[tor-relays] Many inbound and outbound connections but no circuits
Hello, I've been running a relay for some weeks. It has now earned the stable flag. Despite this I always have more than 500 inbound and outbound connections but no circuits at all. Is this normal? ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] Ports 443 and 80 are open, but 443 not Tor reachable
Hello everyone, this is my first post, and would be very grateful for help.

My Tor relay (0.2.5.10 and now compiled from source) has had a checkered history since I installed it, first on an Efika MX in December (which proved unstable), and then on a Raspberry Pi model 2 (Linux 3.18.8-v7+) starting a couple or so weeks ago.

In trying to follow recommendations, and wanting to be helpful to less fortunate souls, I changed from the usual ORPort 9001 and DirPort 9030 (which worked) to ports 443 and 80 respectively. I now know that this is a pathway to misery and sorrow. With ORPort 443 Tor could not confirm the port was reachable even though it was wide open to online port checkers and nmap -sT -O localhost shows ports 22/tcp, 80/tcp, 443/tcp to be open. And yet torstatus monitors show many relays displaying ports ORPort 443 and DirPort 80 running on Linux.

Yesterday I swapped the ports and within a moment ORPort 80 was confirmed and server descriptor published. DirPort 443 fails to confirm it is reachable.
sudo iptables -L -nv

Chain INPUT (policy DROP 4328 packets, 200K bytes)
 pkts bytes target     prot opt in     out     source               destination
 144K   60M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
91861   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 4711 1087K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
1497K  202M ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
1221K 1521M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2929K packets, 1979M bytes)
 pkts bytes target     prot opt in     out     source               destination

So what is it about port 443 on my little RP 2 that Tor dislikes?
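The rule table quoted above, read programmatically: this is an added example in Python, not code from the thread or from the Tor project. It parses `iptables -L -nv` output (the poster's table is embedded as a constructed string) and walks the INPUT chain the way netfilter would for a brand-new inbound TCP connection arriving from an outside address, returning the first matching target or the chain policy. The walk deliberately skips rules that cannot match such a packet: the loopback-only rule, the LAN-source rule and the conntrack `state RELATED,ESTABLISHED` rule. On this table it reports ACCEPT for both 80 and 443 and DROP for an unlisted port such as 9001, which says the host firewall is not what blocks 443; the drop must be upstream of the Pi (router NAT, the ISP) or a matter of Tor's own reachability test.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the `iptables -L -nv` output quoted in the post above.
IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 4328 packets, 200K bytes)
 pkts bytes target     prot opt in     out     source               destination
 144K   60M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
91861   23M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 4711 1087K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
1497K  202M ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
1221K 1521M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2929K packets, 1979M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


@dataclass
class Rule:
    target: str   # ACCEPT / DROP / REJECT / ...
    prot: str     # all / tcp / udp / icmp
    in_if: str    # input interface, '*' for any
    source: str   # source CIDR
    extra: str    # trailing match text, e.g. "tcp dpt:443" or "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
DPT_RE = re.compile(r"dpt:(\d+)")


def parse_iptables(text):
    """Split `iptables -L -nv` output into {chain name: Chain}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(policy=m.group(2))
            chains[m.group(1)] = current
            continue
        fields = line.split()
        # skip blank lines, the header row, and anything before the first chain
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        # column order: pkts bytes target prot opt in out source destination [match...]
        current.rules.append(Rule(target=fields[2], prot=fields[3], in_if=fields[5],
                                  source=fields[7], extra=" ".join(fields[9:])))
    return chains


def verdict_for_new_tcp(chains, port, chain="INPUT"):
    """First-match walk for a NEW inbound TCP SYN from an arbitrary internet
    address on a non-loopback interface; returns the target or the policy."""
    for r in chains[chain].rules:
        if r.in_if != "*":                 # interface-bound rule (here: lo only)
            continue
        if r.source != "0.0.0.0/0":        # LAN-only rule cannot match an outside source
            continue
        if r.prot not in ("all", "tcp"):   # icmp rule is irrelevant to TCP
            continue
        if "state" in r.extra:             # conntrack rule: a fresh SYN is NEW, not ESTABLISHED
            continue
        m = DPT_RE.search(r.extra)
        if m and int(m.group(1)) != port:  # port-specific rule for another port
            continue
        return r.target
    return chains[chain].policy


if __name__ == "__main__":
    table = parse_iptables(IPTABLES_OUTPUT)
    for p in (80, 443, 9001):
        print(f"tcp/{p}: {verdict_for_new_tcp(table, p)}")
```

Feed it the live output with `sudo iptables -L -nv | python3 this_script.py` style plumbing (read `sys.stdin` instead of the constant) to re-run the check after every firewall change; a verdict of ACCEPT here only clears the host firewall, it says nothing about the path from the internet to the relay.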
[tor-relays] New relay operator. Basic security practices?
Hello all.

I'm running a new relay, relayacab, at apexy in DE on a minimal Debian 7 OS. Is there a best practices guide for basic security setup? This is my first time operating a remote machine, running a relay, and having any public service to harden. So I'd really like to take this opportunity to do this the right way and continue on a productive path in supporting the tor network.

Thanks!

+-- relayacab
+-- https://atlas.torproject.org/#details/18002B828F1E9237B616DE8C8968F4E6C7520BB4
Re: [tor-relays] Legal Troubles
Hi *

> I am just doing some planning for my own exits at the moment and researching the legal provisions and experience for a variety of jurisdictions.

My story is rather typical - I'm not proud of it but hopefully someone will learn my lesson w/o legal fees :)

I'm located in Germany and ran an exit at my home DSL, in 2008 and 2009 (that's half of the I'm not proud part). Someone opened/cracked a box and used it to distribute child pornography, the owner realised this some time later and the police found my IP address in the logs. After nearly one year (I'm still baffled, one would hope this kind of crime is handled faster) my flat was searched and every single computer seized: To be clear, I was the one charged with this crime, the prosecutor wasn't aware of (or ignored) the Tor node. After 1.5 years (or so) the case was closed because the prosecutor wasn't able to prove my guilt[0]. During the criminal proceedings I discussed with my lawyer if we should disclose the Tor node but we decided this would only complicate the matter.

Today I run only a middle relay, exit nodes in Germany should imho always be part of an umbrella organisation (e.g. an Eingetragener Verein [registered association?], ignoring this is part 2 of I'm not proud) so an individual is not personally liable (if someone is interested: I donate to the Wau Holland Stiftung[1], one project of this trust is supporting the Tor network).

Renke

[0] I know I'm not guilty ;)
[1] http://www.wauland.de/en/index.php
Re: [tor-relays] New relay operator. Basic security practices?
You may wish to revise your guide to better SSH. https://stribika.github.io/2015/01/04/secure-secure-shell.html Particularly, running it through a Tor HS.

Other ideal reading is the BetterCrypto guide: https://bettercrypto.org/static/applied-crypto-hardening.pdf

Cheers

On Wed, Mar 4, 2015 at 11:36 AM, Libertas liber...@mykolab.com wrote:
> On 03/04/2015 02:05 PM, relay_a...@openmailbox.org wrote:
>> Hello all. I'm running a new relay, relayacab, at apexy in DE on a minimal Debian 7 OS. Is there a best practices guide for basic security setup? This is my first time operating a remote machine, running a relay, and having any public service to harden. So I'd really like to take this opportunity to do this the right way and continue on a productive path in supporting the tor network. Thanks!
>> +-- relayacab
>
> I wrote this recently: https://gist.github.com/plsql/49e642d5bce835df2946
>
> Thanks so much for considering security! It's a very important and often neglected aspect of Tor relay operation. Let me know what you think of the document.
>
> Libertas
Re: [tor-relays] Ports 443 and 80 are open, but 443 not Tor reachable
On Wed, 04 Mar 2015 16:31:27 +0100 oseump ose...@proxymail.eu wrote:
> With ORPort 443 Tor could not confirm the port was reachable even though it was wide open to online port checkers and nmap -sT -O localhost shows ports 22/tcp, 80/tcp, 443/tcp to be open.

Where are you running this from? You said a Raspberry Pi; is this on a home/residential network? If so, my first inclination is that your ISP is blocking incoming connections on certain ports. I know this is common in my area with ports 25, 80, and 443 to prevent customers from running servers.

A netstat/nmap on localhost will confirm that Tor is listening on the port, but won't confirm the outside world can access it. You said you used online port checkers - double check this. Try running a simple http server on port 443 (you don't need to set up SSL necessarily, just run it at http://1.2.3.4:443) and seeing if you can connect from your mobile phone or something. I believe you when you said you checked, but sometimes online port checkers can be iffy and even your ISP might be doing some weird conditional filtering. I run my Tor relays on 443 and it worked without issue.

> And yet torstatus monitors show many relays displaying ports ORPort 443 and DirPort 80 running on Linux. Yesterday I swapped the ports and within a moment ORPort 80 was confirmed and server descriptor published. DirPort 443 fails to confirm it is reachable. So what is it about port 443 on my little RP 2 that Tor dislikes?
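The check the reply describes (confirm the port from outside, not just from localhost) as an added example in Python; it is not code from the thread or from Tor. `probe_tcp` performs a single TCP connect and, rather than a bare yes/no, separates the three outcomes that matter for this diagnosis: a completed handshake, a connection refused (an RST came back, so the path is open but nothing listens there or a NAT forwards to a dead port) and a silent timeout (packets dropped on the path, the signature of an ISP port block or an upstream firewall). `diagnose` combines a probe run on the relay itself with one run from an outside vantage point such as a phone on mobile data. The listener and the `127.0.0.1` addresses in the self-test are constructed stand-ins for the relay; the timeout value is an assumption, not anything from the thread.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect to host:port and classify what happened.

    'open'        -> handshake completed: something accepts on that port
    'refused'     -> RST received: host reachable, nothing listening there
                     (or a NAT/port-forward that points at a closed port)
    'filtered'    -> no reply before the timeout: dropped somewhere on the path
                     (ISP port block, router, host firewall DROP policy)
    'unreachable' -> the local stack could not route to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:          # EHOSTUNREACH, ENETUNREACH and friends
        return "unreachable"
    finally:
        s.close()


def diagnose(local_result, remote_result):
    """Turn a probe from the relay itself plus a probe from outside into the
    most likely cause, in the order a relay operator should rule things out."""
    if local_result != "open":
        return "tor is not listening on that port at all; check ORPort/DirPort and the tor log"
    if remote_result == "open":
        return "port is reachable from outside; the problem is not the network path"
    if remote_result == "refused":
        return "host reachable from outside but port closed; NAT/port-forward points at nothing"
    return "listening locally but dropped on the path; suspect ISP port block or upstream firewall"


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listening socket on an ephemeral port (stand-in for tor)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Offline self-test: probe a live listener, then the same port once it is closed.
    srv = start_listener()
    port = srv.getsockname()[1]
    local = probe_tcp("127.0.0.1", port)
    print(f"listening  -> {local}")
    srv.close()
    print(f"closed     -> {probe_tcp('127.0.0.1', port)}")
    # In real use, run probe_tcp(public_ip, 443) from a second machine and combine:
    print(diagnose(local, "filtered"))
```

To use it for the question in the thread, run `probe_tcp("127.0.0.1", 443)` on the Pi and `probe_tcp("<public ip>", 443)` from a machine outside the home network, then pass the two results to `diagnose`; a `filtered` result from outside with `open` from inside is exactly the ISP-block case the reply suspects.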
Re: [tor-relays] multi tor instance support for startup scripts (RPM)
On 03/02/2015 12:22 AM, Nusenu wrote:
> When it comes to the RPM packages I have to think about our past systemd migration discussion [1] that got stuck.

Yes I remember [2].

> Should I pick that up again before writing anything that gets obsolete as soon as you migrate to systemd? (or did you give up on systemd migration?)

If you want to write the patch for multi-instance, don't focus on systemd. I don't plan systemd migration anytime soon since current system works and systemd migration would require systemd support on all platforms (not going to happen for EL6 any time soon). I already had had heavily ifdef-ed packaging system because of EL5 and it was major PITA that caused some unpleasant bugs along the way.

[2] https://lists.torproject.org/pipermail/tor-dev/2014-August/007363.html
Re: [tor-relays] New relay operator. Basic security practices?
> I wrote this recently: https://gist.github.com/plsql/49e642d5bce835df2946
>
> Thanks so much for considering security! It's a very important and often neglected aspect of Tor relay operation. Let me know what you think of the document.
>
> Libertas

I just started to look at it, but it seems to be EXACTLY what I was looking for. Thank you so much!

+-- relayacab
+--
[tor-relays] Legal Troubles
Hey all,

I am just doing some planning for my own exits at the moment and researching the legal provisions and experience for a variety of jurisdictions. If anyone has any experience of raids as a result of running a Tor relay or other legal troubles, I'd appreciate it if you got in touch (privately preferably) for a quick chat. Of course any information supplied will be kept anonymous unless you are explicitly happy to make a statement openly about it.

Sharing our experiences will certainly help us understand the climate much better.

Regards,
T

-- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite
PGP Keys: https://www.thecthulhu.com/pgp-keys/
Current Fingerprint: BA81 407C BD61 CD15 E5D9 ADA9 5FA2 426F F34E 0FD4
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966
Re: [tor-relays] are relays susceptible to the latest OpenSSL freak attack
On Wed, Mar 4, 2015 at 5:26 AM, starlight.201...@binnacle.cx wrote:
> Cipher-downgrade CVE-2015-0204 fixed in OpenSSL 1.0.1k. usual sensational write-up courtesy of El-Reg http://theregister.co.uk/security

I believe this doesn't affect Tor relays or clients, because we have never supported export ciphers or generated export keys.

> For operators who don't obsess over non-critical OpenSSL releases, is it time to catch up?

I would suggest that everybody should update their openssl releases as a matter of best practice, IMNSHO.

For more information, Matthew Green's writeup is quite informative: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
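Two checks a relay operator can run on the host after reading the above, as an added example in Python that is not code from the thread, from Tor or from OpenSSL. The first audits a cipher list for export-grade suites, the RSA_EXPORT family that CVE-2015-0204 turns on: they are recognisable by the EXP prefix in their OpenSSL names and by their 40- or 56-bit symmetric strength, so the filter flags either. It is run once over a constructed list resembling what an old, unpatched OpenSSL could still offer and once over the cipher list this interpreter's OpenSSL actually enables. The second compares the linked OpenSSL against 1.0.1k, the fix release named in the quoted message; encoding 1.0.1k as the tuple (1, 0, 1, 11) relies on OpenSSL's patch letters counting from a = 1. Note this audits the host's OpenSSL defaults, which is what the "update your openssl" advice is about; tor sets its own cipher list and, as the reply says, never included export suites.

```python
import ssl

# Export-grade suites were limited to 40-bit (RC4/DES) or 56-bit symmetric keys
# with 512-bit RSA; anything at or below this strength is treated as export-class.
EXPORT_BITS_MAX = 56

# Constructed sample of a cipher list as an old, unpatched OpenSSL might report it
# (same dict shape as SSLContext.get_ciphers(): name plus strength_bits).
OLD_CIPHER_LIST = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
]


def weak_suites(ciphers):
    """Return the names in `ciphers` that are export-grade by name (EXP-/EXPORT)
    or no stronger than EXPORT_BITS_MAX bits, in their original order."""
    flagged = []
    for c in ciphers:
        name = c.get("name", "")
        if "EXP" in name.upper() or c.get("strength_bits", 0) <= EXPORT_BITS_MAX:
            flagged.append(name)
    return flagged


def audit_default_context():
    """Run the same check against the suites this interpreter's OpenSSL enables
    in a default client context; an empty list is the healthy result."""
    return weak_suites(ssl.create_default_context().get_ciphers())


def openssl_at_least(version):
    """True if the linked OpenSSL is at least `version`, given as
    (major, minor, fix, patch). 1.0.1k is (1, 0, 1, 11): patch letter k = 11."""
    return tuple(ssl.OPENSSL_VERSION_INFO[:4]) >= tuple(version)


if __name__ == "__main__":
    print("constructed old list flags:", weak_suites(OLD_CIPHER_LIST))
    print("this host's default context flags:", audit_default_context())
    print(ssl.OPENSSL_VERSION, "fixed for CVE-2015-0204:", openssl_at_least((1, 0, 1, 11)))
```

Run it on the relay host with the system Python so that `ssl.OPENSSL_VERSION` reflects the OpenSSL the distribution ships; a non-empty result from `audit_default_context` or a False from the version check is the cue to update, which is the thread's conclusion anyway.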