
Re: [tor-talk] Security concerns with running an exit relay



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/6/2014 2:57 AM, ondesmartenot@xxxxxxxxxx wrote:
> Hello,
> 
> I am interested in running a Tor exit relay, and I have
> successfully set one up in the past, but I took it down because I
> realized that I do not have any clue how to protect myself if
> someone who sees lots of Tor traffic exiting from my IP address
> decides to attack my router or computer.
> 
> Can you point me to any documentation relating to maintaining your
> relay's security? I know that computer security is a large and
> complex problem, but just some basic information on likely threats
> and tips to protect against them would be much appreciated.
> 
> Thanks so much for making the internet awesome, Ondes
> 
> 
Hi,

Well, there is nothing magic about it. Just run it as you would any
server, keep it maintained and up to date, and of course don't easily
allow remote access to it so somebody can fish it at first mass scan.
Install the latest stable version including its dependencies and make
sure you run up-to-date versions of everything you have installed on
the server.

Make sure you use NTP to sync the time and have accurate time on your
server - Tor needs the right time, especially if you are a relay. A
good practice is to run ORPort on 443 and DirPort on 80 for easy
connectivity, and include a DirPortFrontPage argument to point to an
HTML file which explains what Tor is and that the said IP is a Tor
exit router. You can find an example for this page if you google "this
is a tor exit router" and modify the content slightly according to
your needs.

If you are an exit relay it is recommended you run your own recursive
DNS resolver on localhost too (BIND). Use a DirPortFrontPage argument
in torrc.

I suggest you don't run the relay on your computer. Find a reasonable
ISP and rent a server / virtual server, and run it from there. If you
google "how to install tor <insert your operating system here>" you
will find plenty of tutorials. Just edit the torrc file to act as a
relay. Provide a good contact email address, so people can contact you,
and enter your exit policy. I would recommend that you block just port
25 (SMTP), to prevent spam. But if you host your relay in a
torrent-unfriendly place, block higher ports also for p2p. But p2p by
definition cannot really be permanently blocked (via destination:port)
no matter what.

If you find trouble in doing it or if you have any other questions
mail me.

- -- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@xxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJTkQu1AAoJEIN/pSyBJlsR2D4IAMG2kJIufiqmrfz8uCtHlEyV
PdmF26JEVn6JoR15lCxk60kvO30NQjlckcP/CACrj3MAvzO6Hsh+GVg30+pFxF5A
YARyQpwkho6fb95vsCQCkCKsC8Dm9WFuq8IUyRbi3vE4lV4LcCy79oSchmEmQVNM
4Fdn7RUKoy+UdsaiZMe+OBS/JN6GwiMGF6FF7M+YNTjOsPhydFX8KZ+b1VYvXXsd
B4f7snoasHJMk+Jn1RXC3LHJTi4hRkasXQjF2EiMDTHklFtoQ3OVQoZ51NPvsSuB
3x2HAsh/cIKjXbvjAY6INKJQv0NZ4dpkMHusR3j1B/5HVGmaU2jfNNg8P2GupnE=
=xPWf
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
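A torrc fragment that puts the advice in the reply above together (ORPort 443, DirPort 80 with a DirPortFrontPage, a contact address, and an exit policy that rejects only SMTP). This is an added illustration, not part of s7r's message or the Tor Project's own documentation; it assumes a current Tor release, and the nickname, contact address and front-page path are placeholders marked CHANGEME.

```conf
## Example exit-relay torrc (added illustration, not from the original
## message). Replace every CHANGEME value before use.

# Relay identity and operator contact (placeholders)
Nickname         CHANGEMErelay
ContactInfo      CHANGEME operator <abuse@example.org>

# ORPort 443 / DirPort 80 as suggested above: reachable through most
# restrictive client-side firewalls. Binding ports below 1024 on Linux
# requires root or CAP_NET_BIND_SERVICE at startup.
ORPort           443
DirPort          80

# Serve an explanatory page on the DirPort so anyone looking up this IP
# sees that it is a Tor exit router (path is a placeholder).
DirPortFrontPage /etc/tor/CHANGEME-exit-notice.html

# Dedicated exit server: act as an exit, no local SOCKS listener.
ExitRelay        1
SocksPort        0

# Exit policy: refuse SMTP so the relay cannot be used for spam, allow
# everything else. Rules are evaluated first to last; the last line is
# the default. A stricter p2p-hostile policy would add more reject
# lines before the final accept.
ExitPolicy       reject *:25
ExitPolicy       accept *:*

# Exit DNS goes through the system resolver (/etc/resolv.conf by
# default), so point that file at the local recursive resolver
# (127.0.0.1 for a local BIND) rather than the ISP's resolver.
```

After editing, reload Tor and check its log for the ORPort/DirPort reachability self-test messages; a relay whose ports are not reachable from outside never becomes usable, and a missing or unreachable front page makes abuse complaints far harder to handle.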