- tor-relays - lists.torproject.org

too many circuit creation requests
by trshck_tor＠riseup.net 24 Oct '15

24 Oct '15

Hi all, I set up a new tor relay named trshck using a raspberry pi a few days ago. All was going fine until early today, when a lot of warning have started appearing in the log file: "[warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy." I've looked up this message and found some comments but nothing clear about how to solve the issue. I think this can be related with the recent acquisition of the HSDir flag. The relay is not configured to be an exit node. The number of open circuits has greatly increase in the last few hours: "Circuit handshake stats since last time: 4860/4984 TAP, 228464/229242 NTor." MaxAdvertisedBandwidth is not set, only: "RelayBandwidthRate 200 KB RelayBandwidthBurst 300 KB" What do you advice me to do? Regards, Joan Terrassa Hacklab

3 2

ntpd problems explanation
by I 23 Oct '15

23 Oct '15

2 2

Re: [tor-relays] Tor node break-in attempts
by starlight.2015q3＠binnacle.cx 23 Oct '15

23 Oct '15

> > Attack counts are in the 100,000s. > This sort of thing posses no threat and is quite stupid as previously observed. Is mainly annoying for the mess it makes of /var/log/security. If you don't want to change the SSH port (best solution IMO), here's an 'iptables' rule that will fix it (adjust/rearrange as needed/desired). These lines assume they will go in /etc/sysconfig/iptables. You can run them manually by prefixing with the 'ipbables' command. I wrote this without looking at the default 'iptables' file for any distro and if you are using one, revise accordingly or rename the original and start from scratch. -N input_eth0 -A INPUT -i eth0 -j input_eth0 -A input_eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACK -j DROP -A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --set --name SSH_ATTACK -j ACCEPT ========== Because we all make mistakes, you should *TEST* the rule by KEEPING A LIVE CONNECTION active and logging in a second time or you may lock yourself out of your server. Use iptables -nvL to display the counters and look for the lock-out effect after 'hitcount' attempts. Also look in cat /proc/net/xt_recent/SSH_ATTACK for the login tries and lock-out. You can clear an IP with echo "-x.x.x.x" >>/proc/net/xt_recent/SSH_ATTACK ========== If you want a bigger hash table and more history than the default, you can create /etc/modprobe.d/xt_recent.conf and put something like options xt_recent ip_list_tot=16384 ip_pkt_list_tot=255 in it. ========== Some documentation at http://linux.die.net/man/8/iptables

1 0

Tor node break-in attempts
by Larry Brandt 22 Oct '15

22 Oct '15

Hello, I need some advise on a situation new to me. I operate a VPS exit node in Romania, a VPS guard node in the Czech Republic, a middle node and bridge in the US. All are SSH public key authentication protocol 2. Over the last 5 weeks all of these servers have been under attack by IPs in the range 43.229.52.00 to 43.229.55.255. Maybe 24 different IP addresses. I have contacted the operator in Hong Kong on four different occasions but I've received no relief from the attempted attacks nor have they communicated back to me--as I have requested. Attack counts are in the 100,000s. I have no personal information stored on any of these servers--only public info via Tor is available. And then, how the hell did they get the address of my bridge? I see break-in attempts all the time but never at this volume. The break-in attempts have been thwarted to date and will probably remain so. But I find the situation disconcerting and irritating. Should I ignore these efforts? Should I send abuse reports to someone? Who? Any sage advice out there? Did I give away any secure info just now? lol LB

3 2

Re: [tor-relays] Optimizing TOR Relay
by Volker Mink 22 Oct '15

22 Oct '15

Here we go. Thats the input i needed. Regarding to >> https://atlas.torproject.org/#details/E20FF09A9A800B16C1C7C16E8C0DF95F46F64… my advertised Bandwith is 681.33 KB/s , which is little more than 5MBps. So its kinda "maxed out" . > On 22 Oct 2015, at 01:42, 12xBTM <12xbtm(a)gmail.com> wrote: > > Here's your problem: > >> On 21.10.15 8:20, Volker Mink wrote: >> Upstream 5 MBps Tor bandwidth usage is more or less symmetric upstream / downstream. So you'll only ever get 5Mbps or less of tor traffic out of this connection. Tim

