August 2019 - tor-commits - lists.torproject.org

[community/staging] Update templates
by pili＠torproject.org 02 Aug '19

02 Aug '19

commit 847f5af05e71f1e676dde8c2e63f4773b3e65b39 Author: hiro <hiro(a)torproject.org> Date: Mon Jul 8 15:08:20 2019 +0200 Update templates --- .../community-resources/good-bad-isps/contents.lr | 52 +++++++++++----------- .../technical-setup/centosrhel/contents.lr | 19 ++++++++ .../technical-setup/debianubuntu/contents.lr | 19 ++++++++ .../technical-setup/fedora/contents.lr | 19 ++++++++ .../technical-setup/freebsd/contents.lr | 19 ++++++++ lego | 2 +- 6 files changed, 103 insertions(+), 27 deletions(-) diff --git a/content/relay-operations/community-resources/good-bad-isps/contents.lr b/content/relay-operations/community-resources/good-bad-isps/contents.lr index c9e52e1..0dd47f8 100644 --- a/content/relay-operations/community-resources/good-bad-isps/contents.lr +++ b/content/relay-operations/community-resources/good-bad-isps/contents.lr @@ -81,7 +81,7 @@ For network diversity and stronger anonymity, you should avoid providers and cou | [UPC Austria GmbH](https://www.upc.at/) | - | - | Yes | Yes | (ISP) does not care what their customers do at all (unless you have a business connection) | 12/2011 | | [Silver Server GmbH](http://sil.at/) | - | -| Yes | Yes | Forwards abuse. Hosts already some big exit/entry nodes which seem to have no problems. Very expensive traffic. | 12/2011 | | [Tele2 Austria GmbH](https://tele2.at/) | - | - | Yes | Yes | Forwards abuse at business connections, good quality traffic, does not like "proxys" on private lines. Cheap synchronous (SDSL) connections. | 12/2011 | -| [A1(former Telekom Austria)](http://a1.net) | - | - | Yes | No | Does not like Abuse (in any form) at all. Seems to give out customer data at alleged abuse. Not recommended but cheap. | 12/2011 | +| [A1(former Telekom Austria)](http://a1.net) | - | - | Yes | No | Does not like Abuse (in any form) at all. Seems to give out customer data at alleged abuse. Not recommended but cheap. | 12/2011 | | [xpirio GmbH](http://xpirio.at) | - | - | Yes | ? | In general rather relaxed at all services, but better get in touch with their (very understanding) support when you expect abuse. | 12/2011 | @@ -106,11 +106,11 @@ For network diversity and stronger anonymity, you should avoid providers and cou | [myLoc Managed IT](https://myloc.de) | AS31010, AS24961 | Yes | Yes | No | - | 2018-10-25 | | [linevast](https://www.linevast.de/) | - | Yes | Yes | Yes | Only allowed on dedicated servers | 13/11/2015 | | [Server4You](https://www.server4you.de/)| - | Yes | Yes | No | Part of [Intergenia AG](http://www.intergenia.de/)), I've asked Server4You support and they state servers with complaints about Tor will be canceled immediately (see the quote in the "Bad Experience" section) | - | -| [Hetzner](http://hetzner.de/) | - | - | Yes | No | Offers good dedicated root servers for a good price. | +| [Hetzner](http://hetzner.de/) | - | - | Yes | No | Offers good dedicated root servers for a good price. | | [Contabo](https://contabo.de) | - | Yes | Yes | Yes | Has no restriction for relays or exit nodes. However, possible abuse complaints will be forwarded to the owner and need to be addressed. | 2018/06 | | [Strato](https://strato.de) | - | - | Yes | No | Exit-Nodes are prohibited by their general terms and conditions | - | | [PraHost](https://www.prahost.com/) | - | - | Yes | Yes | Stated in November 2014 that they allow exit nodes if abuse complaints are handled. Suspends the server if no "valid" action (read: blocking) is taken within 24 hours of an abuse ticket. Their ticket system does not reliably handle email replies, use the web interface instead. | 2017-10-31 | -| [DomainFactory](https://www.df.eu/de/cloud-hosting/cloud-server/) | - | - | Yes | No | - | - | +| [DomainFactory](https://www.df.eu/de/cloud-hosting/cloud-server/) | - | - | Yes | No | - | - | | [NetCologne](https://www.netcologne.de/) | - | - | Yes | Yes | - | - | @@ -130,8 +130,8 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [Online.net](http://www.online.net/) | AS12876 | Yes | Yes | Yes | The account holder is responsible for all the traffic going through theirs servers.| 01/28/2019 | -| [Gandi VPS](https://www.gandi.net/) | - | Yes | Yes | Yes| Gandi send some abuse complaints to Exit relays, but they do not stop the server, and when you tell them your server is a Tor Exit relay, they say it is OK. They ask Exit relays to use the standard Reduced Exit Policy | - | +| [Online.net](http://www.online.net/) | AS12876 | Yes | Yes | Yes | The account holder is responsible for all the traffic going through theirs servers.| 01/28/2019 | +| [Gandi VPS](https://www.gandi.net/) | - | Yes | Yes | Yes| Gandi send some abuse complaints to Exit relays, but they do not stop the server, and when you tell them your server is a Tor Exit relay, they say it is OK. They ask Exit relays to use the standard Reduced Exit Policy | - | | [OVH Kimsufi](http://www.kimsufi.com/) | - | Yes | Yes | No | Changed their TOS in July 2013 and allow Tor as long as they don't notice illegal activities. Exit nodes would eventually be shut down, but relays are allowed. Octave Klaba, CEO of OVH said himself that the TOS have been changed to make them clearer about the use of Tor. Many relays are currently running on Kimsufi servers | - | | [Digicube](http://www.digicube.fr/) | - | Yes | Yes | Yes | - | - | | [Pulse Servers](http://www.pulseservers.com/) | - | Yes | Yes | Yes | VPS uses OVH AS. You can build ANY kind tor relays. | 05/01/2016 | @@ -179,7 +179,7 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [MivoCloud](https://www.mivocloud.com/) | - | Yes | Yes | No | - | 09/13/16 | +| [MivoCloud](https://www.mivocloud.com/) | - | Yes | Yes | No | - | 09/13/16 | | [Trabia](https://www.trabia.com/) | - | Yes | Yes | Yes | - | 08/13/17 | | [AlexHost](https://alexhost.md/) | - | Yes | Yes | Yes | - | 07/21/2014 | @@ -193,17 +193,17 @@ For network diversity and stronger anonymity, you should avoid providers and cou | [verelox](https://verelox.com/) | AS12876 | Yes | Yes | Yes | - | 5/16 | | [HostHatch](https://hosthatch.com/) | AS42708 | Yes | Yes | No | - | 05/01/16 | | Ziggo | AS9143 | Yes | Yes | Yes | - | 05/24/2016 | -| [LiteServer](https://www.liteserver.nl/) | AS60404 | Yes | Yes | Yes | Can pay with Bitcoin. While their AUP doesn\'t allow tor exit nodes, see here[here](https://www.liteserver.nl/en/acceptable-usage-policy/). They make an exception if your exit-node has a reduced exit policy. And you must leave a note to them that you are running a exit-node. "We allow tor exit nodes as long you run a limited exit policy (block SMTP) to avoid abuse. | 12/26/2018 | +| [LiteServer](https://www.liteserver.nl/) | AS60404 | Yes | Yes | Yes | Can pay with Bitcoin. While their AUP doesn\'t allow tor exit nodes, see here[here](https://www.liteserver.nl/en/acceptable-usage-policy/). They make an exception if your exit-node has a reduced exit policy. And you must leave a note to them that you are running a exit-node. "We allow tor exit nodes as long you run a limited exit policy (block SMTP) to avoid abuse. | 12/26/2018 | | [i3D](https://www.i3d.net/) | - | Yes | Yes | Yes | Allows also exits, if abuse is handled properly | 08/13/2017 | -| [KoDDoS](https://koddos.net) | AS206264 | Yes | Yes | Yes | Bitcoin accepted. | 10/12/2017 | +| [KoDDoS](https://koddos.net) | AS206264 | Yes | Yes | Yes | Bitcoin accepted. | 10/12/2017 | | [Worldstream](https://www.worldstream.nl) | AS49981 | Yes | Yes | No | - | 02/06/2019 | | [LeaseWeb](https://www.leaseweb.com/) | - | Yes | Yes | Yes | - | - | | [Novogara](http://www.novogara.com) | - | Yes | Yes | Yes | Explicitly allows Tor exit nodes and forwards abuse/DCMA, but their network isn't the most stable. You need to email them for a custom offer. They also accept Bitcoin/UKash/CashU | - | -| [Netrouting`](http://netrouting.nl/) | - | Yes | Yes | No | ISP has confirmed by e-mail that exit nodes are NOT acceptable. | 2014-10-15 | +| [Netrouting`](http://netrouting.nl/) | - | Yes | Yes | No | ISP has confirmed by e-mail that exit nodes are NOT acceptable. | 2014-10-15 | | [DirectVPS](http://directvps.nl/) | - | Yes | Yes | ? | - | - | | [Versio](http://versio.nl/) | - | Yes | Yes | No | - | 2013 | | [CyberBunker](http://www.cyberbunker.com/) | - | Yes | Yes | Yes | Customers can remain anonymous. | - | -| [SnelServer](https://www.snelserver.com/) | - | Yes | Yes | Yes | Abuse complaints must be responded to within 24 hours or the system automatically suspends your account until you do. | 2014 | +| [SnelServer](https://www.snelserver.com/) | - | Yes | Yes | Yes | Abuse complaints must be responded to within 24 hours or the system automatically suspends your account until you do. | 2014 | | [ChmuraNet](https://www.chmuranet.com/) | - | Yes | Yes | Yes | Allows anonymous users to run tor exits. Abuse issues will be forwarded. Make sure to tell them that you're