<br><br><div class="gmail_quote">On Tue, Nov 24, 2009 at 2:39 PM, Scott Bennett <span dir="ltr"><<a href="mailto:bennett@cs.niu.edu">bennett@cs.niu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Tue, 24 Nov 2009 11:40:00 -0500 Mike L <<a href="mailto:jackoroses@gmail.com">jackoroses@gmail.com</a>><br>
wrote:<br>
>I just recently started running an exit node (newbie) on a vps and have a<br>
>few questions that I didn't seem to find googling.<br>
><br>
>I am running tor-devel-0.2.2.5.alpha with<br>
>openssh-portable-overwrite-base-5.2.p1_2,1 and privoxy 3.0.12 (plus fail2ban<br>
<br>
Is openssh-portable-overwrite-base-5.2.p1_2,1 relevant in some way here?<br>
tor now uses openssl-0.9.8l, but I don't know of any reason for it to use any<br>
version of openssh.<br><br></blockquote><div>It isn't, I usually use ssh2 myself and never used openssh/ssl before.<br>I assumed the port I listed also overwrote the base install of openssl which was why<br>I included it. I see now that it actually doesn't so shame on me for assuming.<br>
Reason I assumed was when doing a ssh -v the output is<br>OpenSSH_5.2p1 FreeBSD-openssh-portable-overwrite-base-5.2.p1_2,1, OpenSSL 0.9.8e 23 Feb 2007 which made me believe that ssl was part of the package..<br><br> </div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>python25) on freebsd 7.2 amd64 on a quad core 2.4 ghz c2d VPS<br>
><br>
>The one issue that I'm a little perplexed on and I'm not really sure what it<br>
>can be is my load averages. Nothing is running on the machine except what is<br>
>required to run Tor.<br>
>sendmail and bsnmpd does run but those processes couldn't account for the<br>
>loads..<br>
>An example is 1 user, load averages: 1.32, 0.81, 0.79<br>
>The nic on the machine is re0 and I have enabled device polling in the<br>
>kernel.<br>
>The machine is pushing anywhere from 1-2.~ MB/s<br>
>I understand the load will increase with the traffic yet these load avg's<br>
>seem pretty high for that amount of traffic. No errors are given about<br>
>running out of open sockets and there is plenty of openfiles overhead for<br>
>the system as well.<br>
>I'm not sure if this is to be expected or if I can tune this VPS to ease the<br>
>load a little more?<br>
>My fbsd machine (7.2 amd64) here at home doesn't exhibit the same load when<br>
>I hammer the network interface but it's a different nic and isn't a VPS..<br>
>This all may be normal (load avg) but since this is the first time I am<br>
>wading in the pool I thought I'd ask if anyone can confirm this is to be<br>
>expected or if I should tune another system variable to try and lower my<br>
>loads more.<br>
<br>
I'm not sure either, but it may well be normal. My guess is that you<br>
see fairly low CPU utilization at the same time, right? Remember that load<br>
averages are just the average numbers of processes in the run queue at the<br>
instants sampled during the last minute, five minutes, and fifteen minutes.<br>
They have little direct relation to CPU usage.<br>
<br>
>Maybe relevant or not yet;<br>
>I read one of the operators (blutmagie?) compiled openssl with icc and they<br>
>saw some performance gain but it seems icc will not install on the amd64<br>
>platform. I was curious to try that though. If there is some compiling<br>
>options on the amd64 platform I can try I would be willing.<br>
<br>
Interesting. You paid for it, downloaded it into /usr/ports/distfiles,<br>
and then the installation via portmaster/portinstall failed? If so, then<br>
try posting to freebsd-ports@ or to the port maintainer for that port. (You<br>
do need to buy a license from Intel before you can install it.)<br></blockquote><div><br>I wasn't asking for help on the port, I was inquiring if there was any other compiling/compiler<br>options I can try to enhance performance. <br>
Besides, Intel allows running the compiler for 30 days to evaluate it. <br>No, I didn't buy it; yes, I would try it out just for a learning experience. I should have been more clear as well so I wouldn't get a presumptuous attitude.<br>
<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
><br>
>Next; I am curious about privoxy, does anyone have it configured with their<br>
>ip<br>
>in the listen address or do they leave it as 127.0.0.1?<br>
>listen-address <a href="http://127.0.0.1:8118" target="_blank">127.0.0.1:8118</a><br>
>I would like to be able to connect to the machine directly myself, to hop<br>
>onto the tor network,<br>
>and this seems the place to do so. What vulnerabilities does one open up<br>
>though by allowing anyone to connect to that? It's chained to Tor but again<br>
>I'm not sure if that is such a good idea or not to open it. ( I originally<br>
>had it configured to my machine ip and I could indeed connect to the Tor<br>
>network but changed it back until I could hear feedback on this)<br>
<br>
I haven't done that, but it seems to me that if you use a private network<br>
address with no NAT/RDR rules for it in your gateway, then it shouldn't be a<br>
problem. If you're really worried, of course, then you could add another<br>
ipfw rule to block access from outside.<br>
><br>
>One last question is..<br>
>Is it normal for Tor nodes to get hammered with this in their web logs?<br>
>client sent invalid method while reading client request line,<br>
>"^SBitTorrentprotocol^@^@^@^@^@^P^@^EE=C0E=EDT+A=B0^U^R"<br>
>I recorded over 2k of these hits in the first hour Tor was running. When I<br>
>initially ran Tor<br>
>I wasn't getting these, when I first logged into the VPS I wasn't getting<br>
>these, I can't quite give an exact time frame when these started happening<br>
>but it wasn't long after I had Tor running for about an hour and than these<br>
>started coming and haven't stopped.<br>
<br>
What was your choice of ORPort? Was it a port number commonly used by<br>
BitTorrent clients? Are the requests all coming from one IP address that<br>
you could easily block?<br>
<br></blockquote><div>ORPort is the default port 9001; no, the requests are not all from one IP.<br>That would be far too easy and I wouldn't bother the list for something as mundane<br>as that.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
>I actually shut down the web server because of the loads I'm currently<br>
>experiencing and didn't want a connection every 3 seconds of this garbage.<br>
>I understand people will run torrents through Tor but this doesn't seem to<br>
>be the case, it appears that this VPS IP somehow was tied into a seed box<br>
>somewhere at some time.<br>
>Maybe it is an exploit and now that the IP is live everyone in china is<br>
>trying for a fresh piece of meat..<br>
<br>
I keep net.inet.tcp.blackhole=2 in /etc/sysctl.conf to discourage<br>
port scanners and other miscreants. :-) More recently, I've added a generic<br>
block rule with logging to my pf rules, and I've started keeping a window<br>
open with a running display of the output in order to get a clearer picture<br>
of where such stuff comes from. As it happens, well over half of the blocked<br>
connections do come from China, but the rest are from locations scattered<br>
around the rest of the world. Most of the attempts come from repeat offenders.<br>
Because the SYN packets are blocked, the rest get dropped automatically without<br>
logging.<br></blockquote><div><br>I do as well; the setting helps but it doesn't stop the attempted connects, unfortunately.<br>Guess both these VPS IPs just happen to have history behind them..<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
><br>
>Here is some output, this is mostly httpd with some sshd connections thrown<br>
>in.<br>
>The bulk of these came in the first 15 minutes of the server starting and<br>
>the web server automatically running before I could shut it down.<br>
>ipfw show | grep 400 -c (400 being the rule for all of these connections)<br>
>3311<br>
> uptime<br>
>11:14AM up 18:38, 1 user, load averages: 0.60, 0.82, 0.82<br>
><br>
>now here are some numbers when I start the web server back up in<br>
>comparison..<br>
> ipfw show | grep 400 -c<br>
>3482<br>
> uptime<br>
>11:30AM up 18:54, 1 user, load averages: 1.48, 0.97, 0.87<br>
>those 100 extra bans all came in the whole 1:30 of running the server.<br>
><br>
>That's all that I can think of for now that I have been wondering about for<br>
>the last few days.<br>
><br>
Sorry I can't address more than I have above. Best of luck with it.<br>
<br>
<br>
Scott Bennett, Comm. ASMELG, CFIAG<br>
**********************************************************************<br>
* Internet: bennett at <a href="http://cs.niu.edu" target="_blank">cs.niu.edu</a> *<br>
*--------------------------------------------------------------------*<br>
* "A well regulated and disciplined militia, is at all times a good *<br>
* objection to the introduction of that bane of all free governments *<br>
* -- a standing army." *<br>
* -- Gov. John Hancock, New York Journal, 28 January 1790 *<br>
**********************************************************************<br>
</blockquote></div><br>
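As an added example (not code from either poster), here is one way to answer Scott's question about whether the BitTorrent-handshake hits all come from a single address: count the "client sent invalid method" lines per client IP from the web server's error log. It assumes the quoted message is nginx's error-log wording; the sample lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of an nginx error log (assumption: the
# quoted "client sent invalid method" message is nginx's). The request field is
# the 19-byte BitTorrent handshake prefix as nginx escapes it; addresses are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
2009/11/24 11:02:15 [info] 1234#0: *1 client sent invalid method while reading client request line, client: 203.0.113.5, server: _, request: "\\x13BitTorrent protocol"
2009/11/24 11:02:18 [info] 1234#0: *2 client sent invalid method while reading client request line, client: 198.51.100.7, server: _, request: "\\x13BitTorrent protocol"
2009/11/24 11:02:21 [info] 1234#0: *3 client sent invalid method while reading client request line, client: 203.0.113.5, server: _, request: "\\x13BitTorrent protocol"
2009/11/24 11:02:30 [error] 1234#0: *4 open() "/var/www/missing" failed (2: No such file or directory), client: 192.0.2.9, server: _, request: "GET /missing HTTP/1.1"
"""

# Matches only the invalid-method lines and captures the client IP and the
# raw request text nginx logged.
INVALID_METHOD = re.compile(
    r'client sent invalid method while reading client request line, '
    r'client: (?P<ip>[0-9.]+),.*request: "(?P<req>[^"]*)"'
)


def bittorrent_hits(log_text):
    """Return (Counter of hits per client IP, total hits) for invalid-method
    lines whose request payload is a BitTorrent handshake."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = INVALID_METHOD.search(line)
        if m and "BitTorrent protocol" in m.group("req"):
            per_ip[m.group("ip")] += 1
    return per_ip, sum(per_ip.values())


def single_source(per_ip):
    """True when every hit comes from one address, i.e. one firewall rule
    would be enough; False means the traffic is spread across clients."""
    return len(per_ip) == 1


if __name__ == "__main__":
    hits, total = bittorrent_hits(SAMPLE_LOG)
    print(f"{total} BitTorrent handshake hits from {len(hits)} address(es)")
    for ip, n in hits.most_common():
        print(f"  {ip}: {n}")
```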