[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Unable to login to relay server when Tor is running
this sounds like either running out of filedescriptors or some shitty
iptables anti-ddos script
each tcp stream = 1 filedescriptor = a few kb of ram (never mind that,
it's 2010 ;)
to check/change:
systemwide maximum:
a84-22-97-10:~# cat /proc/sys/fs/file-max
204135
file descriptors in use:
a84-22-97-10:~# cat /proc/sys/fs/file-nr
11840 0 204135
per process and its childs (integrate it into /bin/login or
something):
bash command: ulimit
tcsh command: limit
c-command: getrlimit() setrlimit() etc. (for direct integration into the
/bin/login code and/or crontab on shell servers etc or into the wrapper
that starts your tor daemon in your case ;)
a84-22-97-10:~# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) unlimited
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
in all cases, when exceeding either the system or per process-tree
rlimits, there will be something displayed like fork() resource
unavailable,
(ofcourse you already need access at that point so you'd better have a
local console/serial console already logged in at all times as otherwise
it can't exec bash while logging in either ;)
could also be some shitty iptables counter based "ddos filter" which you
may use (god knows why people use those, cause more trouble than their
good for, just integrate attack filtering into your server software code
and make sure "fake" connections take up as less resources as possible for
as short time as possible, by running proxies in front of the real
webserver for example that do the connection-per-ip-per-time counting and
only take a few kb)
these so-called "ddos protection" scripts using iptables actually cause
simular problems to what you describe above, not just for tor, for any
service thats "used a lot", so just don't use them, they're crap ;).
ports that aren't open don't need "protection" in the first place, and you
can always just DROP anything you don't want, much easier and less chance
of it fucking up lets say ssh access.
On Tue, 12 Jan 2010, Markus Petersen wrote:
Dear fellow Tor users,
I have a problem that I hope someone is able to help me solving. I want
to run a Tor relay (non-exit for the time being) on my VPS. The VPS has
got 1GiB of memory, plenty of bandwidth, and I've got about 5TiB of
traffic to spare each month, which I'd like to give to the Tor network.
The problem is, when the relay has been running for some time (I haven't
measured when exactly), I am unable to connect to my server. Neither ssh
nor imap-logins work anymore. I tried rate-limiting the relay to
5000kBps and then 1000kBps, with the same results. The only thing that
solves it is when I restart the server and disable Tor again.
In short: what do I do now? Has anyone got any clue as to what the
problem might be? I have a wild guess of the server not being able to
have that many TCP connections, but how do I check something like that?
Thank you!
Regards,
Markus