Re: [tor-relays] Any security tips on running a TOR relay?

Subject: Re: [tor-relays] Any security tips on running a TOR relay?

From: Green Dream <greendream848@xxxxxxxxx>

Date: Thu, 4 Aug 2016 18:45:44 -0700

Delivery-date: Thu, 04 Aug 2016 21:46:05 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=NuAMxprOWRP4VrVq5odvKMwNJx6FWw7AgrJnUOenYjo=; b=VYB9KqBvhFM+/LQe0+s7Ep3OThczmEOdq0R+TPlleD/3wsxfZIrweBjSnL1Atvo+ov V3UUFIc0IGRocIkyjexku72le2N9UANLGo8z9vFR4EfDsSrPb33hCh81g55PaVtp4n11 lHnGfE+3CjaLmwfi7pXYw+llGFobM7XlUBExzkKEmDdeieEb1b2VbBQNXyj72FiOdaKn fc25MyxHyAMjDuyV5yIs3OwjCvkfPEqwHGpaWu4Md/rKaKH8Rwq1P2z2fty173rzvAZk MPaEmJkiB8mkTojE78mCSWaaTix/IfUhRQulia/Bz7bQeJ+5WpysKPXJOcK5OTWPxfFX ngVA==

In-reply-to: <CAKkV4FFuju5PMy1ac83wSCMZcKPL3r+gViJJWV1WOM=Ms29-Og@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <021f01d1ee15$831ee920$895cbb60$@ab49k.net> <CAAd2PDL88Yujm-wuw04nbN+WgTydWLXLMr_rUR--h_TikhyoPA@mail.gmail.com> <CAKkV4FHeSxNABpeR_baHFcpWtEFn0TkoVbm-xjPqb+vPnWT+qg@mail.gmail.com> <CAAd2PD+tFsDZ4Euw-YXXLjs_orGsK9p8ijmiPUz+b8EMXKdstw@mail.gmail.com> <CAKkV4FG_bFCed5ZadCiR32cCKUy_Z158SSm+Bo6aOEvRhcmEDA@mail.gmail.com> <CAAd2PD+7SE=kDsHLXdHv5AjmRk9Y2NQA4br9=1xXNKUPuVGKrg@mail.gmail.com> <CAKkV4FFuju5PMy1ac83wSCMZcKPL3r+gViJJWV1WOM=Ms29-Og@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hey Tristan,

> Any ideas what in-addr.arp is

Yes, this is the standard format for reverse DNS lookups for IPv4 addresses.

I'm not sure what command(s) you were using, but in-addr.arpa is an expected result (or intermediate step) of doing something like "host 8.8.4.4" on Linux. The IP octets are reversed and appended to the domain suffix in-addr.arpa (ex: 4.4.8.8.in-addr.arpa for 8.8.4.4) to create a hostname. Then to continue the same example, the host tool finds a PTR record for that hostname (ex: google-public-dns-b.google.com). You can read more about this here:

https://en.wikipedia.org/wiki/Reverse_DNS_lookup
https://tools.ietf.org/html/rfc2317

So... those in-addr.arpa references don't really tell you anything. It's just a distraction. My hunch is that the IP addresses in your log are going to be a random selection of IPv4 addresses from Tor clients and relays.

> why the firewall would block it even on allowed ports?

I was trying to explain earlier but did a poor job. I don't have a specific explanation for Tor, but it's common to see the same behavior with denied packets to port 80 and 443 on a web server, even when there is a UFW (iptables) allow rule. It has to do with the state of the connection. There's an explanation for web servers and port 80 blocks here:

https://ubuntuforums.org/showthread.php?t=2138691 (see the 2nd post)

I am making an assumption that we're seeing the same behavior on the Tor ports. It would be good if someone with a better understanding of the protocols could confirm or deny the theory. I'm not 100% certain.

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays