Hi,
I am trying to run a few Exit relays on my 1 gbps connection. To keep
donating the exit capacity to the Tor project I have to keep abuse
reports to a minimum.
In order to have the Exit flag I have read that I have to keep two of
ports 80, 443 and 6667 open, plus allow exiting to at least one
> Port numbers and TLS are orthogonal: port 443 can be used for cleartext,
> and port 80 for encrypted traffic. In the case of IRC, it's quite common
> for 6667 to be used with TLS.
When a relay operator uses exit policies, I believe they express an
intent to block certain types of applications, a
Check this list and choose the ones with the lowest ping from your node:
https://www.lifewire.com/free-and-public-dns-servers-2626062
Make sure to avoid DNS servers marketed as "secure" (for example, do
NOT use "Comodo Secure DNS") since they perform arbitrary
censorship/redirection. Also, do not
The DNS issue is in the "long tail" - rare/unique websites are unlikely to be
cached, yet they likely represent the most interesting targets.
I do agree that running dnsmasq (or a similar caching resolver) is probably
sufficient to make DNS attacks too unreliable to invest in. I am not sure why
Hi,
I have configured a Tor bridge to go through a particular Tor guard
relay (that I also own), as an experiment.
Upon initialization I am getting this warning:
"Your guard [fingerprint] is failing an extremely large amount of
circuits. This could indicate a route manipulation attack, extreme
ne
I wonder if these are all half-measures, and Tor needs a first-class solution
to the DNS weakness.
Every Tor relay can have a simple resolver built-in, and/or perhaps all Tor
relays could be running a DHT-style global DNS cache.
In case of a cache miss, the exit relay could build a circuit to an
If it's important enough to do on a single relay, it's important
enough to do it across the entire network. I bet there are, and will
always be, plenty of exit node operators not reading this email list,
or not planning to do anything, or not configuring everything
properly, etc.
On Tue, Sep 12, 2
I have set up a (private, key-based) Tor hidden service for SSH administration.
It works well and leaves no extra open ports to attack.
If you also take advantage of package updates over Tor (via the local SOCKS5
proxy that any Tor instance provides) the only non-OR incoming traffic you need
to
: [tor-relays] SSH brute force attempts to connect to my Middle
Relay IP address
> On 4 Oct 2017, at 02:26, Igor Mitrofanov
> wrote:
>
> I have set up a (private, key-based) Tor hidden service for SSH
> administration. It works well and leaves no extra open ports to attack.
>
> If you also
//wiki.debian.org/HowTo/dnsmasq#Local_Caching ).
3) Make sure that the file /etc/dnsmasq.conf contains the line
"listen-address=127.0.0.1" (to restrict dnsmasq to the local system).
4) Set the cache size to 1 by adding or editing this line
"cache-size=1" i
Unless configured otherwise, Dnsmasq chooses a server from the list
randomly, so the more servers the operator specifies in dnsmasq.conf,
the less traffic each server gets. This increases the diversity of DNS
requests, complicating traffic analysis for any adversary that
controls some, but not all,
Toralf, thanks for the data. Has that 10% stabilized, or is it still
growing for your node?
On Sun, Oct 8, 2017 at 9:54 AM, Toralf Förster wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 10/08/2017 06:34 PM, Igor Mitrofanov wrote:
>> With a large-enough ca
My hosting provider runs no DNS servers and recommends using 8.8.x.x,
so I have to pick something.
On Sun, Oct 8, 2017 at 10:22 AM, Ralph Seichter wrote:
> On 08.10.17 18:34, Igor Mitrofanov wrote:
>
>> Unless configured otherwise, Dnsmasq chooses a server from the list
>> ran
r ISP can still observe your entire DNS activity. This is very
similar to running dnsmasq configured to work the DNS server hosted by
the ISP (which then performs the recursive functions) - except in my
case there isn't one.
On Sun, Oct 8, 2017 at 10:59 AM, Ralph Seichter wrote:
> On 08.10.17
relays sending DNS requests to a
large and diverse number of destinations can make practical
DNS-assisted traffic correlation prohibitively expensive.
On Sun, Oct 8, 2017 at 12:03 PM, Ralph Seichter wrote:
> On 08.10.17 20:48, Igor Mitrofanov wrote:
>
>> Unbound's upstream requests c
>> # Only listen on loopback
>>
>> interface=lo
>> bind-interfaces
>
> What is your opinion about the config line "listen-address=127.0.0.1" advised
> in https://wiki.debian.org/HowTo/dnsmasq#Local_Caching ?
It should have a similar effect, except that 127.0.0.1 is IPv4 only,
while "interface=lo"
Hi,
It looks like 94.7% of all Running relays have the "Fast" flag now. If
that percentage becomes 100%, the flag will become meaningless.