running an exit | 09/2014 | @@ -224,11 +224,11 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| | [Dataclub](https://www.dataclub.biz) | - | Yes | Yes | Yes | Your Exit should use Reduced Exit Policy | 2016/06/30 | -| [HostHatch](https://hosthatch.com) | AS42708 | Yes | Yes | No | - | 2016/05 | +| [HostHatch](https://hosthatch.com) | AS42708 | Yes | Yes | No | - | 2016/05 | | TeliaSonera | - | Yes | Yes | ? | TeliaSonera is also big in Sweden and deliver where other ISPs can't. | - | | [PRQ](http://prq.se/?p=dedicated&intl=1) | - | Yes | Yes | Yes | - | - | | [Portlane](http://www.portlane.com/) | - | Yes | Yes | Yes | Previously provided connectivity for ThePirateBay, OpenBitTorrent tracker et al. Handles abuse according to "Swedish praxis". | - | -| [Yourserver](https://www.yourserver.se/) | - | Yes | Yes | ? | Support team will allow relay/exit but TOR Traffic is throttled to 5Mbps speed. If your Exit relay receive too much complaints, they will ask to you to stop or otherwise they will suspend. | 2015/03/06 | +| [Yourserver](https://www.yourserver.se/) | - | Yes | Yes | ? | Support team will allow relay/exit but TOR Traffic is throttled to 5Mbps speed. If your Exit relay receive too much complaints, they will ask to you to stop or otherwise they will suspend. | 2015/03/06 | ### Switzerland @@ -237,22 +237,22 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| | [Solar Communications Gmbh](https://solarcom.ch/) | AS197988 | Yes | Yes | No | "We allow to place Tor routers, but don't allow to place Tor exit nodes." This applies to all their partners, who actually sell Solar's services to the public, namely: [Server & cloud](https://server-cloud.com), [CoinsHost](https://coinshost.com), [Incloudibly](https://incloudibly.net), [Cloudcom](https://cloudc.me), [AtomDrive](https://atomdrive.net). Cryptocurrencies are accepted. | 12/04/2015 | -| [fsit](http://www.fsit.ch/) | - | Yes | Yes | Yes | - | 11/2015 | +| [fsit](http://www.fsit.ch/) | - | Yes | Yes | Yes | - | 11/2015 | ### Latvia | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [Yourserver](https://www.yourserver.se/) | - | Yes | Yes | ? | Support team will allow relay/exit but TOR Traffic is throttled to 5Mbps speed. If your Exit relay receive too much complaints, they will ask to you to stop or otherwise they will suspend. | 2015/03/06 | +| [Yourserver](https://www.yourserver.se/) | - | Yes | Yes | ? | Support team will allow relay/exit but TOR Traffic is throttled to 5Mbps speed. If your Exit relay receive too much complaints, they will ask to you to stop or otherwise they will suspend. | 2015/03/06 | ### Canada | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [TekSavvy](http://www.teksavvy.ca) | - | Yes | Yes | ? | has a server-friendly Internet Use Policy (e.g., running a Tor relay) and has taken a stand in favor of net neutrality | 2008/12 | -| [CloudatCost.ca](http://www.cloudatcost.com/) | - | Yes | Yes | ? | operated by Fibernetics, has liberal abuse handling policies [AUP](http://www.cloudatcost.com/terms.php), however Tor is not explicitly allowed. | 2015/02 | +| [TekSavvy](http://www.teksavvy.ca) | - | Yes | Yes | ? | has a server-friendly Internet Use Policy (e.g., running a Tor relay) and has taken a stand in favor of net neutrality | 2008/12 | +| [CloudatCost.ca](http://www.cloudatcost.com/) | - | Yes | Yes | ? | operated by Fibernetics, has liberal abuse handling policies [AUP](http://www.cloudatcost.com/terms.php), however Tor is not explicitly allowed. | 2015/02 | | [oneprovider](http://oneprovider.com/) | - | Yes | Yes | Yes | They are reselling dedicated servers in many locations around the world. Abuse handling differs depending on the provider from which they resell. | 2016/06 | @@ -261,7 +261,7 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [Tus Hosting](http://www.tushosting.si/) | - | Yes | Yes | Yes | They just simply forward DMCA notices to us to handle (or ignore) them | - | +| [Tus Hosting](http://www.tushosting.si/) | - | Yes | Yes | Yes | They just simply forward DMCA notices to us to handle (or ignore) them | - | @@ -269,14 +269,14 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| | [UrDN](http://urdn.com.ua) | - | Yes | Yes | Yes | free speech hoster, allows anything but spam/scam. Abuse always forwarded. | 10/08/2015 | -| [Colocall](http://www.colocall.net/) | - | Yes | Yes | Yes | - | - | +| [Colocall](http://www.colocall.net/) | - | Yes | Yes | Yes | - | - | ### Lithuania | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [Baltic Servers](http://www.balticservers.com) | - | Yes | Yes | Yes | All abuse mails they got yielded support tickets | - | +| [Baltic Servers](http://www.balticservers.com) | - | Yes | Yes | Yes | All abuse mails they got yielded support tickets | - | ### New Zealand and Australia @@ -284,7 +284,7 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| | [HostHatch](https://hosthatch.com/) | AS36351 | Yes | Yes | No | Their VPS location is: Sydney, AU - Equinix IBX SY3 Data Center.Their ISP is:SoftLayer network, which includes primary transit from Telstra and peering with Equinix, Pipe-IX, NSW-IX and Megaport. | - | -| [Rimu hosting](http://rimuhosting.com) | - | Yes | Yes | Yes | Have servers in N.Z.; Sydney; London; and Dallas. Locations may vary, but quite happy with the specific Oz/NZ query. | - | +| [Rimu hosting](http://rimuhosting.com) | - | Yes | Yes | Yes | Have servers in N.Z.; Sydney; London; and Dallas. Locations may vary, but quite happy with the specific Oz/NZ query. | - | @@ -298,20 +298,20 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [T-Systems`](http://www.t-systems.cz/) | - | Yes | Yes | ? | - | +| [T-Systems`](http://www.t-systems.cz/) | - | Yes | Yes | ? | - | ### Poland | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| [Hitme.net.pl](http://hitme.net.pl/) | - | Yes | Yes | Yes | - | 12/06/2017 | -| [Hostowisko.pl](http://www.hostowisko.pl/) | - | Yes | Yes | ? | - | 27/08/2013 | -| [Exone](http://www.exone.pl/) | - | Yes | Yes | ? | - | 28/08/2013 | +| [Hitme.net.pl](http://hitme.net.pl/) | - | Yes | Yes | Yes | - | 12/06/2017 | +| [Hostowisko.pl](http://www.hostowisko.pl/) | - | Yes | Yes | ? | - | 27/08/2013 | +| [Exone](http://www.exone.pl/) | - | Yes | Yes | ? | - | 28/08/2013 | | [e24cloud](http://www.e24cloud.com/en) | - | Yes | Yes | ? | - | 01/10/2013 | | [hostinger.pl](http://www.hostinger.pl) | - | Yes | Yes | Yes | 02/10/2013 | | [statnet.pl](http://www.statnet.pl/) | - | No | No | No | Used to allow Tor-relays, but now is blocking Tor activity | 12/06/2017 | -| [IQ PL](http://www.iq.pl/) | - | Yes | Yes | Yes | They allow running exit node on collocated dedicated server | - | +| [IQ PL](http://www.iq.pl/) | - | Yes | Yes | Yes | They allow running exit node on collocated dedicated server | - | | [Slask DataCenter](https://sldc.eu/) | - | Yes | Yes | Yes | - | 21/02/2018 | @@ -319,7 +319,7 @@ For network diversity and stronger anonymity, you should avoid providers and cou | **Company/ISP** | **ASN** | **Bridges** | **Relay** | **Exit** | **Comments** | **Last Updated** | |-------------------------|-------------|-----------------|--------------|-------------|---------------------|------------------------| -| Axtel | - | Yes | Yes | ? | Currently some Guard / Middle nodes are running in Axtel network | 2019 | +| Axtel | - | Yes | Yes | ? | Currently some Guard / Middle nodes are running in Axtel network | 2019 | diff --git a/content/relay-operations/technical-setup/centosrhel/contents.lr b/content/relay-operations/technical-setup/centosrhel/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/centosrhel/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/content/relay-operations/technical-setup/debianubuntu/contents.lr b/content/relay-operations/technical-setup/debianubuntu/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/debianubuntu/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/content/relay-operations/technical-setup/fedora/contents.lr b/content/relay-operations/technical-setup/fedora/contents.lr new file mode 100644 index 0000000..9236220 --- /dev/null +++ b/content/relay-operations/technical-setup/fedora/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: Fedora +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: Fedora +--- +_slug: {{fedora}} diff --git a/content/relay-operations/technical-setup/freebsd/contents.lr b/content/relay-operations/technical-setup/freebsd/contents.lr new file mode 100644 index 0000000..28f5d71 --- /dev/null +++ b/content/relay-operations/technical-setup/freebsd/contents.lr @@ -0,0 +1,19 @@ +_model: page +--- +title: CentOS +--- +html: two-columns-page.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 3 +--- +body: + + +--- +subtitle: CentOS +--- +_slug: {{centos}} diff --git a/lego b/lego index 55784cf..4436f9b 160000 --- a/lego +++ b/lego @@ -1 +1 @@ -Subproject commit 55784cf553a4dbac0ef1bb49e33be6d0b23c91f1 +Subproject commit 4436f9bd93387785ad92f49bfeecda2d3d57df15

1 0

[community/staging] better strings for l10n
by pili＠torproject.org 02 Aug '19

02 Aug '19

commit 7578c61e3a07aa3367ee796d8b561089a0b4d323 Author: emma peel <emma.peel(a)riseup.net> Date: Wed Jul 24 16:34:22 2019 +0200 better strings for l10n --- .../tor-abuse-templates/contents.lr | 272 ++++++++------------- .../tor-exit-guidelines/contents.lr | 36 ++- 2 files changed, 123 insertions(+), 185 deletions(-) diff --git a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr index e57afb2..949df7f 100644 --- a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr +++ b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr @@ -6,15 +6,21 @@ body: # Before You Start -The best way to handle abuse complaints is to set up your exit node so that they are less likely to be sent in the first place. Please see [Tips for Running an Exit Node with Minimal Harassment](https://blog.torproject.org/running-exit-node) and [Tor Exit Guidelines](tor-exit-guidelines) for more info, before reading this document. +The best way to handle abuse complaints is to set up your exit node so that they are less likely to be sent in the first place. +Please see [Tips for Running an Exit Node with Minimal Harassment](https://blog.torproject.org/running-exit-node) and [Tor Exit Guidelines](tor-exit-guidelines) for more info, before reading this document. Below are a collection of letters you can use to respond to your ISP about their complaint in regards to your Tor exit server. ## Format and Philosophy of Templates -The general format of these templates is to inform the complaintant about Tor, to help them to find a solution to their particular issue that works in general for the Internet at large (open wifi, open proxies, botnets, etc), and barring all else, how to block Tor. The philosophy of the Tor Project is that abuse should be handled proactively by the site administrators, rather than wasting effort and resources on seeking vengeance and chasing ghosts. +The general format of these templates is to inform the complaintant about Tor, to help them to find a solution to their particular issue that works in general for the Internet at large (open wifi, open proxies, botnets, etc), and barring all else, how to block Tor. +The philosophy of the Tor Project is that abuse should be handled proactively by the site administrators, rather than wasting effort and resources on seeking vengeance and chasing ghosts. -The difference between the proactive approach and the reactive approach to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control. To further preach to the choir, the identity-based Internet "driver's licenses" of South Korea and China have done nothing to curtail cybercrime and Internet abuse. In fact, all [objective evidence](http://boingboing.net/2011/08/12/south-korea-to-abandon-real-name… seems to indicate that it has only created new markets for organized crime to preside over. This is the core idea that these abuse complaint templates attempt to instil in the recipient. Feel free to improve them if you feel they fall short of this goal. +The difference between the proactive approach and the reactive approach to abuse is the difference between decentralized fault-tolerant Internet freedom, and fragile, corruptible totalitarian control. +To further preach to the choir, the identity-based Internet "driver's licenses" of South Korea and China have done nothing to curtail cybercrime and Internet abuse. +In fact, all [objective evidence](http://boingboing.net/2011/08/12/south-korea-to-abandon-real-name… seems to indicate that it has only created new markets for organized crime to preside over. +This is the core idea that these abuse complaint templates attempt to instil in the recipient. +Feel free to improve them if you feel they fall short of this goal. All templates should include the Common Boilerplate below, and append some additional paragraphs depending on the specific Scenario. @@ -24,52 +30,37 @@ All templates should include the Common Boilerplate below, and append some addit The IP address in question is a Tor exit node. https://www.torproject.org/overview.html -There is little we can do to trace this matter further. As can be seen -from the overview page, the Tor network is designed to make tracing of -users impossible. The Tor network is run by some 5000 volunteers who -use the free software provided by the Tor Project to run Tor routers. -Client connections are routed through multiple relays, and are -multiplexed together on the connections between relays. The system -does not record logs of client connections or previous hops. - -This is because the Tor network is a censorship resistance, privacy, -and anonymity system used by whistle blowers, journalists, Chinese -dissidents skirting the Great Firewall, abuse victims, stalker -targets, the US military, and law enforcement, just to name a few. +There is little we can do to trace this matter further. As can be seen from the overview page, the Tor network is designed to make tracing of +users impossible. The Tor network is run by some 5000 volunteers who use the free software provided by the Tor Project to run Tor routers. +Client connections are routed through multiple relays, and are multiplexed together on the connections between relays. +The system does not record logs of client connections or previous hops. + +This is because the Tor network is a censorship resistance, privacy, and anonymity system used by whistle blowers, journalists, Chinese dissidents skirting the Great Firewall, abuse victims, stalker targets, the US military, and law enforcement, just to name a few. See https://www.torproject.org/about/torusers.html.en for more info. -Unfortunately, some people misuse the network. However, compared to -the rate of legitimate use (the IP range in question processes nearly -a gigabit of traffic per second), abuse complaints are rare. -https://www.torproject.org/docs/faq-abuse.html.en +Unfortunately, some people misuse the network. However, compared to the rate of legitimate use (the IP range in question processes nearly +a gigabit of traffic per second), [abuse complaints are rare](https://www.torproject.org/docs/faq-abuse.html.en). ``` ## Abuse Scenarios -The following scenario-specific paragraphs should be appended to the Common Boilerplate paragraphs above. The common boilerplate should be abridged or be omitted if the abuse complaintant is already familiar with Tor. +The following scenario-specific paragraphs should be appended to the Common Boilerplate paragraphs above. +The common boilerplate should be abridged or be omitted if the abuse complaintant is already familiar with Tor. ## Comment/Forum Spam ``` This does not mean that nothing can be done, however. -The Tor project provides an automated DNSRBL for you to query to flag -posts coming from Tor nodes as requiring special review. You can also -use this DNSRBL to only allow Tor IPs to read but not -post comments. https://www.torproject.org/projects/tordnsel.html.en - -However, be aware that this may be just one jerk amongst many -legitimate Tor users who use your forums. You might have luck getting -rid of this jerk by temporarily limiting account creation to require -Gmail accounts before posting, or by requiring account creation be -done over non-Tor before posting. - -In general, we believe that problems like this are best solved by -improving your service to defend against the attack from the Internet -at large. Brute force login attempts can be reduced/slowed by -captchas, which is the approach taken by Gmail for this same problem. -In fact, Google provides a free captcha service, complete with code -for easy inclusion in a number of systems to help other sites deal +The Tor Project provides an automated DNSRBL for you to query to flag posts coming from Tor nodes as requiring special review. +You can also use this DNSRBL to only allow Tor IPs to read but not post comments. https://www.torproject.org/projects/tordnsel.html.en + +However, be aware that this may be just one jerk amongst many legitimate Tor users who use your forums. +You might have luck getting rid of this jerk by temporarily limiting account creation to require Gmail accounts before posting, or by requiring account creation be done over non-Tor before posting. + +In general, we believe that problems like this are best solved by improving your service to defend against the attack from the Internet at large. +Brute force login attempts can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html ``` @@ -78,66 +69,43 @@ with this issue: https://code.google.com/apis/recaptcha/intro.html ``` In addition, our nodes do not allow SMTP traffic to be sent using our IPs. -Upon investigation, it appears that the source of the spam is due to -an abusive or compromised webmail gateway running at: -<web server here>. Did you contact their abuse department? +Upon investigation, it appears that the source of the spam is due to an abusive or compromised webmail gateway running at: +<web server here>. +Did you contact their abuse department? ``` ## Google Groups Spam ``` -It appears that your specific abuse complaint was generated by an -authenticated Google Groups user. Inspecting the headers reveals that -the abuse complaint address for Google Groups is -groups-abuse(a)google.com. Contacting this address will give you better -luck at actually having this abuser's Google Groups account canceled -than will chasing down Tor nodes, proxies, and open wireless access -points. - -Additionally, if your news reader supports killfiles, you may be -interested in using the Tor Bulk Exit list script to download a list of -IPs to include in your killfile for posts that match "NNTP-Posting-Host: +It appears that your specific abuse complaint was generated by an authenticated Google Groups user. +Inspecting the headers reveals that the abuse complaint address for Google Groups is groups-abuse(a)google.com. +Contacting this address will give you better luck at actually having this abuser's Google Groups account canceled than will chasing down Tor nodes, proxies, and open wireless access points. + +Additionally, if your news reader supports killfiles, you may be interested in using the Tor Bulk Exit list script to download a list of IPs to include in your killfile for posts that match "NNTP-Posting-Host: <ip>" https://check.torproject.org/cgi-bin/TorBulkExitList.py ``` ## DoS Attacks and Scraping Robots ``` -We're sorry your site is experiencing this heavy load from Tor. - -However, it is possible that your rate limiting alarms simply -experienced a false positive due to the amount of traffic that flows -through the router. We provide service to almost a gigabit of traffic -per second, 98% of which is web traffic. - -If the attack is real and ongoing, however, the Tor project provides -an automated DNSRBL for you to query to block login attempts coming +We're sorry your site is experiencing this heavy load from Tor. + +However, it is possible that your rate limiting alarms simply experienced a false positive due to the amount of traffic that flows through the router. +We provide service to almost a gigabit of traffic per second, 98% of which is web traffic. + +If the attack is real and ongoing, however, the Tor project provides an automated DNSRBL for you to query to block login attempts coming from Tor nodes: https://www.torproject.org/projects/tordnsel.html.en - -It is also possible to download a list of all Tor exit IPs that will -connect to your server port: + +It is also possible to download a list of all Tor exit IPs that will connect to your server port: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP&port=80 -In general however, we believe that problems like this are best solved -by improving the service to defend against the attack from the Internet -at large. - -Scraping and robot activity can be reduced/slowed by captchas, which is -the approach taken by Gmail for this same problem. In fact, Google -provides a free captcha service, complete with code for easy inclusion -in a number of systems to help other sites deal with this issue: -https://code.google.com/apis/recaptcha/intro.html - -Slow DoS attacks aimed to consume the Apache MaxClients limit -(http://www.guerilla-ciso.com/archives/2049) can be alleviated by -reducing the httpd.conf TimeOut and KeepAliveTimeout config values -to 15-30 and raising the ServerLimit and MaxClients values to -something like 3000. - -If this fails, DoS attempts can also be solved with iptables-based rate -limiting solutions, load balancers such as nginx, and also IPS devices, -but be aware that Internet traffic is not always uniform in quantity by -IP, due to large corporate and even national outproxies, NATs, and -services like Tor. +In general however, we believe that problems like this are best solved by improving the service to defend against the attack from the Internet at large. + +Scraping and robot activity can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html + +Slow DoS attacks [aimed to consume the Apache MaxClients limit](http://www.guerilla-ciso.com/archives/2049) can be alleviated by reducing the httpd.conf TimeOut and KeepAliveTimeout config values to 15-30 and raising the ServerLimit and MaxClients values to omething like 3000. + +If this fails, DoS attempts can also be solved with iptables-based rate limiting solutions, load balancers such as nginx, and also IPS devices, but be aware that Internet traffic is not always uniform in quantity by IP, due to large corporate and even national outproxies, NATs, and services like Tor. http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_wi… http://cd34.com/blog/webserver/ddos-attack-mitigation/ http://deflate.medialayer.com/ @@ -147,118 +115,72 @@ http://deflate.medialayer.com/ ## Brute Force Web Attacks ``` -We're sorry your account has been brute forced. We can try to prevent -our node from connecting to this site, but since the Tor network -has 800 or so exits, doing so wouldn't really stop the action long -term. The attacker would probably just chain an open proxy after Tor, -or just use open wireless and/or a proxy without Tor. - -The Tor project does provide an automated DNSRBL for you to query to -flag requests from Tor nodes as requiring special treatment: -https://www.torproject.org/projects/tordnsel.html.en - -In general, we believe that problems like this are best solved by -improving the service to defend against the attack from the Internet -at large rather than specifically tailoring behavior for Tor. Brute -force login attempts can be reduced/slowed by captchas, which is the -approach taken by Gmail for this same problem. In fact, Google -provides a free captcha service, complete with code for easy inclusion -in a number of systems to help other sites deal with this issue: -https://code.google.com/apis/recaptcha/intro.html +We're sorry your account has been brute forced. We can try to prevent our node from connecting to this site, but since the Tor network has 800 or so exits, doing so wouldn't really stop the action long term. +The attacker would probably just chain an open proxy after Tor, or just use open wireless and/or a proxy without Tor. + +The Tor project does provide an automated DNSRBL for you to query to flag requests from Tor nodes as requiring special treatment: https://www.torproject.org/projects/tordnsel.html.en + +In general, we believe that problems like this are best solved by improving the service to defend against the attack from the Internet at large rather than specifically tailoring behavior for Tor. +Brute force login attempts can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html ``` ## SSH Bruteforce Attempts ``` -If you are concerned about SSH scans, you might consider running your -SSHD on a port other than the default of 22. Many worms, scanners, and -botnets scan the entire Internet looking for SSH logins. The fact that -a few logins happened to come from Tor is likely a small blip on your -overall login attempt rate. You might also consider a rate limiting -solution: -https://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/ - -If it is in fact a serious problem specific to Tor, the Tor project -provides an automated DNSRBL for you to query to block login attempts -coming from Tor nodes: https://www.torproject.org/projects/tordnsel.html.en - -It is also possible to download a list of all Tor exit IPs that will -connect to your SSH port: -https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP&port=22 - -You can use this list to create iptables rules to block the network. -However, we still recommend using the general approach, as the attack -will likely simply reappear from an open proxy or other IP once Tor -is blocked. +If you are concerned about SSH scans, you might consider running your SSHD on a port other than the default of 22. +Many worms, scanners, and botnets scan the entire Internet looking for SSH logins. +The fact that a few logins happened to come from Tor is likely a small blip on your overall login attempt rate. +You might also consider a rate limiting solution: https://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/ + +If it is in fact a serious problem specific to Tor, the Tor project provides an automated DNSRBL for you to query to block login attempts coming from Tor nodes: https://www.torproject.org/projects/tordnsel.html.en + +It is also possible to download a list of all Tor exit IPs that will connect to your SSH port: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP&port=22 + +You can use this list to create iptables rules to block the network. +However, we still recommend using the general approach, as the attack will likely simply reappear from an open proxy or other IP once Tor is blocked. ``` -## Hacked Gmail, Web Forum, or Misc Account Access +## Hacked Gmail, Web Forum, or Misc Account Access ``` -With respect to your account, given that the attacker used Tor -and not a large botnet (or your machine's IP itself), it is likely -that your password was either harvested off of your machine from a -keylogger, or it was captured via a kiosk, or from open wireless. - -Our recommendation is to treat this event as though there was a login -from an open wireless access point in your city. Reset your password, -and if you don't have antivirus already, download the free AVG: -http://free.avg.com/us-en/download, Spybot SD: -http://www.safer-networking.org/nl/home/index.html, and/or AdAware: -http://www.lavasoft.com/?domain=lavasoftusa.com. Use these to scan to -check for keyloggers or spyware that someone with access to your -computer may have installed. - -To help protect yourself while using open wireless, consider using this -Firefox plugin: https://www.eff.org/https-everywhere/ and encourage the +With respect to your account, given that the attacker used Tor and not a large botnet (or your machine's IP itself), it is likely that your password was either harvested off of your machine from a keylogger, or it was captured via a kiosk, or from open wireless. + +Our recommendation is to treat this event as though there was a login from an open wireless access point in your city. Reset your password, and if you don't have antivirus already, download the free AVG: http://free.avg.com/us-en/download, Spybot SD: http://www.safer-networking.org/nl/home/index.html, and/or AdAware: http://www.lavasoft.com/?domain=lavasoftusa.com. +Use these to scan to check for keyloggers or spyware that someone with access to your computer may have installed. + +To help protect yourself while using open wireless, consider using this Firefox plugin: https://www.eff.org/https-everywhere/ and encourage the site maintainer to support HTTPS logins. ``` ## Hacking (PHP Webshells, XSS, SQL Injection) ``` -This also does not mean that there is nothing that can be done. For -serious incidents, traditional police work techniques of running -stings and investigating to determine means, motive, and opportunity -are still very effective. - -Additionally, the Tor project provides an automated DNSRBL for you to -query to flag visitors coming from Tor nodes as requiring special -treatment: https://www.torproject.org/projects/tordnsel.html.en. The same list is -available through the Tor Bulk Exit List: -https://check.torproject.org/cgi-bin/TorBulkExitList.py - -However, rather than banning legitimate Tor users from using your -service in general, we recommend ensuring that such services are updated -and maintained to free of vulnerabilities that can lead to -situations such as this (PHP webshell/XSS compromise/SQL Injection -compromise). +This also does not mean that there is nothing that can be done. +For serious incidents, traditional police work techniques of running stings and investigating to determine means, motive, and opportunity are still very effective. + +Additionally, the Tor project provides an automated DNSRBL for you to query to flag visitors coming from Tor nodes as requiring special treatment: https://www.torproject.org/projects/tordnsel.html.en. +The same list is available through the Tor Bulk Exit List: https://check.torproject.org/cgi-bin/TorBulkExitList.py + +However, rather than banning legitimate Tor users from using your service in general, we recommend ensuring that such services are updated and maintained to free of vulnerabilities that can lead to situations such as this (PHP webshell/XSS compromise/SQL Injection compromise). ``` -## E-Commerce Fraud +## E-Commerce Fraud ``` -This also does not mean that there is nothing that can be done. For -serious incidents, traditional police work techniques of running -stings and investigating to determine means, motive, and opportunity -are still very effective. +This also does not mean that there is nothing that can be done. +For serious incidents, traditional police work techniques of running stings and investigating to determine means, motive, and opportunity are still very effective. -Additionally, the Tor project provides an automated DNSRBL for you to -query to flag orders coming from Tor nodes as requiring special -review: https://www.torproject.org/projects/tordnsel.html.en +Additionally, the Tor project provides an automated DNSRBL for you to query to flag orders coming from Tor nodes as requiring special review: https://www.torproject.org/projects/tordnsel.html.en -It also provides a Bulk Exit List service for retrieving the entire list: -https://check.torproject.org/cgi-bin/TorBulkExitList.py +It also provides a Bulk Exit List service for retrieving the entire list: https://check.torproject.org/cgi-bin/TorBulkExitList.py -You can use this list to help you take a closer look at Tor orders, or -to hold them temporarily for additional verification, without losing +You can use this list to help you take a closer look at Tor orders, or to hold them temporarily for additional verification, without losing legitimate customers. -In fact, in my experience, the fraud processing teams contracted by -many ISPs simply mark all requests from Tor nodes as fraud using that -very list. So it is even possible this is a legitimate order, but was -flagged as fraud solely based on IP, especially if you contract out -fraud detection to a third party. +In fact, in my experience, the fraud processing teams contracted by many ISPs simply mark all requests from Tor nodes as fraud using that +very list. +So it is even possible this is a legitimate order, but was flagged as fraud solely based on IP, especially if you contract out fraud detection to a third party. ``` ## Threats of Violence (Advice for Real-Time Discussion) @@ -266,11 +188,11 @@ fraud detection to a third party. If a serious abuse complaint not covered by this template set arrives, the best answer is to follow a pattern with the complaining party. This is not legal advice. This was not written or reviewed by a lawyer. It was written by someone with experience in working with various ISPs who had issues with a Tor exit node on their network. It has also been reviewed by someone who works in Abuse at a major ISP. * Read the [Tor Overview](https://2019.www.torproject.org/about/overview.html.en). Be prepared to summarize and answer basic questions. Assume the person with which you're going to converse knows nothing about Tor. Assume this same person isn't going to trust anything you say. - * In serious cases, such as harassment email or death threats, it is often helpful to draw an analogy to situations in the physical world where an action is perpetrated by an anonymous individual (such as delivering the notice via postal mail). + * In serious cases, such as harassment email or death threats, it is often helpful to draw an analogy to situations in the physical world where an action is perpetrated by an anonymous individual (such as delivering the notice via postal mail). * Remind them that traditional policework can still be used to determine who had the means, motive, and opportunity to commit the crime. - * Arrange to talk with or directly email the complaintant. + * Arrange to talk with or directly email the complaintant. * During the conversation make sure you explain a few points: - * You are not the perpetrator of the issue. + * You are not the perpetrator of the issue. * You are a responsible server operator and concerned about the complaintant's problem. * You are not insane. You may be insane, but we don't want the complaintant to guess this is true. * In many cases, your ISP will be involved as a conduit for the 3rd party complaintant. Your ISP wants to know: diff --git a/content/relay-operations/community-resources/tor-exit-guidelines/contents.lr b/content/relay-operations/community-resources/tor-exit-guidelines/contents.lr index a7f098e..64e60d3 100644 --- a/content/relay-operations/community-resources/tor-exit-guidelines/contents.lr +++ b/content/relay-operations/community-resources/tor-exit-guidelines/contents.lr @@ -6,21 +6,29 @@ body: These guidelines are meant to give you a quick introduction into the business of running your own exit relay. -NOTE: This FAQ is for informational purposes only and does not constitute legal advice. Our aim is to provide a general description of the legal issues surrounding Tor exit relaying. Different factual situations and different legal jurisdictions will result in different answers to a number of questions. Therefore, please do not act on this information alone; if you have any specific legal problems, issues, or questions, seek a complete review of your situation with a lawyer licensed to practice in your jurisdiction. +NOTE: +This FAQ is for informational purposes only and does not constitute legal advice. +Our aim is to provide a general description of the legal issues surrounding Tor exit relaying. Different factual situations and different legal jurisdictions will result in different answers to a number of questions. +Therefore, please do not act on this information alone; if you have any specific legal problems, issues, or questions, seek a complete review of your situation with a lawyer licensed to practice in your jurisdiction. ## Hosting ### Tor at Universities: Find allies. -Find some professors (or deans!) who like the idea of supporting and/or researching anonymity on the Internet. If possible, use an extra IP range whose abuse contact doesn't go through the main university abuse team. Ideally, use addresses that are not trusted by the IP-based authentication many library-related services use -- if the university's entire IP address space is "trusted" to access these library resources, the university is forced to maintain an iron grip on all its addresses. Also read [How do I make my University / ISP / etc happy with my exit node?](tor-relay-universities) +Find some professors (or deans!) who like the idea of supporting and/or researching anonymity on the Internet. +If possible, use an extra IP range whose abuse contact doesn't go through the main university abuse team. Ideally, use addresses that are not trusted by the IP-based authentication many library-related services use -- if the university's entire IP address space is "trusted" to access these library resources, the university is forced to maintain an iron grip on all its addresses. +Also read [How do I make my University / ISP / etc happy with my exit node?](tor-relay-universities) ### Find Tor-friendly ISPs. -A good ISP is one that offers cheap bandwidth and is not being used by other members of the Tor community. Before you continue, you may ask the Tor community if your choice is a good one. We very much need diversity, and it does not help if we pool too many exits at one friendly ISP. +A good ISP is one that offers cheap bandwidth and is not being used by other members of the Tor community. +Before you continue, you may ask the Tor community if your choice is a good one. +We very much need diversity, and it does not help if we pool too many exits at one friendly ISP. In any case, add the ISP to the [GoodBadISPs](good-bad-isps) page. -To find an ISP, go through forums and sites where ISPs posts their latest deals, and contact them about Tor hosting. Once you identified your ISP, you can follow the two-step advice of TorServers.net. +To find an ISP, go through forums and sites where ISPs posts their latest deals, and contact them about Tor hosting. +Once you identified your ISP, you can follow the two-step advice of TorServers.net. 1. Ask if the ISP is okay with a Tor exit @@ -28,7 +36,6 @@ To find an ISP, go through forums and sites where ISPs posts their latest deals, The two-step process usually helps in elevating your request to higher levels of support staff without scaring them off too early, even if you don't end up with your own IP range. Here is template you can use: [Inquiry](https://www.torservers.net/wiki/hoster/inquiry) - ## Legal ### Make sure you know the relevant legal paragraphs for common-carrier like communication services in your country (and the country of your hosting provider!). @@ -54,7 +61,9 @@ Depending on the chosen form, setting up a legal body might help with liability, ### Consider preemptively teaching your local law enforcement about Tor. -"Cybercrime" people actually love it when you offer to [teach them about Tor and the Internet](https://blog.torproject.org/blog/talking-german-police-stuttgart) -- they're typically overwhelmed by their jobs and don't have enough background to know where to start. Contacting them gives you a chance to teach them why Tor is useful to the world (and why it's [not particularly helpful to criminals](https://2019.www.torproject.org/docs/faq-abuse#WhatAboutCriminal…. Also, if they do get a report about your relay, they'll think of you as a helpful expert rather than a potential criminal. +"Cybercrime" people actually love it when you offer to [teach them about Tor and the Internet](https://blog.torproject.org/blog/talking-german-police-stuttgart) -- they're typically overwhelmed by their jobs and don't have enough background to know where to start. +Contacting them gives you a chance to teach them why Tor is useful to the world (and why it's [not particularly helpful to criminals](https://2019.www.torproject.org/docs/faq-abuse#WhatAboutCriminal…. +Also, if they do get a report about your relay, they'll think of you as a helpful expert rather than a potential criminal. ## Handling abuse complaints @@ -70,7 +79,9 @@ In addition to the [templates at Torservers.net](https://www.torservers.net/wiki ### If you receive a threatening letter from a lawyer about abusive use or a DMCA complaint, also don't freak out. -We are not aware of any case that made it near a court, and we will do everything in our power to support you if it does. You can look up if an IP address was listed as an exit relay at a given time at [ExoneraTor](https://exonerator.torproject.org/). Point to that page in your reply to the complaint. If you feel it might be helpful, we can write you a signed letter confirming this information: Contact us at tor-assistants(a)torproject.org if you need one. +We are not aware of any case that made it near a court, and we will do everything in our power to support you if it does. +You can look up if an IP address was listed as an exit relay at a given time at [ExoneraTor](https://exonerator.torproject.org/). Point to that website in your reply to the complaint. +If you feel it might be helpful, we can write you a signed letter confirming this information: Contact us at tor-assistants(a)torproject.org if you need one. In your reply, state clearly that you are not liable for forwarded content passing through your machine, and include the relevant legal references for your country. @@ -78,7 +89,10 @@ In your reply, state clearly that you are not liable for forwarded content passi ### Make the WHOIS info point as close to you as possible. -One of the biggest reasons exit relays disappear is because the people answering the abuse address get nervous and ask you to stop. If you can get your own IP block, great. Even if not, many providers will still reassign subblocks to you if you ask. ARIN uses [SWIP](https://www.arin.net/resources/request/reassignments.html), and RIPE uses something similar. You can also add comments to your range, hinting at your usage as anonymization service ([Example](https://apps.db.ripe.net/search/query.html?searchtext=ZWIEBELFREUN…) If you have questions about the process, please write an email to support(a)torservers.net and we will try to explain the process to you. +One of the biggest reasons exit relays disappear is because the people answering the abuse address get nervous and ask you to stop. +If you can get your own IP block, great. Even if not, many providers will still reassign subblocks to you if you ask. +ARIN uses [SWIP](https://www.arin.net/resources/request/reassignments.html), and RIPE uses something similar. You can also add comments to your range, hinting at your usage as anonymization service ([Example](https://apps.db.ripe.net/search/query.html?searchtext=ZWIEBELFREUN…) +If you have questions about the process, please write an email to support(a)torservers.net and we will try to explain the process to you. ### Register a phone number and a fax number as abuse contact. @@ -86,7 +100,8 @@ At least law enforcement in Germany regularly uses the fax and phone numbers pre ### Consider using the Reduced Exit Policy. -The [Reduced Exit Policy](FIXME) is an alternative to the default exit policy. It allows many Internet services while still blocking the majority of TCP ports. This drastically reduces the odds that a Bittorrent user will select your node and thus reduces or even eliminates the number of [DMCA complaints](https://2019.www.torproject.org/eff/tor-dmca-response) you will receive. +The [Reduced Exit Policy](FIXME) is an alternative to the default exit policy. It allows many Internet services while still blocking the majority of TCP ports. +This drastically reduces the odds that a Bittorrent user will select your node and thus reduces or even eliminates the number of [DMCA complaints](https://2019.www.torproject.org/eff/tor-dmca-response) you will receive. If you have your own experience of abuse handling, just share it on our public mailing list or write us an email to tor-assistants(a)torproject.org. @@ -104,7 +119,8 @@ A disclaimer helps giving people the right idea about what is behind traffic com * Disk encryption might be useful to protect your node keys, but on the other hand unencrypted machines are easier to "audit" if required. We feel it's best to be able to easily show that you do Tor exiting, and nothing else (on that IP or server). -* Set reverse DNS to something that signals its use, e.g. 'anonymous-relay', 'proxy', 'tor-proxy'. so when other people see the address in their web logs, they will more quickly understand what's going on. If you do, and if SMTP is allowed in your exit policy, consider configuring [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) on your domain: this will protect you from users using your exit node to forge e-mails which look like they come from you. +* Set reverse DNS to something that signals its use, e.g. 'anonymous-relay', 'proxy', 'tor-proxy'. so when other people see the address in their web logs, they will more quickly understand what's going on. +If you do, and if SMTP is allowed in your exit policy, consider configuring [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) on your domain: this will protect you from users using your exit node to forge e-mails which look like they come from you. --- html: two-columns-page.html ---

