Re: [tor-relays] how to monitor traffick through a bridge

2015-01-05 Thread starlight . 2015q1
Thank you very much for all the precious advice.
I am running tor on linux.

I second the suggestion of applying 'iptables'
to collecting traffic statistics.  Lots of ways
to go about it but here's something similar
to the approach I'm using.  By having separate
entries for established and new connections
on the input side, one can see both how much
traffic is arriving and how many connection
requests are arriving.  Or if your node is
attacked, the second new-connection catcher
will show huge volumes of DoS traffic.

Also note the separate counters for ssh
and OR port traffic, so you can distinguish
maintenance and utilization activity.

Feel free to change all the port assignments
as suits you, even the ssh one.  The example
uses defaults for illustration.  It is recommended
that the OR port be assigned randomly in
order to make discovery via 'zmap' more
difficult.

22   ssh
9001 OR
443  obfs3
80   fte
587  scramblesuit
993  obfs4

The 'iptables' file loses the .txt extension
and CR characters (added for easier MUA clicking)
and generally goes in /etc/sysconfig/iptables.

Also attaching an example statistics
display command and output, and a batch
job for collecting the information automatically
every day.

iptables -nvxL | sed -e 's|10\.10\.10||' -e 's|0\.0\.0\.0/0|xx|g' | cut -c-79

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
   11923   41873175 ACCEPT     all  --  lo     *       xx         xx
    1455     127316 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:22 state RELATED,ESTABLISHED
   52007   71120944 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:9001 state RELATED,ESTABLISHED
      44       8243 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:443 state RELATED,ESTABLISHED
      52       4998 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:80 state RELATED,ESTABLISHED
   20437    4469613 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:587 state RELATED,ESTABLISHED
      27       7338 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:993 state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  *      *       xx         xx         state RELATED,ESTABLISHED
       6        360 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:22
      52       3120 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:9001
       8        360 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:443
      11        552 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:80
      10        472 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:587
       5        220 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:993
    3645     216159 DROP       all  --  *      *       xx         xx

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
       0          0 DROP       all  --  *      *       xx         xx

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
   11923   41873175 ACCEPT     all  --  *      lo      xx         xx
    1163     557466 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:22
   26578    5589928 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:9001
      45      11438 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:443
      53       2348 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:80
   36907   45926909 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:587
      24       1020 ACCEPT     tcp  --  *      *       .101       xx         tcp spt:993
       0          0 ACCEPT     tcp  --  *      *       xx         xx
Zeroing chain `INPUT'
Zeroing chain `FORWARD'
Zeroing chain `OUTPUT'
59 23 * * * /root/daily_stats

#!/bin/dash

FILE=/home/tor/stats/$(date '+%Y%m%d')

# Ask the control port for the relay's own descriptor and the
# clients-seen statistics; dos2unix strips the CRLF line endings of
# the control protocol before the answers land in today's file.
# QUIT makes Tor close the connection so nc exits cleanly.
nc 127.0.0.1 9151 <<EOF | dos2unix > ${FILE:?}
AUTHENTICATE xxx
getinfo dir/server/authority
getinfo status/clients-seen
QUIT
EOF

# Append the iptables counters to the same file and zero them,
# so each daily file holds exactly one day of traffic.
/sbin/iptables -nvx -L -Z >> ${FILE:?}
*filter

:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT
# One counter per service port for traffic on already-open connections.
-A INPUT -p tcp -d 10.10.10.101 --dport    22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport  9001 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   443 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport    80 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   587 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   993 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# One counter per service port for new connection requests.
-A INPUT -p tcp -d 10.10.10.101 --dport    22 -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport  9001 -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   443 -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport    80 -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   587 -j ACCEPT
-A INPUT -p tcp -d 10.10.10.101 --dport   993 -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -s 10.10.10.101 --sport    22 -j ACCEPT
-A OUTPUT -p tcp -s 10.10.10.101 --sport  9001 -j ACCEPT
-A OUTPUT -p tcp -s 10.10.10.101 --sport   443 -j ACCEPT
-A OUTPUT -p tcp -s 10.10.10.101 --sport    80 -j ACCEPT
-A OUTPUT -p tcp -s 10.10.10.101 --sport   
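A small reader for the counters the rule set above produces, added here as an example; it is not part of the original post and not Tor project code. It assumes the post's rule layout (per service port one RELATED,ESTABLISHED rule and one plain new-connection rule in INPUT, then a final DROP), feeds a constructed sample dump rather than real relay data, and the function names (port_summary, flood_suspects, drop_count) and the flood thresholds are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: read the per-port counters
# out of an "iptables -nvxL" dump of a rule set laid out like the one
# above (one RELATED,ESTABLISHED rule and one plain "new connection"
# rule per service port in INPUT, then a final DROP) and summarise them.
# Only POSIX sh, awk and sort are used.

# Constructed sample dump (not real relay data).  Counters for port 9001
# are chosen to look like a connect flood: many new connections, little
# data per connection.  Addresses are shortened the way the post's sed
# pipeline does it, but the parser does not depend on that.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
   11923   41873175 ACCEPT     all  --  lo     *       xx         xx
    1455     127316 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:22 state RELATED,ESTABLISHED
   52007   71120944 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:9001 state RELATED,ESTABLISHED
      27       7338 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:993 state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  *      *       xx         xx         state RELATED,ESTABLISHED
       6        360 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:22
   48000    2880000 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:9001
       5        220 ACCEPT     tcp  --  *      *       xx         .101       tcp dpt:993
    3645     216159 DROP       all  --  *      *       xx         xx

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
       0          0 DROP       all  --  *      *       xx         xx
'

# port_summary: stdin = iptables dump; stdout = one line per destination
# port in INPUT: "<port> <bytes on established rule> <packets on new rule>".
port_summary() {
    awk '
        /^Chain / { chain = $2; next }
        chain != "INPUT" || $3 != "ACCEPT" { next }
        {
            port = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            if (port == "") next                      # catch-all rules carry no port
            if ($0 ~ /ESTABLISHED/) est[port] += $2   # bytes of ongoing traffic
            else                    new[port] += $1   # packets = connection attempts
            seen[port] = 1
        }
        END { for (p in seen) printf "%s %d %d\n", p, est[p] + 0, new[p] + 0 }
    ' | sort -n
}

# flood_suspects: ports where the new-connection rule fired at least
# MIN_NEW times while the established rule carried fewer than
# MIN_BYTES_PER_CONN bytes per attempt.  Real users open a connection
# and move data; a flood opens connections and moves nothing.  The
# thresholds are assumptions for this example; tune them to the relay.
flood_suspects() {
    min_new=${1:-1000}
    min_bytes_per_conn=${2:-10000}
    port_summary | awk -v n="$min_new" -v b="$min_bytes_per_conn" \
        '$3 >= n && $3 > 0 && ($2 / $3) < b { print $1 }'
}

# drop_count: packets that reached the final DROP in INPUT, i.e. scans
# and anything else not aimed at a service port.
drop_count() {
    awk '/^Chain / { chain = $2 } chain == "INPUT" && $3 == "DROP" { print $1 }'
}

printf '%s' "$SAMPLE_DUMP" | port_summary
printf 'flood suspects: %s\n' "$(printf '%s' "$SAMPLE_DUMP" | flood_suspects)"
printf 'dropped by final rule: %s\n' "$(printf '%s' "$SAMPLE_DUMP" | drop_count)"
```

On the relay itself run `iptables -nvxL INPUT | port_summary`, or point it at the daily files the cron job writes. Feed it the full `-nvx -L` output, not the `cut -c-79` shortened display, because the parser tells the two rule families apart by the `state RELATED,ESTABLISHED` text at the end of the line. Calling flood_suspects from the daily job turns the post's "second new-connection catcher" into a threshold alarm for the DoS case it describes.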

[tor-relays] missing pluggable transport

2015-01-05 Thread qq1693129601
When I open tor-browser, it says

Tor failed to establish a Tor network connection.

Connecting to a relay directory failed (missing pluggable transport).

The log is below, could anyone help?
-
01/06/2015 15:03:35.786 [NOTICE] DisableNetwork is set. Tor will not make
or accept non-control network connections. Shutting down all existing
connections.
01/06/2015 15:03:35.786 [NOTICE] Opening Socks listener on 127.0.0.1:9150
01/06/2015 15:03:36.711 [WARN] The communication stream of managed proxy
'./TorBrowser/Tor/PluggableTransports/fteproxy.bin' is 'closed'. Most
probably the managed proxy stopped running. This might be a bug of the
managed proxy, a bug of Tor, or a misconfiguration. Please enable logging
on your managed proxy and check the logs for errors.
01/06/2015 15:03:36.711 [NOTICE] Failed to terminate process with PID
'30230' ('Success').
01/06/2015 15:03:37.711 [NOTICE] Bootstrapped 5%: Connecting to directory
server
01/06/2015 15:03:37.711 [WARN] We were supposed to connect to bridge
'[2001:49f0:d002:1::2]:80' using pluggable transport 'fte', but we can't
find a pluggable transport proxy supporting 'fte'. This can happen if you
haven't provided a ClientTransportPlugin line, or if your pluggable
transport proxy stopped running.
01/06/2015 15:03:37.712 [WARN] Problem bootstrapping. Stuck at 5%:
Connecting to directory server. (Can't connect to bridge; PT_MISSING; count
1; recommendation warn)
01/06/2015 15:03:39.270 [WARN] We were supposed to connect to bridge
'[2001:49f0:d00a:1::c]:80' using pluggable transport 'fte', but we can't
find a pluggable transport proxy supporting 'fte'. This can happen if you
haven't provided a ClientTransportPlugin line, or if your pluggable
transport proxy stopped running.
01/06/2015 15:03:39.270 [WARN] Problem bootstrapping. Stuck at 5%:
Connecting to directory server. (Can't connect to bridge; PT_MISSING; count
2; recommendation warn)
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread grarpamp
On Mon, Jan 5, 2015 at 4:11 AM, Kura k...@kura.io wrote:
 On a semi-related note, I run a fair number of exit and middle/guard relays
 that I can guarantee do not try to do anything naughty to content, feel free
 to test your Tor against them to see if you still get the same virus
 warnings, OP.

I prefer the ones that replace all advertisements with kittens.
And mine just sniff for passwords so don't use them ;)


[tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Hello,

Just set up a new bridge running 0.2.6.1-alpha
and it's working fine.

The bridge is running in a Linux container
VPS and appears to have an iptables
traffic-shaped bandwidth limit of 400KB.
Can browse and download files through
it with decent performance using obfs4.

However self-measurement of bandwidth,
after starting at around 200Kbytes
has steadily declined until now its
showing 8KB and has lost the fast
flag.  At this point the bridge
has yet to attract any traffic other
than my testing usage--but it works
just fine nevertheless.

I suspect that latency for small transfers
is fairly bad (in the sense of milliseconds,
rather than seconds) and that this may
be distorting bandwidth metrics.  Also
the number of bytes transferred is
close to zero, which does not seem
likely to help the situation.

Should I be concerned about it?  Anything
anyone can recommend to correct it aside
from looking for another VPS provider?
Does the advertised bandwidth have
much effect on whether the bridge will
be disseminated by the bridge database
system?  No stable flag yet, but not
enough time has passed for this to
happen.

Thanks



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Josef 'veloc1ty' Stautner
What's the fingerprint of your bridge or what's the uptime?
When I setup my relay the shown bandwidth was first low and increased
since then to full declared speed.

~Josef

On 05.01.2015 at 11:39, starlight.201...@binnacle.cx wrote:
 Oops.  The rate limit I quoted
 is actually the limit on the DOCSIS
 modem here, not on the VPS.  Probably
 not 'iptables' traffic shaping
 after all.

 Using 'speedtest_cli.py' the max rate
 has been showing 100 Mbits/sec, but
 I discount that because the speedtest
 node appears to reside in the same
 data center as the VPS and is probably
 on the same LAN.

 Nonetheless, the Tor bridge is showing
 a ridiculous low bandwidth value and
 it seems reasonable to figure out
 why.



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
At 11:49 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
What's the fingerprint of your bridge or what's the uptime?
When I setup my relay the shown bandwidth was first low and 
increased since then to full declared speed.

Bridge is A411C021A7B95F340485A9CCE34187025193DEF6

Uptime is two+ days.  Did your relay start
out with a reasonable bandwidth (e.g. 200MBytes/sec)
and then drop like a stone to nothing
before recovering?



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Whoa wow. . .

It just popped to 700KB, presumably because
I used it to browse and then download
the TBB bundle as a test.

So I guess that means the bandwidth measurement
for a bridge is strictly passive?  Presumably
that also means that it is not used as
a criteria for dissemination?



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Josef 'veloc1ty' Stautner
I don't have that much knowledge on bridges, but I think it's the same
as with relays: The speed increases after some time.

I'm running 29E3D95332812F81F67FF31B3B1B842683D1C309 and as you can see
from the graphs the speed increased slowly after the start. On saturday
I increased the advertised bandwidth from 100 MBit/s to 200 MBit/s and
reloaded tor. That's the only short drop I can see.

~Josef

On 05.01.2015 at 11:57, starlight.201...@binnacle.cx wrote:
 Whoa wow. . .

 It just popped to 700KB, presumably because
 I used it to browse and then download
 the TBB bundle as a test.

 So I guess that means the bandwidth measurement
 for a bridge is strictly passive?  Presumably
 that also means that it is not used as
 a criteria for dissemination?



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Bridge behavior is decidedly different than
normal relay behavior--I've been running one
for a year.

Normal relays get poked fairly often by
the four BWAuth bandwidth authorities
and bandwidth starts at 20KB and rises
steadily from the get-go.

I suppose the bandwidth calculation is
passive in both situations, but with a
new bridge there is zero traffic until
it's given out to users.  So the
self-calculation decays steadily to
zero instead of rising steadily as
with a regular relay.  Regular relays
get hit with traffic as soon as they
show up in the authority consensus.



At 12:05 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
I don't have that much knowledge on bridges, but I think it's the same
as with relays: The speed increases after some time.

I'm running
29E3D95332812F81F67FF31B3B1B842683D1C309 and as
you can see from the graphs the speed increased
slowly after the start. On saturday I increased
the advertised bandwidth from 100 MBit/s to 200
MBit/s and reloaded tor. That's the only short
drop I can see.

~Josef

On 05.01.2015 at 11:57, starlight.201...@binnacle.cx wrote:
 Whoa wow. . .

 It just popped to 700KB, presumably because
 I used it to browse and then download
 the TBB bundle as a test.

 So I guess that means the bandwidth measurement
 for a bridge is strictly passive?  Presumably
 that also means that it is not used as
 a criteria for dissemination?




Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
BTW you are running normal Tor public relay
rather than a Bridge.


At 12:05 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
I'm running 29E3D95332812F81F67FF31B3B1B842683D1C309



Re: [tor-relays] Help - My relay consensus has been stripped back to 20

2015-01-05 Thread Network Operations Center
Mine just jumped to 18,000, again I'd like to stress that I have not 
changed anything in my torrc:


https://atlas.torproject.org/#details/3D7E274A87D9A89AF064C13D1EE4CA1F184F2600

On 04.01.2015 11:13 PM, bigbud...@safe-mail.net wrote:


Message: 3
Date: Sat, 03 Jan 2015 02:30:55 +0100
From: Sebastian Urbach sebast...@urbach.org
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Help - My relay consensus has been stripped back to 20
Message-ID:
14aad6973e8.27ae.e04ee758f2dadc1889b5b423dda55...@urbach.org
Content-Type: text/plain; charset=UTF-8; format=flowed

On January 3, 2015 2:03:33 AM bigbud...@safe-mail.net wrote:

Hi,


As I recall there was a mail from Giovanny a few days ago and he reported

his relay being down. But he had log file entries like:

[warn] http status 400 (Authdir is rejecting routers in this range.)
response from dirserver '128.31.0.39:9131'.

Any of those in your log ?



No I don't see anything resembling that, although I am seeing these
events messages in the logs every couple of hours:

Dec 30 07:52:28.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 09:55:29.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 11:52:24.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 13:53:23.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 15:52:20.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 16:06:34.000 [info] router_upload_dir_desc_to_dirservers():
Uploading relay descriptor to directory authorities
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 16:06:34.000 [info] directory_post_to_dirservers(): Uploading
an extrainfo too (length 3891)
Dec 30 17:52:19.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 19:53:18.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 21:39:02.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 30 23:33:58.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 31 01:32:55.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 31 02:52:13.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.
Dec 31 05:05:32.000 [info] router_pick_dirserver_generic(): No
dirservers are reachable. Trying them all again.

I don't appear to have any routing issues, resolution issues or
similar but don't have logs old enough to see if this is an unusual
log event or not, it may be completely unrelated.

As it stands I am afraid that there doesn't seem to be any real
alternative other than decommissioning this exit relay. It is costing
money and doing nobody any good right now.


Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Oops.  The rate limit I quoted
is actually the limit on the DOCSIS
modem here, not on the VPS.  Probably
not 'iptables' traffic shaping
after all.

Using 'speedtest_cli.py' the max rate
has been showing 100 Mbits/sec, but
I discount that because the speedtest
node appears to reside in the same
data center as the VPS and is probably
on the same LAN.

Nonetheless, the Tor bridge is showing
a ridiculous low bandwidth value and
it seems reasonable to figure out
why.



Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread grarpamp
On Mon, Jan 5, 2015 at 3:33 AM, Kura k...@kura.io wrote:
 I would say that maybe it's a possibility that traffic gets
 flagged as such too?
 ...
 antivirus [...] one that does
 traffic inspection

Oh, well that could be too. Tor traffic is crypted/obfuscated
and thus could generate a random hit that AV points at the
Tor binary as responsible for.

But the OP is getting URL's from AV so it may be
watching his localhost SOCKS for http streams.

What's weird is OP's Object is https://, which is
not terminated to plaintext anywhere but in the browser
or tor.

Perhaps not enough info.

 machine, AVG reported that tor.exe was a possible virus and removed it, this
 also happened when we tested the Tor Vidalia bundle. This was simply a
 filesystem check though, rather than packet/traffic inspection. It was also
 very recent, within the last week.

Gratuitous listing by AVG perhaps?

 On Mon, Jan 5, 2015 at 2:30 AM, eliaz wrote:
 The antivirus program on a machine running a bridge occasionally
 reports like so:

 Object: https://
 Infection: URL:Mal [sic]
 Process: ... \tor.exe


Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread Kura
On 05/01/2015 08:59:41, grarpamp grarp...@gmail.com wrote:
On Mon, Jan 5, 2015 at 3:33 AM, Kura wrote:
 I would say that maybe it's a possibility that traffic gets
 flagged as such too?
 ...
 antivirus [...] one that does
 traffic inspection

Oh, well that could be too. Tor traffic is crypted/obfuscated
and thus could generate a random hit that AV points at the
Tor binary as responsible for.

But the OP is getting URL's from AV so it may be
watching his localhost SOCKS for http streams.

What's weird is OP's Object is https://, which is
not terminated to plaintext anywhere but in the browser
or tor.

Perhaps not enough info.
Kura:   Indeed. I'm not exactly sure how or why that would be the case but, I 
thought my recent experiences with Tor on Windows might at least shed another 
piece of light on how AVs sometimes treat Tor. May be related, may be totally 
unrelated.

From the error, you would expect the AV to be picking out content it deems as 
dangerous from the final response, i.e. the destination after the exit but, 
that seems a little odd to me, unless the AV consistently lists the same page 
as having a virus.


 machine, AVG reported that tor.exe was a possible virus and removed it, this
 also happened when we tested the Tor Vidalia bundle. This was simply a
 filesystem check though, rather than packet/traffic inspection. It was also
 very recent, within the last week.

Gratuitous listing by AVG perhaps?
Kura:   Quite possibly. AV companies are odd with how they treat certain 
things. Keygen programs on Windows are another big thing that they used to flag 
even if they were not dangerous at all.

On a semi-related note, I run a fair number of exit and middle/guard relays 
that I can guarantee do not try to do anything naughty to content, feel free to 
test your Tor against them to see if you still get the same virus warnings, OP.



 On Mon, Jan 5, 2015 at 2:30 AM, eliaz wrote:
 The antivirus program on a machine running a bridge occasionally
 reports like so:

 Object: https://
 Infection: URL:Mal [sic]
 Process: ... \tor.exe


Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread grarpamp
On Mon, Jan 5, 2015 at 2:30 AM, eliaz el...@riseup.net wrote:
 The antivirus program on a machine running a bridge occasionally
 reports like so:

 Object: https://some IP address
 Infection: URL:Mal [sic]
 Process: ... \tor.exe

 When I track down the addresses I find they are tor nodes (sometimes
 bridges, sometimes guards, sometimes exits).

 Are the flagged nodes in some way misconfigured, or can I consider
 these to be false positives? Is there anything to worry about here?

 Detail: The tor and standalone vidalia folders have been flagged as
 exceptions (i.e. excluded) in the virus scanner. The scanner's web
 module is picking up the IP addresses from the port traffic.

 Thanks for any enlightenment - eliaz

Since the internet is known to be an infected wasteland,
and exits are known to MITM your streams, I'd suggest
either compartmentalizing all your surfing in a disposable
VM (which should probably be done anyways), or excluding
web traffic from your scanner.

Additionally, if you are able to isolate and confirm that
a specific exit is MITM'ing you (vs the malware/virus being
on the original clearnet site itself) feel free to post its fingerprint
here so that the workers can double check and dirauths can
give it the bad exit flag.

Unfortunately Tor doesn't have simple logging format
that you can watch in real time alongside your scanner.
I'm finishing a spec ticket for that soon though.


Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Josef 'veloc1ty' Stautner
I know. That's why I said that I don't have that much knowledge about
bridges but think that they are treated like relays.

On 05.01.2015 at 12:18, starlight.201...@binnacle.cx wrote:
 BTW you are running normal Tor public relay
 rather than a Bridge.


 At 12:05 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
 I'm running 29E3D95332812F81F67FF31B3B1B842683D1C309


Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Unquestionably Bridges are different.

Suggest you read about it--lots of info
to be found.



At 13:08 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
I know. That's why I said that I don't have that much knowledge 
about
bridges but think that they are treated like relays.

On 05.01.2015 at 12:18, starlight.201...@binnacle.cx wrote:
 BTW you are running normal Tor public relay
 rather than a Bridge.


 At 12:05 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
 I'm running 29E3D95332812F81F67FF31B3B1B842683D1C309



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Josef 'veloc1ty' Stautner
I meant treated like relays in relation to traffic ...

On 05.01.2015 at 13:22, starlight.201...@binnacle.cx wrote:
 Unquestionably Bridges are different.

 Suggest you read about it--lots of info
 to be found.



 At 13:08 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
 I know. That's why I said that I don't have that much knowledge 
 about
 bridges but think that they are treated like relays.

 On 05.01.2015 at 12:18, starlight.201...@binnacle.cx wrote:
 BTW you are running normal Tor public relay
 rather than a Bridge.


 At 12:05 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
 I'm running 29E3D95332812F81F67FF31B3B1B842683D1C309


Re: [tor-relays] Fwd: [tor-talk] please advise on renting a gigabit capable dedicated server

2015-01-05 Thread Mike Perry
Libertas:
 Hi tor users, my coworkers and I are considering getting together to
 run a gigabit exit relay and are curious if you all have advice as to
 the best place to go shopping for a server with 1gbps dedicated
 bandwidth in a location that is helpful to the network. Someone on irc
 pointed me to this list, but I'm happy to ask on another if it would
 be more appropriate. Thanks in advance!

Some friends and I used to run a 1GBit Reduced Exit[1] in the US at
Applied Operations[2] for $800/mo, which included hardware rental. Not
sure if that deal is still available, but they were Tor-friendly.

1. https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
2. http://www.appliedops.net/.

-- 
Mike Perry




Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
Apparently not.

At 13:25 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
I meant treated like relays in relation to traffic ...



Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Michiel Bruijn
Hello list,

I'm new to this but got my node up and running on a MK802 arm device.
However, tor-arm keeps complaining about missing history.
The exact message is:

Read the last day of bandwidth history from the state  file (9 minutes is
missing)

Does anyone know why this is but more important, how to solve?

Greets,
FreedomBitcoin


2015-01-05 11:49 GMT+01:00 Josef 'veloc1ty' Stautner he...@veloc1ty.de:

 What's the fingerprint of your bridge or what's the uptime?
 When I setup my relay the shown bandwidth was first low and increased
 since then to full declared speed.

 ~Josef

 On 05.01.2015 at 11:39, starlight.201...@binnacle.cx wrote:
  Oops.  The rate limit I quoted
  is actually the limit on the DOCSIS
  modem here, not on the VPS.  Probably
  not 'iptables' traffic shaping
  after all.
 
  Using 'speedtest_cli.py' the max rate
  has been showing 100 Mbits/sec, but
  I discount that because the speedtest
  node appears to reside in the same
  data center as the VPS and is probably
  on the same LAN.
 
  Nonetheless, the Tor bridge is showing
  a ridiculous low bandwidth value and
  it seems reasonable to figure out
  why.
 


Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread Josef 'veloc1ty' Stautner
That's what 'we' found out now :-)

On 05.01.2015 at 13:50, starlight.201...@binnacle.cx wrote:
 Apparently not.

 At 13:25 1/5/2015 +0100, Josef 'veloc1ty' Stautner wrote:
 I meant treated like relays in relation to traffic ...


Re: [tor-relays] new VPS bridge bandwidth under-reported

2015-01-05 Thread starlight . 2015q1
At 13:52 1/5/2015 +0100, you wrote:
That's what 'we' found out now :-)

I figured it out.



Re: [tor-relays] Help - My relay consensus has been stripped back to 20

2015-01-05 Thread bigbudtor
 Original Message 
From: tor-relays-requ...@lists.torproject.org
Apparently from: tor-relays-boun...@lists.torproject.org
To: tor-relays@lists.torproject.org
Subject: tor-relays Digest, Vol 48, Issue 15
Date: Mon, 05 Jan 2015 11:05:49 +


 Message: 3
 Date: Mon, 05 Jan 2015 11:36:59 +0100
 From: Network Operations Center n...@schokomil.ch
 To: tor-relays@lists.torproject.org
 Subject: Re: [tor-relays] Help - My relay consensus has been stripped back to 20
 Message-ID: 84a966b4ad0f4d6a230d7b51f1d6b...@schokomil.ch
 Content-Type: text/plain; charset=UTF-8; format=flowed
 
 Mine just jumped to 18,000, again I'd like to stress that I have not 
 changed anything in my torrc:
 
 https://atlas.torproject.org/#details/3D7E274A87D9A89AF064C13D1EE4CA1F184F2600

Yup, me too. Seems to be back thankfully.

Would love to know why though

best

BB


Re: [tor-relays] Fwd: [tor-talk] please advise on renting a gigabit capable dedicated server

2015-01-05 Thread Josef 'veloc1ty' Stautner
I have a question. Do you mean with 'to go shopping for a server' buying
hardware yourself and renting rackspace, or searching for an offer of a
dedicated server?

 On 05.01.2015 at 15:14, Mike Perry wrote:
 Libertas:
 Hi tor users, my coworkers and I are considering getting together to
 run a gigabit exit relay and are curious if you all have advice as to
 the best place to go shopping for a server with 1gbps dedicated
 bandwidth in a location that is helpful to the network. Someone on irc
 pointed me to this list, but I'm happy to ask on another if it would
 be more appropriate. Thanks in advance!
 Some friends and I used to run a 1GBit Reduced Exit[1] in the US at
 Applied Operations[2] for $800/mo, which included hardware rental. Not
 sure if that deal is still available, but they were Tor-friendly.

 1. https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
 2. http://www.appliedops.net/.





Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread eliaz
grarpamp:
 On Mon, Jan 5, 2015 at 3:33 AM, Kura k...@kura.io wrote:
 I would say that maybe it's a possibility that traffic gets
 flagged as such too?
 ...
 antivirus [...] one that does
 traffic inspection

 Oh, well that could be too. Tor traffic is crypted/obfuscated
 and thus could generate a random hit that AV points at the
 Tor binary as responsible for.

 But the OP is getting URL's from AV so it may be
 watching his localhost SOCKS for http streams.

This may perhaps help: Running the bridge I regularly get:

[Warning] Rejecting SOCKS request for anonymous connection to private
address [scrubbed]. [1 similar message(s) suppressed in last 300 seconds]

I can't unscrub these msgs (SafeLogging doesn't seem to work for tor
4.0.2 and standalone vidalia.) I haven't been able to track down the
processes involved. Since they're private, I assume they're broadcasts
so ignore them. There were some conversations about this on one of the
lists some time ago, and the advice was to ignore them.

 What's weird is OP's Object is https://, which is
 not terminated to plaintext anywhere but in the browser
 or tor.

 Perhaps not enough info.
 
 machine, AVG reported that tor.exe was a possible virus and removed it, this
 also happened when we tested the Tor Vidalia bundle. This was simply a
 filesystem check though, rather than packet/traffic inspection. It was also
 very recent, within the last week.
 
 Gratuitous listing by AVG perhaps?
 
 On Mon, Jan 5, 2015 at 2:30 AM, eliaz wrote:
 The antivirus program on a machine running a bridge occasionally
 reports like so:

 Object: https://
 Infection: URL:Mal [sic]
 Process: ... \tor.exe



[tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread mattia
Hi, I would like to know how one can monitor traffic that goes
through a bridge. I have set one up and would like to know whether it
is being used or not, and how much. Thanks!


Re: [tor-relays] Fwd: [tor-talk] please advise on renting a gigabit capable dedicated server

2015-01-05 Thread Kura
I personally run exits with various providers; the connectivity varies with
each, but there are three I think are worth mentioning.

https://www.flokinet.is/servers

It's worth noting that their Romanian servers actually have unmetered bandwidth.

https://en.alexhost.md/dedicated-server-in-moldova.html

Good provider, unmetered traffic. Only 100Mbps though.

http://www.online.net/en/dedicated-server/dedibox-xc

I have a couple of those. 1Gbps link with guaranteed 150Mbps and unmetered for 
€15.99 / month.

--
Kura

t: @kuramanga [https://twitter.com/kuramanga]
w: https://kura.io/ [https://kura.io/]
g: @kura [http://git.io/kura]
On 05/01/2015 15:13:08, Josef 'veloc1ty' Stautner he...@veloc1ty.de wrote:

If you search for renting an already racked server I recommend ViralVPS.com
to you. Just don't be irritated by the name :-) They also have physical
dedicated servers for a nice price.

Link: https://clients.viralvps.com/cart.php?gid=10

In general: For 100 British Pounds excluding VAT you get

CPU: Intel Xeon E5-2603 (4C/4T @1,8 GHz)
RAM: 16 GB
Storage: 120 GB SATA3 SSD
1 GBit/s Switchport
20 TB monthly traffic included
5 IPv4 addresses
/64 IPv6-Subnet

Everything stored in a 19" Supermicro case. IPMI with chassis intrusion
detection. The web interface of the IPMI is only available via OpenVPN.

I also have one of these and I'm running multiple stuff and my tor exit
relay on such a machine. ViralVPS has some racks in the Severius Datacenter
in the Netherlands.

I recommend this hoster because of the good internet connectivity. If you
really need 24/7 1 GBit/s you'll get that there without any complaints. Of
course you should plan in some more money for the overage traffic.

Another great benefit is that you can design your hard drives as you want.
No need for RAIDs or that kind of stuff.

Another thing I want to mention is the support :-) Normally the response
time is below 30 minutes.

BTW: If this was too much advertisement I want to apologize.

~Josef



Re: [tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread tor-admin
On Monday 05 January 2015 17:40:09 mattia wrote:
 Hi, I would like to know how one can monitor traffic that goes
 through a bridge. I have set one up and would like to know whether it
 is being used or not, and how much. Thanks!

You might try arm: https://www.atagar.com/arm/

A nice ncurses based monitoring tool.

Regards,

torland



Re: [tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread renke brausse
Hi!

 Hi, I would like to know how one can monitor traffic that goes
 through a bridge. I have set one up and would like to know whether it
 is being used or not, and how much. Thanks!

I use iptables to count packets/bytes - though I'm sure nicer ways exist
for the task :)

Renke



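As an added example (not code from Renke's message or anyone else in the thread), here is one way to turn the iptables packet/byte counters into a daily usage figure: it parses the exact counters of `iptables -nvxL INPUT`, keyed by destination port and conntrack state, and diffs two snapshots. The port roles in PORT_LABELS and all counter values are constructed assumptions.

```python
"""Per-port byte/packet counters for a bridge, parsed from `iptables -nvxL INPUT`.
Added example, not code from the thread: the counters of ACCEPT rules carrying
a `tcp dpt:<port>` match are read and two snapshots are diffed to get a daily
figure. All port numbers and counter values below are constructed."""
import re

# Constructed sample output of `iptables -nvxL INPUT` on two consecutive days.
# The separate "state NEW" rule counts connection attempts, not payload bytes.
DAY1 = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
    5010    1204401 ACCEPT     all  --  lo     *       0.0.0.0/0  0.0.0.0/0
     900      70200 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state RELATED,ESTABLISHED
   40000   52000000 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:9001 state RELATED,ESTABLISHED
     300      18000 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:9001 state NEW
"""
DAY2 = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source     destination
     950      74000 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state RELATED,ESTABLISHED
   61000   79000000 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:9001 state RELATED,ESTABLISHED
     420      25200 ACCEPT     tcp  --  *      *       0.0.0.0/0  0.0.0.0/0  tcp dpt:9001 state NEW
"""
PORT_LABELS = {22: "ssh", 9001: "OR"}  # assumed roles, for labelling only

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")  # pkts bytes target prot
DPT_RE = re.compile(r"\bdpt:(\d+)")
STATE_RE = re.compile(r"\b(?:ct)?state\s+(\S+)")  # -m state or -m conntrack output

def parse_counters(text):
    """Map (port, state) -> (pkts, bytes) for every rule that has a dpt match."""
    counters = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." header and the column-header line
        port = DPT_RE.search(line)
        if not port:
            continue  # e.g. the loopback rule carries no destination port
        state = STATE_RE.search(line)
        key = (int(port.group(1)), state.group(1) if state else "ANY")
        counters[key] = (int(m.group(1)), int(m.group(2)))
    return counters

def daily_delta(before, after):
    """Counter growth between two snapshots. A counter that went backwards
    (iptables -Z, reboot or rule reload) is reported from zero, never negative."""
    out = {}
    for key, (p1, b1) in after.items():
        p0, b0 = before.get(key, (0, 0))
        out[key] = (p1 - p0, b1 - b0) if (p1 >= p0 and b1 >= b0) else (p1, b1)
    return out

def format_report(delta):
    """One line per rule: role, conntrack state, packets and megabytes."""
    lines = []
    for (port, state), (pkts, byts) in sorted(delta.items()):
        label = PORT_LABELS.get(port, f"port {port}")
        lines.append(f"{label:>9} {state:<19} {pkts:>8} pkts {byts / 1e6:9.2f} MB")
    return "\n".join(lines)
```

A daily cron job that saves each day's `iptables -nvxL INPUT` output and calls `format_report(daily_delta(parse_counters(yesterday), parse_counters(today)))` gives the per-port usage; a sudden jump in the NEW-state row with little growth in the ESTABLISHED row points at a flood of connection attempts rather than real bridge use.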


Re: [tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread Toralf Förster
On 01/05/2015 06:16 PM, tor-ad...@torland.me wrote:
 On Monday 05 January 2015 17:40:09 mattia wrote:
 Hi, I would like to know how one can monitor traffic that goes
 through a bridge. I have set one up and would like to know whether it
 is being used or not, and how much. Thanks!
 
 You might try arm: https://www.atagar.com/arm/

or use stem and write your own tool :
https://stem.torproject.org/tutorials.html


-- 
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2  8936 872A E508 0076 E94E



Re: [tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread eliaz
mattia:
 Hi, I would like to know how one can monitor traffic that goes
 through a bridge. I have set one up and would like to know whether it
 is being used or not, and how much. Thanks!

The advice so far given is for tor on linux, and won't do you any good
if you're running a windows OS. If you are, let us know. Also let us
know if you're running a tor bridge bundle or tor browser + standalone
vidalia. - eliaz


Re: [tor-relays] how to monitor traffic through a bridge

2015-01-05 Thread mattia
Mon 05 Jan 2015, 18:04, eliaz:

 mattia:
  Hi, I would like to know how one can monitor traffic that goes
  through a bridge. I have set one up and would like to know whether
  it is being used or not, and how much. Thanks!
 
 The advice so far given is for tor on linux, and won't do you any good
 if you're running a windows OS. If you are, let us know. Also let us
 know if you're running a tor bridge bundle or tor browser + standalone
 vidalia. - eliaz

Thank you very much for all the precious advice. I am running tor
on linux. I have simply set up tor from the official deb repository and
configured it to work as a bridge (I'm afraid my ISP is not tor-friendly
enough to allow me to manage an exit node).
I'm currently having a power supply issue, but when this is resolved I will
try your suggestions.


Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread grarpamp
On Mon, Jan 5, 2015 at 11:15 AM, eliaz el...@riseup.net wrote:
 processes involved. Since they're private, I assume they're broadcasts 

Private are RFC1918. Broadcasts are 255.255.255.255 or the
subnet based versions of same.


Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread eliaz
Kura:
 Something to take into account as well is that some AVs are known
 to flag Tor as a virus, I would say that maybe it's a possibility that
 traffic gets flagged as such too? I've never used an antivirus, let
 alone one that does traffic inspection, so obviously this is conjecture
 on my part.

Are you referring to tor client operation as well as bridge operation? I
run my tor client on a box that I use as needed, and the bridge on a
separate 24/7 box.

 As an example, when I helped a friend set-up Tor Browser on his
 Windows machine, AVG reported that tor.exe was a possible virus and
 removed it, this also happened when we tested the Tor Vidalia bundle.
 This was simply a filesystem check though, rather than packet/traffic
 inspection. It was also very recent, within the last week.

Even on the as-needed box I run the client under tor. I've never gotten
these alerts when running the client. - eliaz



Re: [tor-relays] Fwd: [tor-talk] please advise on renting a gigabit capable dedicated server

2015-01-05 Thread Josef 'veloc1ty' Stautner
If you search for renting an already racked server I recommend ViralVPS.com
to you.
Just don't be irritated by the name :-) They also have physical
dedicated servers for a nice price.

Link: https://clients.viralvps.com/cart.php?gid=10

In general: For 100 British Pounds excluding VAT you get
CPU: Intel Xeon E5-2603 (4C/4T @1,8 GHz)
RAM: 16 GB
Storage: 120 GB SATA3 SSD
1 GBit/s Switchport
20 TB monthly traffic included
5 IPv4 addresses
/64 IPv6-Subnet

Everything stored in a 19" Supermicro case. IPMI with chassis intrusion
detection. The web interface of the IPMI is only available via OpenVPN.

I also have one of these and I'm running multiple stuff and my tor exit
relay on such a machine. ViralVPS has some racks in the Severius
Datacenter in the Netherlands.
I recommend this hoster because of the good internet connectivity. If
you really need 24/7 1 GBit/s you'll get that there without any
complaints. Of course you should plan in some more money for the overage
traffic.
Another great benefit is that you can design your hard drives as you
want. No need for RAIDs or that kind of stuff.

Another thing I want to mention is the support :-) Normally the response
time is below 30 minutes.

BTW: If this was too much advertisement I want to apologize.

~Josef


On 05.01.2015 at 15:42, Josef 'veloc1ty' Stautner wrote:
 I have a question. Do you mean with 'to go shopping for a server'
 buying hardware yourself and renting rackspace, or searching for an offer
 of a dedicated server?

 On 05.01.2015 at 15:14, Mike Perry wrote:
 Libertas:
 Hi tor users, my coworkers and I are considering getting together to
 run a gigabit exit relay and are curious if you all have advice as to
 the best place to go shopping for a server with 1gbps dedicated
 bandwidth in a location that is helpful to the network. Someone on irc
 pointed me to this list, but I'm happy to ask on another if it would
 be more appropriate. Thanks in advance!
 Some friends and I used to run a 1GBit Reduced Exit[1] in the US at
 Applied Operations[2] for $800/mo, which included hardware rental. Not
 sure if that deal is still available, but they were Tor-friendly.

 1. https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
 2. http://www.appliedops.net/.





Re: [tor-relays] IP addresses as false positives?

2015-01-05 Thread eliaz
grarpamp:
 On Mon, Jan 5, 2015 at 2:30 AM, eliaz el...@riseup.net wrote:
 The antivirus program on a machine running a bridge occasionally
 reports like so:

 Object: https://some IP address
 Infection: URL:Mal [sic]
 Process: ... \tor.exe

 When I track down the addresses I find they are tor nodes (sometimes
 bridges, sometimes guards, sometimes exits).

 Are the flagged nodes in some ways misconfigured, or can I consider
 these to be false positives? Is there anything to worry about here?

 Detail: The tor and standalone vidalia folders have been flagged as
 exceptions (i.e. excluded) in the virus scanner. The scanner's web
 module is picking up the IP addresses from the port traffic.

 Thanks for any enlightenment - eliaz
 
 Since the internet is known to be an infected wasteland,
 and exits are known to MITM your streams,

Do you mean my streams in particular or all streams?

 I'd suggest
 either compartmentalizing all your surfing in a disposable
 VM (which should probably be done anyways), or excluding
 web traffic from your scanner.

I run in a dedicated low-power box on my LAN, to save electricity. Is
that as good as a VM?

I've got VMs on the other machine, which is a power hog and not run
continuously.

 Additionally, if you are able to isolate and confirm that
 a specific exit is MITM'ing you (vs the malware/virus being
 on the original clearnet site itself) feel free to post its fingerprint
 here so that the workers can double check and dirauths can
 give it the bad exit flag.

I don't know how to confirm that exits are MITMs. I can post the FPs of
the ones that show up, though. So far all the alerts lead me to
recognizable nodes that show up OK in Atlas, etc.
 
 Unfortunately Tor doesn't have a simple logging format
 that you can watch in real time alongside your scanner.
 I'm finishing a spec ticket for that soon though.

The alerts appear randomly at intervals of several days. The AV program
alert is via a popup, which I can get later by asking the AV to show
last popup. I guess I should get up to speed in wireshark, but it's
gonna result in a monster file by the time it catches anything.
Thanks for writing up the spec, I'll try to follow the conversation.
 - eliaz