What were the reasons behind the current definition of "Fast", and are
those still valid? If not, should "Fast" become self-adjusting
("faster than 2 Mbps or 7
r
wants to provide).
On Sun, Oct 29, 2017 at 5:47 PM, Roger Dingledine wrote:
> On Sun, Oct 29, 2017 at 04:21:10PM -0700, Igor Mitrofanov wrote:
>> It looks like 94.7% of all Running relays have the "Fast" flag now. If
>> that percentage becomes 100%, the flag will become me
Atlas definitely looked lighter, more airy. The new UI looks dense and
dated, with that Microsoft Office style table from the 90s. Oh well,
I'll get used to it - at least it is not yet another "Web 2.0"
Bootstrap. The idea of merging Atlas into Metrics is definitely a good
one.
On Tue, Nov 14, 201
Do not enable net.ipv4.tcp_tw_recycle:
https://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux#netipv4tcp_tw_recycle
For ip_local_port_range, make one number even and the other one odd
(i.e. 1024 and 65535). Not sure if this is still required, but won't
hurt to include port 1024.
Conside
After reading every paper and post on sysctl.conf and iptables tuning
I could find, and reading some kernel code, I have come to a
conclusion that, while there are a few settings to tune (can share
mine, but your mileage *will* vary), most of the defaults are actually
not broken in the latest kerne
Sorry for the spam. One more link to a tuning guide that I have found useful:
https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
On Sat, Nov 25, 2017 at 10:04 PM, Igor Mitrofanov
wrote:
> After reading every paper and post on sysctl.conf
On Tue, Dec 12, 2017 at 1:17 PM, tor wrote:
>> I am getting this too, I saw this in the logs a few months ago and didn't think
>> anything of it.
>
>
> I wouldn't worry about it. Faravahar has a long history of misbehavior:
>
> https://lists.torproject.org/pipermail/tor-relays/2015-November/008097.html
Hi,
Is MaxMemInQueues parameter per-host (global) or per-instance?
Say, there are 10 relays on the same 24 GB host. Should I set
MaxMemInQueues to 20 GB, or 2 GB in each torrc?
Thanks,
Igor
___
tor-relays mailing list
tor-relays@lists.torproject.org
htt
to set
MaxMemInQueues without making it too conservative.
On Fri, Dec 22, 2017 at 11:46 AM, r1610091651 wrote:
> It would expect it to be per instance. Instances are independent of each
> other. Further one can only run 2 instances max / ip.
>
> On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov
It is safe to assume that both relays and select hidden services are
being scanned 24/7. When your host reboots (say, as a result of an
automatic OS update), both your relay and your hidden service become
unavailable at the same time, instantly revealing the IP of the hidden
service.
On Thu, Jan 4
Is there a way to inherit a portion of torrc (to avoid copying the
same MyFamily line into every torrc)?
On Thu, Jan 4, 2018 at 11:12 AM, John Ricketts wrote:
> Agreed. All of my 50 relays list all relays including itself.
I'd like to call out the apparent hidden service performance slowdown:
https://metrics.torproject.org/torperf.html?start=2017-04-23&end=2018-01-21&source=all&server=onion&filesize=50kb
I hope the dev team is looking into it.
Thanks,
Igor
Hi,
I use tor-instance-create to spawn a number of relay instances.
However, there seems to be one extra instance running - the default
one that reads /etc/tor/torrc (and not
/etc/tor/instances/INSTANCE/torrc).
How do I disable that default tor relay? It opens port 9050 and does
who else knows wh
Alison, can you please share a link to the results of 'user testing as
well as research on
usability, accessibility, and localization'? I most definitely welcome
the idea of making Tor look modern (and would like to help if I can)
but it would be good to see what standards the development team is
f
Matt, if you only have 1 host, it may be more beneficial to create 2
relays on it (or more than 2 - if you have more than 1 IPv4 address
available) using tor-instance-create. You could be hitting the limits
of what a single CPU core can do.
On Sun, May 26, 2019 at 4:07 PM Keifer Bly wrote:
>
> He
Is there anything Tor can do inside the Tor browser itself?
I would understand and support something as drastic as disabling non-HTTPS,
non-Onion connections altogether. When the user types a URL with no
protocol prefix, the browser will assume HTTPS.
This may break some websites, so a transition m
I denounce the Tor Project's political activism under the new
administration and this attempt to fuel the cancel culture.
I am signing the supporting letter for Richard Stallman and pausing my
relays. I realize that this is largely symbolic, but so is running Tor
relays in the first place. I am not