1 0

[community/staging] Merge because master was updated
by pili＠torproject.org 02 Aug '19

02 Aug '19

commit 9f4b5a58a61ffb30770714c54723703933f31351 Merge: d48c8c0 1f3016e Author: emma peel <emma.peel(a)riseup.net> Date: Wed Jul 24 14:24:55 2019 +0200 Merge because master was updated .../community-resources/good-bad-isps/contents.lr | 257 ++++++++++----------- 1 file changed, 122 insertions(+), 135 deletions(-)

1 0

[tor-browser-build/master] Bug 30701: Adding node project
by boklm＠torproject.org 02 Aug '19

02 Aug '19

commit 2a34a082c587eb21e5880406a5fd6ac8c8425234 Author: Georg Koppen <gk(a)torproject.org> Date: Fri May 31 16:50:24 2019 +0000 Bug 30701: Adding node project --- projects/node/build | 24 ++++++++++++++++++++++++ projects/node/config | 17 +++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/projects/node/build b/projects/node/build new file mode 100644 index 0000000..0e6ca04 --- /dev/null +++ b/projects/node/build @@ -0,0 +1,24 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +[% IF c("var/linux") %] + # We need a link to our GCC, otherwise the system cc gets used which points to + # /usr/bin/gcc. + [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'), + hardened_gcc => 0 }) %] + ln -s gcc /var/tmp/dist/gcc/bin/cc + tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %] + export PATH="/var/tmp/dist/binutils/bin:$PATH" +[% END -%] +distdir=/var/tmp/dist/[% project %] +tar -xf [% project %]-[% c('version') %].tar.xz +cd [% project %]-[% c('version') %] + +./configure --prefix=$distdir +make -j[% c("buildconf/num_procs") %] +make install + +cd /var/tmp/dist +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] diff --git a/projects/node/config b/projects/node/config new file mode 100644 index 0000000..e023380 --- /dev/null +++ b/projects/node/config @@ -0,0 +1,17 @@ +# vim: filetype=yaml sw=2 +version: v10.16.0 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +var: + container: + use_container: 1 + +input_files: + - project: container-image + - project: binutils + name: binutils + enable: '[% c("var/linux") %]' + - project: '[% c("var/compiler") %]' + name: '[% c("var/compiler") %]' + enable: '[% c("var/linux") %]' + - URL: 'https://nodejs.org/download/release/[% c("version") %]/node-[% c("version") %].tar.xz' + sha256sum: 18e37f891d10ea7fbc8f6410c444c2b1d9cc3cbbb1d35aa9c41f761816956608

1 0

[tor-browser-build/master] Bug 30734: Add nasm project
by boklm＠torproject.org 02 Aug '19

02 Aug '19

commit 460d5ef80d2bb7ebf808574d21ec7fe43dd9dd01 Author: Georg Koppen <gk(a)torproject.org> Date: Sun Jun 2 20:33:22 2019 +0000 Bug 30734: Add nasm project --- projects/nasm/build | 24 ++++++++++++++++++++++++ projects/nasm/config | 17 +++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/projects/nasm/build b/projects/nasm/build new file mode 100644 index 0000000..0e6ca04 --- /dev/null +++ b/projects/nasm/build @@ -0,0 +1,24 @@ +#!/bin/bash +[% c("var/set_default_env") -%] +[% IF c("var/linux") %] + # We need a link to our GCC, otherwise the system cc gets used which points to + # /usr/bin/gcc. + [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'), + hardened_gcc => 0 }) %] + ln -s gcc /var/tmp/dist/gcc/bin/cc + tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %] + export PATH="/var/tmp/dist/binutils/bin:$PATH" +[% END -%] +distdir=/var/tmp/dist/[% project %] +tar -xf [% project %]-[% c('version') %].tar.xz +cd [% project %]-[% c('version') %] + +./configure --prefix=$distdir +make -j[% c("buildconf/num_procs") %] +make install + +cd /var/tmp/dist +[% c('tar', { + tar_src => [ project ], + tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'), + }) %] diff --git a/projects/nasm/config b/projects/nasm/config new file mode 100644 index 0000000..ff82004 --- /dev/null +++ b/projects/nasm/config @@ -0,0 +1,17 @@ +# vim: filetype=yaml sw=2 +version: 2.14.02 +filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' +var: + container: + use_container: 1 + +input_files: + - project: container-image + - project: binutils + name: binutils + enable: '[% c("var/linux") %]' + - project: '[% c("var/compiler") %]' + name: '[% c("var/compiler") %]' + enable: '[% c("var/linux") %]' + - URL: 'https://www.nasm.us/pub/nasm/releasebuilds/[% c("version") %]/nasm-[% c("version") %].tar.xz' + sha256sum: e24ade3e928f7253aa8c14aa44726d1edf3f98643f87c9d72ec1df44b26be8f5

1 0

[chutney/master] Add the ability to mark a value as derived at runtime.
by teor＠torproject.org 01 Aug '19

01 Aug '19

commit fa0bc73beec21da3ed559f38ce9d09d3896adb70 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 14 14:35:28 2019 -0400 Add the ability to mark a value as derived at runtime. Some jobs, like parsing the obs4_bridgeline file, don't belong in Chutney. Fortunately, our template-and-environment system makes those easy to override. --- lib/chutney/TorNet.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/chutney/TorNet.py b/lib/chutney/TorNet.py index 1e7b1e4..2640e0c 100644 --- a/lib/chutney/TorNet.py +++ b/lib/chutney/TorNet.py @@ -278,6 +278,13 @@ class Node(object): def specialize(self, **kwargs): return Node(parent=self, **kwargs) + def set_runtime(self, key, fn): + """Specify a runtime function that gets invoked to find the + runtime value of a key. It should take a single argument, which + will be an environment. + """ + setattr(self._env, "_get_"+key, fn) + ###### # Chutney uses these:

1 0

[chutney/master] Allow nodes to be configured and launched by phase.
by teor＠torproject.org 01 Aug '19

01 Aug '19

commit f9a9d9614cd09466e490a71c5e1f3f5b44a9375c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 14 14:01:27 2019 -0400 Allow nodes to be configured and launched by phase. We're going to need this for obfs4, for which we cannot initialize the client until the bridge has been running long enough to generate its keys. --- lib/chutney/TorNet.py | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/lib/chutney/TorNet.py b/lib/chutney/TorNet.py index e2fc613..1e7b1e4 100644 --- a/lib/chutney/TorNet.py +++ b/lib/chutney/TorNet.py @@ -922,6 +922,15 @@ DEFAULTS = { 'dns_conf': (os.environ.get('CHUTNEY_DNS_CONF', '/etc/resolv.conf') if 'CHUTNEY_DNS_CONF' in os.environ else None), + + # The phase at which this instance needs to be + # configured/launched, if we're doing multiphase + # configuration/launch. + 'config_phase' : 1, + 'launch_phase' : 1, + + 'CUR_CONFIG_PHASE': getenv_int('CHUTNEY_CONFIG_PHASE', 1), + 'CUR_LAUNCH_PHASE': getenv_int('CHUTNEY_LAUNCH_PHASE', 1), } @@ -1148,17 +1157,21 @@ class Network(object): n.getBuilder().checkConfig(self) def configure(self): - self.create_new_nodes_dir() + phase = self._dfltEnv['CUR_CONFIG_PHASE'] + if phase == 1: + self.create_new_nodes_dir() network = self altauthlines = [] bridgelines = [] - builders = [n.getBuilder() for n in self._nodes] + all_builders = [ n.getBuilder() for n in self._nodes ] + builders = [ b for b in all_builders + if b._env['config_phase'] == phase ] self._checkConfig() # XXX don't change node names or types or count if anything is # XXX running! - for b in builders: + for b in all_builders: b.preConfig(network) altauthlines.append(b._getAltAuthLines( self._dfltEnv['hasbridgeauth'])) @@ -1188,7 +1201,9 @@ class Network(object): # format polling correctly - avoid printing a newline sys.stdout.write("Starting nodes") sys.stdout.flush() - rv = all([n.getController().start() for n in self._nodes]) + rv = all([n.getController().start() for n in self._nodes + if n._env['launch_phase'] == + self._dfltEnv['CUR_LAUNCH_PHASE']]) # now print a newline unconditionally - this stops poll()ing # output from being squashed together, at the cost of a blank # line in wait()ing output

