Re: [tor-relays] About running an Exit node



On 5/7/2014 12:56 PM, Pika ohc wrote:
> Hi there,
> 
> I was considering running an exit node on my own PC; however, I
> have some questions about exit nodes.
> 

It's very nice that you want to contribute to the Tor network by running a
relay. If you can spare the budget, it's always better to run a Tor
exit relay at a datacenter, on a dedicated or virtual server, and for that
machine to have only one scope: the Tor relay. If you go this way, make
sure you tell the provider that it will be a Tor relay and that it
will consume more bandwidth than usual.

> 1. How can I know if there is a client specifying me as an exit
> node and the traffic is sent from the client to me directly (where
> my exit node is the first node and also the last node for the
> client)?
> 

That is not allowed by default in Tor. You don't need to do anything
to protect against this since it won't happen. A user can trick your
exit node into thinking that "he" is a Tor relay too, but this will
not affect you in any way and it will just have a terrible anonymity
impact on the so-called "attacker". This would not be something sane
to do; I mean nobody would gain anything from doing this, it will
just decrease their level of anonymity. This affects everyone, so it's
no cause for worry.

> 2. If I found some clients trying to do something bad by using the
> method mentioned in 1., how can I stop them? Can iptables or anything
> else help me to block such clients?
> 

This is irrelevant. You should not do anything and you should not even
monitor what the users are doing via your exit relay. Restrict what
you do not want to allow by using the reject argument in torrc. For
example, block port 25 to prevent spam (SMTP) - this is where most
abuse comes from. And if you are in a country concerned about P2P
file sharing, also reject the high ports commonly known to be used by
BitTorrent. You can find a reduced exit policy example on
torproject.org. Other than port 25, there isn't anything else important
that somebody could do to cause harm to your relay, in the real sense of
the word. If you consider scanning or bruteforcing SSH or other services
relevant, you should not :)

If you are an exit relay, include a valid contact email address in
torrc. Run a page on port 80 of the relay's IP (DirPortFrontPage if
you use DirPort on port 80) and explain that this is a Tor exit relay,
explain in a few words what Tor is and provide a valid contact email
address so concerned people can at least send you an email. You can
find a sample of this page just by searching Google for "this is a tor
exit router".

> Hope there's someone who can answer me. Thank you!
> 
> 
> _______________________________________________ tor-relays mailing
> list tor-relays@xxxxxxxxxxxxxxxxxxxx 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
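
The torrc advice in the reply above (reject port 25, set a contact address, serve a notice page when DirPort is 80) can be checked mechanically. The following Python audit is an added example, not part of the original e-mail and not Tor's own code; the sample torrc, the address abuse@example.org and the notice path are constructed, and it assumes ExitPolicy entries in the plain `accept|reject ADDR:PORT` form.

```python
# Added example: audits a torrc excerpt against the advice in the reply above.
# Assumption: ExitPolicy entries use the plain "accept|reject ADDR:PORT" form.
# Constructed sample (address and notice path are placeholders, not from the e-mail).
SAMPLE_TORRC = """\
ContactInfo abuse@example.org
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitPolicy reject *:25
ExitPolicy accept *:80,accept *:443
ExitPolicy reject *:*
"""

def parse_torrc(text):
    """Return (options, rules); rules keep file order as (action, addr, lo, hi)."""
    options, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() != "exitpolicy":
            options[key.lower()] = value.strip()
            continue
        for rule in value.split(","):
            action, target = rule.split()
            addr, _, port = target.rpartition(":")
            lo, _, hi = port.partition("-")
            lo, hi = (1, 65535) if port == "*" else (int(lo), int(hi or lo))
            rules.append((action.lower(), addr, lo, hi))
    return options, rules

def verdict(rules, port):
    """First matching rule wins. An earlier accept for any address counts as open."""
    for action, addr, lo, hi in rules:
        if lo <= port <= hi and (addr == "*" or action == "accept"):
            return action
    return "unlisted"  # nothing in this file decides the port

def audit(text):
    """Return findings; an empty list means the excerpt follows the advice."""
    options, rules = parse_torrc(text)
    findings = []
    if verdict(rules, 25) != "reject":
        findings.append("port 25 (SMTP) is not explicitly rejected")
    if "@" not in options.get("contactinfo", ""):
        findings.append("ContactInfo has no e-mail address")
    if options.get("dirport", "").split()[:1] == ["80"] and "dirportfrontpage" not in options:
        findings.append("DirPort 80 is set without DirPortFrontPage")
    return findings
```

Rule order matters here: a `reject *:25` placed after a broader accept is reported as a finding, because the first matching rule decides.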