1 0

Re: [tor-relays] Optimizing TOR Relay
by Volker Mink 21 Oct '15

21 Oct '15

Its a Pi1, model B with 512MB RAM. RelayBandwidthRate 10000 KB # Throttle traffic to 1000KB/s (800Kbps) RelayBandwidthBurst 20000 KB # But allow bursts up to 2000KB/s (1600Kbps) MaxAdvertisedBandwidth 10000 KB (anything to change here?) I have a 60MBit Internet Connection at home with a static IP-Adress. Downstream about 65MBps, Upstream 5 MBps. Message: 1 Date: Tue, 20 Oct 2015 20:10:44 -0400 From: 12xBTM <12xbtm(a)gmail.com> To: tor-relays(a)lists.torproject.org Subject: Re: [tor-relays] Optimizing TOR Relay Message-ID: <5626D804.7070306(a)gmail.com> Content-Type: text/plain; charset=windows-1252 If this is a raspberry pi 2, set in Torrc: "NumCPUs 4" What is your advertised bandwidth? I can personally say that a RPi2 has no trouble moving 20Mbps, which would run you a ~50Mbps connection to get that kind of utilization. If you're talking about a RPi1, you don't have enough bandwidth dedicated to get the usage you want. On 20.10.15 8:08, Volker Mink wrote: > -now without HTML- > > Hi Folks. > > Some Stats: > fingerprint: E20FF09A9A800B16C1C7C16E8C0DF95F46F649B0 > cpu: 0.0% tor, 12.3% arm mem: 149 MB (34.4%) pid: 2200 > cpu: 20.0% tor, 10.2% arm mem: 149 MB (34.4%) pid: 2200 > > load average: 0,30, 0,36, 0,33 > %Cpu(s): 18,0 us, 3,1 sy, 0,0 ni, 75,3 id, 0,2 wa, 0,0 hi, 3,5 si, 0,0 st > KiB Mem: 445044 total, 349348 used, 95696 free, 79872 buffers > KiB Swap: 102396 total, 0 used, 102396 free, 119044 cached > > 2200 debian-t 20 0 168m 149m 42m R 23,4 34,5 940:35.09 tor > > This looks like my raspberry is more on idle than serving the TOR network. How can i improve this? > Bandwith limit is more than my internet connection can cover. > > Starting another tor-process? How to manage this? > Editing some Lines in the torrc-file to speed it up? > > Help is appreciated. > Kind regards, > volker > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >

4 3

webiron requesting to block several /24 subnet
by Dhalgren Tor 21 Oct '15

21 Oct '15

>snake oil service like webiron A most excellent characterization! As a sales maneuver WebIron has been grandstanding for months saying that Tor operators are "unwilling to cleanup" when they know full-well that tor operators can not / should not filter traffic due to minor brute- force login attempts. For contrast, Fail2ban in 2012 was modified to silently block login attacks without spamming Tor operators in a reasonable gesture of politeness. SSH brute-force attacks have been a fact-of-life for 20 years. Hardly anyone thinks it worth the effort to spam abuse@ desks over it when a simple rate-limit does the job nicely. WebIron has become so obnoxious that Spamhaus placed their domain on the Domain Block List last Friday http://www.spamhaus.org/query/dbl?domain=webiron.com and in addition, the IP of their reporting system appears on the Spamhaus snow-shoe list and thereby on the big-bazooka Zen DNSBL. http://multirbl.valli.org/lookup/23.239.20.29.html Spamhaus is highly conservative, highly respected and only lists egregious unrepentant abusers. The only reason to comply is in deference to the overworked abuse-desk of your ISP if they do not have an automated system for dealing with this nonsense.

1 0

Optimizing TOR Relay
by Volker Mink 21 Oct '15

21 Oct '15

-now without HTML- Hi Folks. Some Stats: fingerprint: E20FF09A9A800B16C1C7C16E8C0DF95F46F649B0 cpu: 0.0% tor, 12.3% arm mem: 149 MB (34.4%) pid: 2200 cpu: 20.0% tor, 10.2% arm mem: 149 MB (34.4%) pid: 2200 load average: 0,30, 0,36, 0,33 %Cpu(s): 18,0 us, 3,1 sy, 0,0 ni, 75,3 id, 0,2 wa, 0,0 hi, 3,5 si, 0,0 st KiB Mem: 445044 total, 349348 used, 95696 free, 79872 buffers KiB Swap: 102396 total, 0 used, 102396 free, 119044 cached 2200 debian-t 20 0 168m 149m 42m R 23,4 34,5 940:35.09 tor This looks like my raspberry is more on idle than serving the TOR network. How can i improve this? Bandwith limit is more than my internet connection can cover. Starting another tor-process? How to manage this? Editing some Lines in the torrc-file to speed it up? Help is appreciated. Kind regards, volker

3 2

Re: [tor-relays] Exit policy reject fails
by spiros_spiros＠freemail.gr 20 Oct '15

20 Oct '15

Hi Josef, I think you must put any reject entries above the accept because the rules read from top to bottom. Also, I don't know if this make any difference at all, but I also put port in my torrc like this : ExitPolicy reject 195.113.0.0/16:* #comment here S On 19 Oct 2015, at 22:03, Josef Stautner <hello(a)veloc1ty.de> wrote: Hello @all, I have a probleme with an reject rule which seems to fail. Due to an message from WebIron against my exit relay I wanted to block a subnet. My exit policy looks like this: ExitPolicy accept *:53 # DNS ExitPolicy accept *:80 # HTTP ExitPolicy accept *:8080 # HTTP 2 ExitPolicy accept *:443 # HTTPS ExitPolicy reject 5.133.182.0/24 # WebIron report ExitPolicy reject *:* After I added the reject rule I reloaded tor and thought the case is done. But WebIron keeps sending me messages because of "ongoing attacks" against a host in that subnet. Of course I trusted the reject rule and ignored them. After the 6th mail I got suspicious and added an iptables ACCEPT rule in my OUTPUT chain to have a look if there is really a traffic flow. I just received another mail and checked the packet counter: Chain OUTPUT (policy ACCEPT 116M packets, 159G bytes) num pkts bytes target prot opt in out source destination 2 142 8304 ACCEPT all -- * * 31.220.45.6/32 5.133.182.0/24 /* WebIron Block check */ There is traffic flowing from my relay IP 31.220.45.6 to the subnet. Can somebody please hint me what I'm doing wrong? Link to the relay in case you need more information: https://atlas.torproject.org/#details/29E3D95332812F81F67FF31B3B1B842683D1C… Thanks in advance, ~Josef _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

3 2

Optimizing TOR-Relay
by Volker Mink 20 Oct '15

20 Oct '15

1 0