1 0

[chutney/master] Add a new templating feature to find files in PATH
by teor＠torproject.org 01 Aug '19

01 Aug '19

commit edc3cac54b37ae4620334736fbca91d2689b8d87 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 14 13:00:49 2019 -0400 Add a new templating feature to find files in PATH We'll use this to specify the location of a pluggable transport. --- lib/chutney/Templating.py | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/lib/chutney/Templating.py b/lib/chutney/Templating.py index 1e97cbe..6560e25 100755 --- a/lib/chutney/Templating.py +++ b/lib/chutney/Templating.py @@ -230,7 +230,6 @@ class Environ(_DictWrapper): s.update(name[5:] for name in dir(self) if name.startswith("_get_")) return s - class IncluderDict(_DictWrapper): """Helper to implement ${include:} template substitution. Acts as a @@ -279,6 +278,33 @@ class IncluderDict(_DictWrapper): def getUpdateTime(self): return self._st_mtime +class PathDict(_DictWrapper): + """ + Implements ${path:} patterns, which map ${path:foo} to the location + of 'foo' in the PATH environment variable. + """ + def __init__(self, parent, path=None): + _DictWrapper.__init__(self, parent) + if path is None: + path = os.getenv('PATH').split(":") + self._path = path + + def _getitem(self, key, my): + if not key.startswith("path:"): + raise KeyError(key) + + key = key[len("path:"):] + + for location in self._path: + p = os.path.join(location, key) + try: + s = os.stat(p) + if s and s.st_mode & 0x111: + return p + except OSError: + pass + + raise KeyError(key) class _BetterTemplate(string.Template): @@ -355,6 +381,7 @@ class Template(object): values in the mapping 'values'. """ values = IncluderDict(values, self._includePath) + values = PathDict(values) orig_val = self._pat nIterations = 0 while True:

1 0

[chutney/master] Initial templates and network configurations for obfs4proxy.
by teor＠torproject.org 01 Aug '19

01 Aug '19

commit bbbbd9d928ba2defb6ca7363e684ed76897aa72c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 14 13:10:04 2019 -0400 Initial templates and network configurations for obfs4proxy. The eagle-eyed reader will notice that this is using obfs2, not obfs4. We're doing that because obfs4 requires the client to have additional information that chutney doesn't (yet) have a channel to deliver. --- networks/bridges-obfs2 | 15 +++++++++++++++ torrc_templates/bridge-obfs2.tmpl | 6 ++++++ torrc_templates/bridgeclient-obfs2.tmpl | 3 +++ 3 files changed, 24 insertions(+) diff --git a/networks/bridges-obfs2 b/networks/bridges-obfs2 new file mode 100644 index 0000000..035be09 --- /dev/null +++ b/networks/bridges-obfs2 @@ -0,0 +1,15 @@ +# By default, Authorities are not configured as exits +Authority = Node(tag="a", authority=1, relay=1, torrc="authority.tmpl") +ExitRelay = Node(tag="r", relay=1, exit=1, torrc="relay.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") + +BridgeAuthority = Node(tag="ba", authority=1, bridgeauthority=1, + relay=1, torrc="bridgeauthority.tmpl") +Bridge = Node(tag="br", bridge=1, pt_bridge=1, relay=1, pt_transport="obfs2", + torrc="bridge-obfs2.tmpl") +BridgeClient = Node(tag="bc", client=1, bridgeclient=1, torrc="bridgeclient-obfs2.tmpl") + +NODES = Authority.getN(3) + BridgeAuthority.getN(1) + ExitRelay.getN(4) + \ + Bridge.getN(1) + Client.getN(1) + BridgeClient.getN(1) + +ConfigureNodes(NODES) diff --git a/torrc_templates/bridge-obfs2.tmpl b/torrc_templates/bridge-obfs2.tmpl new file mode 100644 index 0000000..80baf2c --- /dev/null +++ b/torrc_templates/bridge-obfs2.tmpl @@ -0,0 +1,6 @@ +${include:bridge.tmpl} + +ServerTransportPlugin obfs2 exec ${path:obfs4proxy} +ExtOrPort $extorport +ServerTransportListenAddr obfs2 ${ip}:${ptport} + diff --git a/torrc_templates/bridgeclient-obfs2.tmpl b/torrc_templates/bridgeclient-obfs2.tmpl new file mode 100644 index 0000000..37513bb --- /dev/null +++ b/torrc_templates/bridgeclient-obfs2.tmpl @@ -0,0 +1,3 @@ +${include:bridgeclient.tmpl} + +ClientTransportPlugin obfs2 exec ${path:obfs4proxy}

1 0

[chutney/master] Add some initial support for pluggable transports in TorNet
by teor＠torproject.org 01 Aug '19

01 Aug '19

commit ffd612b1f565a67e3a3bd2a43d41c015d560b74e Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 14 13:01:51 2019 -0400 Add some initial support for pluggable transports in TorNet We can now configure extorports and pt ports, and we can make a sort-of-plausible bridge line. We will need more work to get an actually correct bridge line, since 1) we need to copy the 'cert' field out of the obfs state directory, and 2) we will need to start the bridge before we can configure the client, which is not how we usually do things. --- lib/chutney/TorNet.py | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/lib/chutney/TorNet.py b/lib/chutney/TorNet.py index 16f4345..e2fc613 100644 --- a/lib/chutney/TorNet.py +++ b/lib/chutney/TorNet.py @@ -633,11 +633,20 @@ class LocalNodeBuilder(NodeBuilder): if not self._env['bridge']: return "" - bridgelines = "Bridge %s:%s\n" % (self._env['ip'], - self._env['orport']) + if self._env['pt_bridge']: + port = self._env['ptport'] + transport = self._env['pt_transport'] + else: + port = self._env['orport'] + transport = "" + + bridgelines = "Bridge %s %s:%s\n" % (transport, + self._env['ip'], + port) if self._env['ipv6_addr'] is not None: - bridgelines += "Bridge %s:%s\n" % (self._env['ipv6_addr'], - self._env['orport']) + bridgelines += "Bridge %s %s:%s\n" % (transport, + self._env['ipv6_addr'], + port) return bridgelines @@ -861,6 +870,8 @@ DEFAULTS = { 'hasbridgeauth': False, 'relay': False, 'bridge': False, + 'pt_bridge': False, + 'pt_transport' : "", 'hs': False, 'hs_directory': 'hidden_service', 'hs-hostname': None, @@ -879,6 +890,8 @@ DEFAULTS = { 'dirport_base': 7000, 'controlport_base': 8000, 'socksport_base': 9000, + 'extorport_base' : 9500, + 'ptport_base' : 9900, 'authorities': "AlternateDirAuthority bleargh bad torrc file!", 'bridges': "Bridge bleargh bad torrc file!", 'core': True, @@ -968,6 +981,12 @@ class TorEnviron(chutney.Templating.Environ): def _get_dirport(self, my): return my['dirport_base'] + my['nodenum'] + def _get_extorport(self, my): + return my['extorport_base'] + my['nodenum'] + + def _get_ptport(self, my): + return my['ptport_base'] + my['nodenum'] + def _get_dir(self, my): return os.path.abspath(os.path.join(my['net_base_dir'], "nodes",

1 0