
Re: [tor-talk] Security concerns with running an exit relay



S7R,

That is a start.
But where is the full and exemplary answer for someone like me who really wants to get it right but doesn't know how to set the DirFrontPage up or the NTP syncing?

Roger says to try the tor-relay list but that has almost no chance of satisfying the need. Responses to my questions have been condescending and smartarse or ill-informed from people speaking beyond their ability, which is worse.

There ought to be a detailed guide for Tor being set up on hired servers by well-intending people answering the call for more Tor nodes and specifically exits.
The EFF Challenge does the encouraging but points to the Tor site for what, I find, is inadequate help.

The presumption must be that the person does not know Linux well nor network security.

Robert


> -----Original Message-----
> From: s7r@xxxxxxxxxx
> Sent: Fri, 06 Jun 2014 03:30:45 +0300
> To: tor-talk@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [tor-talk] Security concerns with running an exit relay
> 
> On 6/6/2014 2:57 AM, ondesmartenot@xxxxxxxxxx wrote:
>> Hello,
>> 
>> I am interested in running a Tor exit relay, and I have
>> successfully set one up in the past, but I took it down because I
>> realized that I do not have any clue how to protect myself if
>> someone who sees lots of Tor traffic exiting from my IP address
>> decides to attack my router or computer.
>> 
>> Can you point me to any documentation relating to maintaining your
>> relay's security? I know that computer security is a large and
>> complex problem, but just some basic information on likely threats
>> and tips to protect against them would be much appreciated.
>> 
>> Thanks so much for making the internet awesome, Ondes
>> 
>> 
> Hi,
> 
> Well there is nothing magic about it. Just run it as you would any
> server, keep it maintained and up to date and of course don't easily
> allow remote access to it so somebody can fish it at first mass scan.
> Install the latest stable version including its dependencies and make
> sure you run up to date versions for all you have installed on the
> server.
> 
> Make sure you use NTP to sync the time and have accurate time on your
> server - Tor needs the right time, especially if you are a relay. A
> good practice is to run ORPort on 443 and DirPort 80 for easy
> connectivity, and include a DirPortFrontPage argument to point to an
> HTML file which explains what Tor is and that the said IP is a Tor
> exit router. You can find an example for this page if you google "this
> is a tor exit router" and modify the content slightly according to
> your needs.
> 
> If you are an exit relay it is recommended you run your own recursive
> DNS resolver on localhost too (BIND). Use a DirPortFrontPage argument
> in torrc
> 
> I suggest you don't run the relay on your computer. Find a reasonable
> ISP and rent a server / virtual server, run it from there. If you
> google "how to install tor <insert your operating system here>" you
> will find plenty of tutorials. Just edit the torrc file to act as a
> relay. Provide a good contact email address, so people can contact you
> and enter your exit policy. I would recommend you to block just port
> 25 SMTP, to prevent spam. But if you host your relay in a
> torrent-unfriendly place, block higher ports also for p2p. But, p2p by
> definition cannot be really permanently blocked (via destination:port)
> no matter what.
> 
> If you find trouble in doing it or if you have any other questions
> mail me.
> 
> - --
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@xxxxxxxxxxxxxx


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
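
The torrc items named in the quoted reply (ORPort 443, DirPort 80, DirPortFrontPage, a contact address, an exit policy that rejects port 25) can be checked mechanically. The Python script below is an added example, not part of either message and not Tor project code; the sample torrc, its HTML path and its contact address are constructed placeholders, and NTP is outside what it checks.

```python
# Constructed sample torrc following the quoted advice; the e-mail address
# and HTML path are placeholders, not values from the thread.
SAMPLE_TORRC = """\
ContactInfo Relay Admin <tor-admin AT example DOT org>
ORPort 443
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitPolicy reject *:25   # block SMTP to prevent spam
ExitPolicy accept *:*
"""

REQUIRED = ("ORPort", "DirPort", "DirPortFrontPage", "ContactInfo")

def parse_torrc(text):
    """Return {option_lowercased: [values in file order]}, comments stripped."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]).strip())
    return opts

def covers_smtp(port):
    """True if a policy port field ('*', '25', '20-30') includes port 25."""
    if port == "*":
        return True
    lo, _, hi = port.partition("-")
    return lo.isdigit() and (hi or lo).isdigit() and int(lo) <= 25 <= int(hi or lo)

def audit(text):
    """Return a list of findings; an empty list means the checklist passes."""
    opts = parse_torrc(text)
    findings = [f"{name} is not set" for name in REQUIRED if name.lower() not in opts]
    # Rules are evaluated in order, first match wins: reject SMTP before any accept.
    rules = [r.strip() for line in opts.get("exitpolicy", []) for r in line.split(",")]
    for rule in rules:
        action, _, target = rule.partition(" ")
        addr, port = target.strip().rsplit(":", 1) if ":" in target else (target.strip(), "*")
        if covers_smtp(port) and action.lower() == "accept":
            findings.append(f"'{rule}' accepts port 25 before any 'reject *:25'")
            break
        if covers_smtp(port) and action.lower() == "reject" and addr == "*":
            break
    else:
        findings.append("no explicit 'reject *:25' rule found")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC) or "checklist passes")
```

To audit a real configuration, pass the contents of the relay's torrc file to `audit()` in place of the sample.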