Re: [tor-relays] Is OVH a safe vps provider to run an exit relay on?

2021-04-02 Thread William Kane
Hi,

As gus pointed out, Hetzner, OVH, Online S.A.S (now owned by and
called Scaleway), and DigitalOcean should be avoided at all costs, and
yes, even for bridges.

Please try to find a host that hosts as few (publicly listed) tor
relays as possible for your bridge or relay.

- William

On 02/04/2021, Keifer Bly wrote:
> Would running a bridge on ovh be ok? Thanks.
> --Keifer
>
>
> On Thu, Apr 1, 2021 at 1:29 AM William Kane wrote:
>
>> Hi,
>>
>> no, OVH is the second most commonly used hosting provider, another
>> relay hosted there would hurt the network more than it would help:
>>
>> https://metrics.torproject.org/bubbles.html#as
>>
>> We need to make the network as diverse as possible, in order to make
>> it as hard as possible for law enforcement and other bad actors to
>> de-anonymize tor circuits.
>>
>> If you really want to help us out, here's what I advise you to do:
>>
>> - Rent a dedicated machine, with a new-ish CPU (supporting VT-x and
>> AES-NI, and good single thread performance since tor is mostly
>> single-threaded).
>> - Get your own subnet, it doesn't have to be huge, but make sure you
>> are allowed to change the abuse-mailbox field to an e-mail you own, so
>> your host doesn't get flooded with automated and mostly useless abuse
>> reports and terminates your service in response.
>> - Make use of QEMU/KVM and create one virtualized instance for each
>> set of two relays (maximum amount of relays sharing the same public
>> address is 2).
>> - Make use of the CPU-pinning feature offered by libvirt, and the
>> isolcpus kernel argument to isolate all but two cores from the
>> kernel's scheduler, and pin two cores to each VM.
>> - Disable all CPU mitigations (mitigations=off on the kernel command
>> line) to increase performance, since you are only installing signed
>> packages anyway, there is no untrusted code running on the system,
>> which means there is no need for any mitigations to be active.
>> - Make sure you have an unmetered traffic plan and at the very least
>> 1, but best case 2 1Gbit/s uplinks.
>>
>> With a somewhat modern CPU supporting hardware AES acceleration, this
>> should get you 150 to 200 Mbps per tor instance, at least that's my
>> experience when I ran the setup described above around 4 years ago.
>>
>> On a last note, whatever you decide to do, please don't settle for
>> some overused host just because it's easier or cheaper - you might as
>> well not host a relay at all, then.
>>
>> Look for a host, get its AS ID, then input it here:
>> https://metrics.torproject.org/rs.html#search/as:
>>
>> Example:
>>
>> https://metrics.torproject.org/rs.html#search/as:AS197019
>>
>> If this was a bit too much, I apologize - I will gladly answer any
>> questions you have.
>>
>> - William
>>
>> On 30/03/2021, Keifer Bly wrote:
>> > Hi,
>> >
>> > I am wondering if OVH is a safe VPS provider to run an exit relay on?
>> > Thank you.
>> >
>> >
>> >
>> > --Keifer
>> >
>> >
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
>


Re: [tor-relays] Many SSH requests

2021-04-02 Thread Cristiano Kubiaki Gomes
Thank you all for the recommendation. It took some time but I think I am
relatively safer now.

And also learned a lot. Much appreciated.

All the best!

On Fri 2 Apr 2021 at 11:40, The Doctor [412/724/301/703/415/510] <
dr...@virtadpt.net> wrote:

> ‐‐‐ Original Message ‐‐‐
> On Wednesday, March 31, 2021 9:35 AM, Cristiano Kubiaki Gomes <
> cristiano...@gmail.com> wrote:
>
> > I noticed many ssh requests to my Debian VM running a Relay and I am
> > wondering if this is normal or if this is happening only with me.
> > Anyone else see these ssh attempts? Is it normal?
>
>
> Yup, it's background radiation on the Internet.  We all get them.
>
> If SSH key authentication only isn't enabled, turn it on.  Change the port
> sshd is listening on.
> Set up fail2ban to further protect the new port (I get a lot of portscans
> hammering my nodes
> looking for the new sshd port followed by brute force attempts, so may as
> well cut 'em off
> at the knees).
>
> Or set up a hidden service for sshd on the box and reconfigure it to
> listen on the loopback only.
> You'll only be able to SSH in over the Tor network after that, but it'll
> cut the login attempts way
> down.
>
> The Doctor [412/724/301/703/415/510]
> WWW: https://drwho.virtadpt.net/
> The old world is dying, and the new world struggles to be born. Now is the
> time of monsters.
>
-- 
Cristiano Kubiaki
Telegram | LinkedIn | Twitter

ITIL - MCP - MCDST - MCTS - DCSE


Re: [tor-relays] Is OVH a safe vps provider to run an exit relay on?

2021-04-02 Thread gus
Hi,

From the Community portal, Tor relay technical considerations:

## AS/location diversity

It is best to avoid hosts where many Tor relays are already hosted, but
it is still better to add one there than to run no relay at all.

Try to avoid the following hosters:

OVH SAS (AS16276)
Online S.a.s. (AS12876)
Hetzner Online GmbH (AS24940)
DigitalOcean, LLC (AS14061)


To find out which host and countries are already used by many other
operators (that should be avoided) you can use Relay Search:

https://metrics.torproject.org/rs.html#aggregate/as

https://metrics.torproject.org/rs.html#aggregate/cc

Source: https://community.torproject.org/relay/technical-considerations/

cheers,
Gus


On Thu, Apr 01, 2021 at 09:03:24AM -0700, Eddie wrote:
> William,
> 
> At (about) what number of relays per provider should we be considering
> looking elsewhere.
> 
> Cheers.
> 
> 
> 
> On 4/1/2021 12:53 AM, William Kane wrote:
> > Hi,
> > 
> > no, OVH is the second most commonly used hosting provider, another
> > relay hosted there would hurt the network more than it would help:
> > 
> > https://metrics.torproject.org/bubbles.html#as
> > 
> > We need to make the network as diverse as possible, in order to make
> > it as hard as possible for law enforcement and other bad actors to
> > de-anonymize tor circuits.
> > 
> > --Very large snip snip--
> > 
> > Look for a host, get its AS ID, then input it here:
> > https://metrics.torproject.org/rs.html#search/as:
> > 
> > Example:
> > 
> > https://metrics.torproject.org/rs.html#search/as:AS197019
> > 
> > If this was a bit too much, I apologize - I will gladly answer any
> > questions you have.
> > 
> > - William
> > 
> > On 30/03/2021, Keifer Bly wrote:
> > > Hi,
> > >
> > > I am wondering if OVH is a safe VPS provider to run an exit relay on?
> > > Thank you.
> > > 
> > > 
> > > 
> > > --Keifer
> > > 
> > > 

-- 
The Tor Project
Community Team Lead
http://expyuzz4wqqyqhjn.onion/
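
The per-AS check described in the message above, as an added example that is not part of the original post or Tor Project code: it aggregates running relays per AS from a constructed sample shaped like an Onionoo details response (fields `as`, `as_name`, `running`, `consensus_weight`). The 10% cut-off and the function names are hypothetical; the thread does not give a number.

```python
import json
from collections import defaultdict

# Constructed sample shaped like an Onionoo "details" response. Only the AS
# numbers and names of the four large hosters come from the post; the weights,
# relay counts and AS64500 (an ASN reserved for documentation) are made up.
SAMPLE = json.loads("""
{"relays": [
  {"running": true, "as": "AS16276", "as_name": "OVH SAS", "consensus_weight": 3000},
  {"running": true, "as": "AS16276", "as_name": "OVH SAS", "consensus_weight": 2000},
  {"running": true, "as": "AS16276", "as_name": "OVH SAS", "consensus_weight": 1000},
  {"running": true, "as": "AS24940", "as_name": "Hetzner Online GmbH", "consensus_weight": 2000},
  {"running": true, "as": "AS24940", "as_name": "Hetzner Online GmbH", "consensus_weight": 1000},
  {"running": true, "as": "AS14061", "as_name": "DigitalOcean, LLC", "consensus_weight": 500},
  {"running": true, "as": "AS64500", "as_name": "Example Small Host", "consensus_weight": 500},
  {"running": false, "as": "AS12876", "as_name": "Online S.a.s.", "consensus_weight": 1000}
]}
""")

# Hypothetical cut-off: the thread gives no number, so choose your own.
MAX_WEIGHT_SHARE = 0.10


def as_shares(relays):
    """Aggregate running relays per AS, largest consensus-weight share first."""
    count, weight, name = defaultdict(int), defaultdict(int), {}
    for r in relays:
        if not r.get("running"):
            continue  # relays that are down carry no traffic
        asn = r.get("as", "unknown")  # tolerate records without an AS
        count[asn] += 1
        weight[asn] += r.get("consensus_weight", 0)
        name.setdefault(asn, r.get("as_name", "?"))
    total_n, total_w = sum(count.values()) or 1, sum(weight.values()) or 1
    rows = [{"as": a, "name": name[a], "relays": count[a],
             "relay_share": count[a] / total_n,
             "weight_share": weight[a] / total_w} for a in count]
    return sorted(rows, key=lambda x: (-x["weight_share"], x["as"]))


def crowded(rows, limit=MAX_WEIGHT_SHARE):
    """ASes whose share of consensus weight exceeds the chosen limit."""
    return [x["as"] for x in rows if x["weight_share"] > limit]


if __name__ == "__main__":
    for x in as_shares(SAMPLE["relays"]):
        print(f'{x["as"]:<8} {x["name"]:<20} {x["relays"]} relays {x["weight_share"]:.0%}')
    print("crowded:", crowded(as_shares(SAMPLE["relays"])))
```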




Re: [tor-relays] bridge static or dynamic ip and multiple bridge config

2021-04-02 Thread s7r

Volker Mink wrote:

> Bridge does not require static ip. You can run one at home.
> More than one -> use different ports
>
> On 31.03.2021 at 22:14, gi vi an wrote:
>
> > does bridge require static or dynamic ip?
> >
> > if more than one bridge can be configured per one isp connection, how do i
> > configure?



It's *best* to have a static IP for bridges as well as relays of course.
Even more important for a bridge is to have a static IP address because
it gets into the client's torrc file and remains there, to be used as an
entry point in the Tor network - if something changes (like the IP
address), it requires manual action from that client. At least for
relays the changed IP address is fetched from the consensus and does not
require manual effort from the clients.


Anyway, even if you have a dynamic address you can still run a bridge 
but it shouldn't change too often. If it changes every day, I don't 
think it will make a useful bridge.


Better run a relay, or get a static IP address for a bridge.





Re: [tor-relays] DirPortFrontPage file '.....' not found | Permission denied

2021-04-02 Thread Petrusko
Thx all !
It's working like a charm !

After setting up this page, I saw I had to code everything "inline"...
images, CSS, all...
But it's ok, cool :)

Thx

On 30/03/2021 at 18:03, Olaf Grimm wrote:
> Place the DirPortFrontPage in the same folder as torrc, not /var/...






Re: [tor-relays] Is OVH a safe vps provider to run an exit relay on?

2021-04-02 Thread Keifer Bly
Would running a bridge on ovh be ok? Thanks.
--Keifer


On Thu, Apr 1, 2021 at 1:29 AM William Kane wrote:

> Hi,
>
> no, OVH is the second most commonly used hosting provider, another
> relay hosted there would hurt the network more than it would help:
>
> https://metrics.torproject.org/bubbles.html#as
>
> We need to make the network as diverse as possible, in order to make
> it as hard as possible for law enforcement and other bad actors to
> de-anonymize tor circuits.
>
> If you really want to help us out, here's what I advise you to do:
>
> - Rent a dedicated machine, with a new-ish CPU (supporting VT-x and
> AES-NI, and good single thread performance since tor is mostly
> single-threaded).
> - Get your own subnet, it doesn't have to be huge, but make sure you
> are allowed to change the abuse-mailbox field to an e-mail you own, so
> your host doesn't get flooded with automated and mostly useless abuse
> reports and terminates your service in response.
> - Make use of QEMU/KVM and create one virtualized instance for each
> set of two relays (maximum amount of relays sharing the same public
> address is 2).
> - Make use of the CPU-pinning feature offered by libvirt, and the
> isolcpus kernel argument to isolate all but two cores from the
> kernel's scheduler, and pin two cores to each VM.
> - Disable all CPU mitigations (mitigations=off on the kernel command
> line) to increase performance, since you are only installing signed
> packages anyway, there is no untrusted code running on the system,
> which means there is no need for any mitigations to be active.
> - Make sure you have an unmetered traffic plan and at the very least
> 1, but best case 2 1Gbit/s uplinks.
>
> With a somewhat modern CPU supporting hardware AES acceleration, this
> should get you 150 to 200 Mbps per tor instance, at least that's my
> experience when I ran the setup described above around 4 years ago.
>
> On a last note, whatever you decide to do, please don't settle for
> some overused host just because it's easier or cheaper - you might as
> well not host a relay at all, then.
>
> Look for a host, get its AS ID, then input it here:
> https://metrics.torproject.org/rs.html#search/as:
>
> Example:
>
> https://metrics.torproject.org/rs.html#search/as:AS197019
>
> If this was a bit too much, I apologize - I will gladly answer any
> questions you have.
>
> - William
>
> On 30/03/2021, Keifer Bly wrote:
> > Hi,
> >
> > I am wondering if OVH is a safe VPS provider to run an exit relay on?
> > Thank you.
> >
> >
> >
> > --Keifer
> >
> >


Re: [tor-relays] Many SSH requests

2021-04-02 Thread The Doctor [412/724/301/703/415/510]
‐‐‐ Original Message ‐‐‐
On Wednesday, March 31, 2021 9:35 AM, Cristiano Kubiaki Gomes wrote:

> I noticed many ssh requests to my Debian VM running a Relay and I am
> wondering if this is normal or if this is happening only with me.
> Anyone else see these ssh attempts? Is it normal?

Yup, it's background radiation on the Internet. We all get them.

If SSH key authentication only isn't enabled, turn it on. Change the port sshd
is listening on. Set up fail2ban to further protect the new port (I get a lot
of portscans hammering my nodes looking for the new sshd port followed by brute
force attempts, so may as well cut 'em off at the knees).

Or set up a hidden service for sshd on the box and reconfigure it to listen on
the loopback only. You'll only be able to SSH in over the Tor network after
that, but it'll cut the login attempts way down.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time
of monsters.

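An added example, not part of the original post: a small Python check of an sshd_config against the two setups described in the message above (key-only login on a moved port, or loopback-only sshd reached through an onion service). The sample configs and function names are constructed, and Match blocks are not evaluated.

```python
import ipaddress

# Constructed configs for illustration; none of these come from the thread.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
MOVED = "Port 2222\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
ONION = "ListenAddress 127.0.0.1\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
# OpenSSH defaults used when a keyword is absent, and what key-only login needs.
DEFAULTS = {"port": ["22"], "listenaddress": [], "pubkeyauthentication": ["yes"],
            "passwordauthentication": ["yes"], "kbdinteractiveauthentication": ["yes"]}
REQUIRED = {"pubkeyauthentication": "yes", "passwordauthentication": "no",
            "kbdinteractiveauthentication": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
MULTI = {"port", "listenaddress"}  # keywords that may be repeated

def effective(text):
    """Global settings as sshd reads them: the first value of a keyword wins."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional blocks are not evaluated in this sketch
        values = seen.setdefault(key, [])
        if key in MULTI or not values:
            values.extend(parts[1:2])
    return {**DEFAULTS, **seen}

def is_loopback(listen):
    """True for 127.0.0.1, ::1 or localhost, with or without a :port suffix."""
    host = listen[1:].split("]")[0] if listen.startswith("[") else listen
    if host.count(":") == 1:
        host = host.split(":")[0]
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text, onion_only=False):
    """Keywords that need attention; onion_only=True checks the loopback setup."""
    cfg = effective(text)
    findings = [k for k, want in REQUIRED.items() if cfg[k] != [want]]
    loopback = bool(cfg["listenaddress"]) and all(map(is_loopback, cfg["listenaddress"]))
    if onion_only and not loopback:
        findings.append("listenaddress")  # sshd is still reachable from outside
    if not loopback and "22" in cfg["port"]:
        findings.append("port")  # publicly reachable on the default port
    return findings
```

`audit(WEAK)` flags password login even though the file also contains `PasswordAuthentication no`, because the later line is ignored.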

Re: [tor-relays] Is OVH a safe vps provider to run an exit relay on?

2021-04-02 Thread Eddie

William,

At (about) what number of relays per provider should we be considering 
looking elsewhere.


Cheers.



On 4/1/2021 12:53 AM, William Kane wrote:
> Hi,
>
> no, OVH is the second most commonly used hosting provider, another
> relay hosted there would hurt the network more than it would help:
>
> https://metrics.torproject.org/bubbles.html#as
>
> We need to make the network as diverse as possible, in order to make
> it as hard as possible for law enforcement and other bad actors to
> de-anonymize tor circuits.
>
> --Very large snip snip--
>
> Look for a host, get its AS ID, then input it here:
> https://metrics.torproject.org/rs.html#search/as:
>
> Example:
>
> https://metrics.torproject.org/rs.html#search/as:AS197019
>
> If this was a bit too much, I apologize - I will gladly answer any
> questions you have.
>
> - William
>
> On 30/03/2021, Keifer Bly wrote:
> > Hi,
> >
> > I am wondering if OVH is a safe VPS provider to run an exit relay on? Thank
> > you.
> >
> > --Keifer



Re: [tor-relays] bridge static or dynamic ip and multiple bridge config

2021-04-02 Thread gi vi an

On 2021-04-01 17:17, li...@for-privacy.net wrote:
> On 31.03.2021 18:09, gi vi an wrote:
>
> > does bridge require static or dynamic ip?
>
> If it only changes every few weeks, you can work with DynDNS.
>
> If you are only online for a few hours or your dyn IP keeps changing,
> check out Tor snowflake.
> https://support.torproject.org/censorship/what-is-snowflake/
> https://snowflake.torproject.org/
>
> > if more than one bridge can be configured per one isp connection, how
> > do i configure?
>
> Setup 2 Tor instances.
> On Debian systems see tor-instances. Only 2 instances are allowed per
> IPv4 or IPv6/64 subnet.
>
> How expensive is a static IP at your ISP (+24h electricity)? Maybe a
> KVM costs the same.
> A $ 3.50 per month KVM is enough for a bridge.

i am from india.
few of my colleagues are paying 1000 rupees (almost 15 dollars).
i almost finalised small server(512 gb ram).
probably i should look for vms.

> https://buyvm.net/kvm-dedicated-server-slices/
> For Tor exit please read acceptable-use-policy.


--
who am i ? https://mstdn.social/@gvian
