specific challenges. 4796 Linux 1650 Windows 294 FreeBSD 75 Darwin 35 OpenBSD 9 NetBSD 4 Bitrig 2 SunOS 2 GNU/kFreeBSD 2 DragonFly Within the (GNU/)Linux category there are significant differences among the distros. One obvious example is they dont all ship with the same OpenSSL version. Something as simple as enabling and configuring the firewall (or adding a firewall layer like a router) can set your relay apart from most of the default installs out there. Compiling Tor or the kernel or libevent, for example, with different versions of the compiler or custom options can give different behaviour to attacks. My point being, if you dont know an operating system well, it may not be safer to put a relay on it. Perhaps better to maintain an O/S you know well, study its security properties, and use customizations to give it a different attack surface. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Advertised Bandwidth increasing
Hello Jodie, Ah right, thank you, so advertised bandwidth and consensus weight are both essentially other computers' assessment of the game relay's throughput, though different computers and in different ways. Thanks -- Sent from my Android device with K-9 Mail. Please excuse my brevity. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
