possible or do I have to ask my hosting company for the install on a shared server?
Markus
Like a portable version so ?
Windows, Linux, which operating system are you using ?
On Linux world, I'm usually using Debian and as I know you will need a root access to the server. It will create a debian-tor group, write into the system...
Or if your user is in the "sudo" group, it can be ok.
On windows, I'm not sure if there's a portable version of Tor... portable = no need to install
On 25/05/2016 10:03, Markus Koch wrote:
possible or do I have to ask my hosting company for the install on a shared server?
Markus
_______________________________________________
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Linux, would like to upgrade my accounts at feralhosting.com with tor nodes. It must be possible because there are a lot of TOR nodes on feral. No clue what kind of linux they are using but you are right, I needed root for my other 6 TOR servers and I am just wondering if there is a way around it, if not I just ask them to install it for me :)
Markus
2016-05-25 10:10 GMT+02:00 Petrusko petrusko@riseup.net:
Like a portable version so ?
Windows, Linux, which operating system are you using ?
On Linux world, I'm usually using Debian and as I know you will need a root access to the server. It will create a debian-tor group, write into the system...
Or if your user is in the "sudo" group, it can be ok.
On windows, I'm not sure if there's a portable version of Tor... portable = no need to install
-- Petrusko PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
On 25.05.2016 at 10:16, Markus Koch wrote:
Linux, would like to upgrade my accounts at feralhosting.com with tor nodes. It must be possible because there are a lot of TOR nodes on feral. No clue what kind of linux they are using but you are right, I needed root for my other 6 TOR servers and I am just wondering if there is a way around it, if not I just ask them to install it for me :)
tor does not require root permission to be run properly. I just started it as user on my debian machine. Make sure not to use port numbers below 1025.
Sebastian
Thank you. What about the config filez in /etc/tor/ ... /etc/ should be root only?
On 25 May 2016, at 10:24, Sebastian Niehaus niehaus@web.de wrote:
tor does not require root permission to be run properly. I just started it as user on my debian machine. Make sure not to use port numbers below 1025.
Sebastian
On 25 May 2016, at 05:46, Sebastian Niehaus niehaus@web.de wrote:
On 25.05.2016 at 10:28, Markus Koch wrote:
Thank you. What about the config filez in /etc/tor/ ... /etc/ should be root only?
The user running tor must be able to read them. $DataDir has to be rw
The torrc file can be in a read-only location and is -f on the command-line. The other read-only files all have individual config options that allow you to place them in /etc. The default tor DataDirectory is read-write and in /var.
You can put these all in your user directory if you want, just change the tor startup script and torrc.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
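The layout described above (torrc passed with -f, DataDirectory and the other files kept in the user's own directory, an ORPort above 1024), as an added example that is not part of the original thread. The directory name, nickname and port are assumptions, and the relay is configured as non-exit.

```shell
#!/bin/sh
# Added example: unprivileged, non-exit relay kept entirely in one directory.
# Assumptions: TOR_HOME location, the nickname and the port number.

TOR_HOME="${TOR_HOME:-$HOME/tor-relay}"

# Ports up to 1023 need root to bind; follow the thread's advice and
# accept only ports above 1024.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# On a shared host the relay keys must not be readable by other accounts.
# Succeeds when group and other have no permission bits on PATH.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_torrc ORPORT: create the directory layout and a torrc inside it.
write_torrc() {
    port_ok "$1" || { echo "ORPort '$1' is invalid or needs root" >&2; return 1; }
    old_umask=$(umask)
    umask 077                      # new files and directories: owner only
    mkdir -p "$TOR_HOME/data" && chmod 700 "$TOR_HOME" "$TOR_HOME/data" &&
    cat > "$TOR_HOME/torrc" <<EOF
# Everything tor writes stays under the unprivileged user's directory.
DataDirectory $TOR_HOME/data
PidFile $TOR_HOME/tor.pid
Log notice file $TOR_HOME/notices.log
# Relay only: no local SOCKS listener, no exit traffic.
SocksPort 0
ORPort $1
ExitRelay 0
ExitPolicy reject *:*
Nickname ExampleUnprivRelay
EOF
    status=$?
    umask "$old_umask"
    return "$status"
}

# Refuse to start if the key directory is exposed, then let tor check the
# configuration before running it in the foreground.
start_relay() {
    is_private "$TOR_HOME/data" || { echo "data directory is accessible to others" >&2; return 1; }
    tor --verify-config -f "$TOR_HOME/torrc" && tor -f "$TOR_HOME/torrc"
}

# Usage: write_torrc 9001 && start_relay
```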
Hi Markus,
on your hint I was just checking feralhosting.com. They are quoting:
"We do not allow Tor exit nodes to be run on our servers. They're open invitations for trouble, and while Tor serves a useful purpose our network is not the place for it. Tor relays are fine provided they strictly only act as an intermediary.
We will make an exception to this rule if you bring your own RIPE IPs and handle abuse directly while taking full responsibility. "
Is this your experience as well?
Paul
On 25.05.2016 at 10:16, Markus Koch wrote:
Linux, would like to upgrade my accounts at feralhosting.com with tor nodes. It must be possible because there are a lot of TOR nodes on feral. No clue what kind of linux they are using but you are right, I needed root for my other 6 TOR servers and I am just wondering if there is a way around it, if not I just ask them to install it for me :)
Markus
My experience is: This is the best hosting company I ever had and I am doing this for over 20 years. I will not run an exit node and I am sure I will be fine. Btw, there are already a lot of high traffic non exit nodes running on feral.
Markus
PS: I am not working for feral and I am not a family member or any other connection :)
2016-05-25 12:55 GMT+02:00 pa011 pa011@web.de:
Hi Markus,
on your hint I was just checking feralhosting.com. They are quoting:
"We do not allow Tor exit nodes to be run on our servers. They're open invitations for trouble, and while Tor serves a useful purpose our network is not the place for it. Tor relays are fine provided they strictly only act as an intermediary.
We will make an exception to this rule if you bring your own RIPE IPs and handle abuse directly while taking full responsibility. "
Is this your experience as well?
Paul
So just out of curiosity: if a lot of relays run on hardware of a single hosting company, that hosting company has access to many secret keys, which might be an interesting attack vector for an adversary.
Given that these nodes have a different administrator, MyFamily won't be set.
Does the relay selection algo take this into account in any way?
Greetings!
On 25 May 2016 7:45 p.m., "Markus Koch" niftybunny@googlemail.com wrote:
My experience is: This is the best hosting company I ever had and I am doing this for over 20 years. I will not run an exit node and I am sure I will be fine. Btw, there are already a lot of high traffic non exit nodes running on feral.
Markus
PS: I am not working for feral and I am not a family member or any other connection :)
The hosting staff in every hosting company has physical access to the servers (even dedicated) and if you have physical access to a server think about it as compromised.
I don't really see the difference between shared hosting and my other bare metal servers. As a CCNP I can compromise them both without much hassle with physical access to them.
It's not: Shared hosting = sharing my private keys to the world.
Markus
2016-05-25 21:02 GMT+02:00 Nils Vogels bacardicoke@gmail.com:
So just out of curiosity: if a lot of relays run on hardware of a single hosting company, that hosting company has access to many secret keys, which might be an interesting attack vector for an adversary.
Given that these nodes have a different administrator, MyFamily won't be set.
Does the relay selection algo take this into account in any way?
Greetings!
@Nils
Tor path selection avoids using relays from the same /16 subnet, and I thought it considered the Autonomous System (AS) as well. However now I'm not finding concrete evidence that path selection looks at AS. I found some older academic papers on the subject [1], but nothing in the current specification [2].
Avoiding using two nodes from the same AS would seemingly go a long way toward mitigating the attack vector you mentioned though.
[1] http://freehaven.net/anonbib/cache/DBLP:conf/ccs/EdmanS09.pdf
[2] https://gitweb.torproject.org/torspec.git/plain/path-spec.txt
@Green
Could you please explain a bit more what you mean by "Avoiding using two nodes from the same AS would seemingly go a long way toward mitigating the attack vector you mentioned though."?
Thanks Paul
On 25.05.2016 at 21:22, Green Dream wrote:
@Nils
Tor path selection avoids using relays from the same /16 subnet, and I thought it considered the Autonomous System (AS) as well. However now I'm not finding concrete evidence that path selection looks at AS. I found some older academic papers on the subject [1], but nothing in the current specification [2].
Avoiding using two nodes from the same AS would seemingly go a long way toward mitigating the attack vector you mentioned though.
[1] http://freehaven.net/anonbib/cache/DBLP:conf/ccs/EdmanS09.pdf
[2] https://gitweb.torproject.org/torspec.git/plain/path-spec.txt
@Paul: sure. Nils pointed out that a lot of relays using the same hosting provider could be an attack vector, because the provider would be a single point where all the relays' secret keys could be collected. My point is that if you look at the AS (Autonomous System) Number, it's normally the same for all the hosting provider's servers in that country. So if Tor path selection looks at the AS, and avoids building a circuit that uses two nodes from the same AS, this attack vector basically goes away. It's worth noting if you weren't already aware, both Atlas and Globe display the AS Number for every relay.
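An added example, not part of the original thread: a small audit over a relay list showing which pairs the /16 rule mentioned above would still allow in one circuit although both relays sit in the same AS. Relay names, addresses and AS numbers are constructed, and grouping by AS is the idea under discussion here, not something the thread confirms Tor does.

```shell
#!/bin/sh
# Added example. Constructed sample data: nickname, IPv4 address, AS number
# (documentation address ranges and private-use AS numbers).
sample_relays() {
    cat <<'EOF'
relayA 198.51.100.10 AS64500
relayB 198.51.100.77 AS64500
relayC 203.0.113.5 AS64500
relayD 192.0.2.9 AS64501
EOF
}

# The rule quoted in the thread: two relays in the same /16 are never used
# in one circuit. Succeeds when the first two octets of both addresses match.
same_slash16() {
    [ "${1%.*.*}" = "${2%.*.*}" ]
}

# Reads "name ip asn" lines on stdin and prints every pair that the /16 rule
# alone would still allow together although both relays are in the same AS,
# i.e. the single-provider exposure raised in the thread.
as_gap_pairs() {
    awk '
        {
            name[NR] = $1
            net[NR] = $2
            sub(/\.[0-9]+\.[0-9]+$/, "", net[NR])   # keep the /16 prefix
            asn[NR] = $3
        }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (net[i] != net[j] && asn[i] == asn[j])
                        print name[i], name[j], asn[i]
        }'
}

# Relay count per AS, largest first: a quick view of provider concentration.
relays_per_as() {
    awk '{ count[$3]++ } END { for (a in count) print count[a], a }' | sort -rn
}

sample_relays | as_gap_pairs
sample_relays | relays_per_as
```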
@Green Thank you - couldn’t handle 'attack vector' as a synonym for "method or type of attack" :-)
Additional to that is it clever for a supporter of TOR to run more than one Relay (Exit) with a single ISP or even AS https://en.wikipedia.org/wiki/Autonomous_system_(Internet) or does this build a kind of new attack vector?
On 25.05.2016 at 22:22, Green Dream wrote:
@Paul: sure. Nils pointed out that a lot of relays using the same hosting provider could be an attack vector, because the provider would be a single point where all the relays' secret keys could be collected. My point is that if you look at the AS (Autonomous System) Number, it's normally the same for all the hosting provider's servers in that country. So if Tor path selection looks at the AS, and avoids building a circuit that uses two nodes from the same AS, this attack vector basically goes away. It's worth noting if you weren't already aware, both Atlas and Globe display the AS Number for every relay.
In case it helps, here is a paper describing vulnerability of different classes of Tor user behavior to AS, Internet Exchange Point, and Tor relay or relay family adversaries. http://www.nrl.navy.mil/itd/chacs/biblio/users-get-routed-traffic-correlatio...
Note that doing AS-aware routing so as to improve security is a fairly active area of research. Nonetheless, I think the original point about hosting providers having physical access to hardware with keys from many independently-run relays has not been amongst the considerations. It is countered somewhat by even current Tor's default routing algorithm that prevents choosing relays in the same circuit from the same family but also from the same range of IP addresses. But it hasn't been scrutinized specifically as far as I know.
And here is a paper giving a framework to be able to talk about and use expectations of adversaries at the above places, and on undersea cables, via mutual legal assistance treaties, etc. (Note that this is research. It is some years away from anything like this being deployed in Tor. And trying to design trust policies and routing algorithms for your own Tor traffic is not something even an expert should try at this stage of development.) http://www.nrl.navy.mil/itd/chacs/jaggard-20000-league-under-sea-anonymous-c...
HTH, Paul
On Wed, May 25, 2016 at 10:41:22PM +0200, pa011 wrote:
@Green Thank you - couldn’t handle 'attack vector' as a synonym for "method or type of attack" :-)
Additional to that is it clever for a supporter of TOR to run more than one Relay (Exit) with a single ISP or even AS https://en.wikipedia.org/wiki/Autonomous_system_(Internet) or does this build a kind of new attack vector?
Markus Koch:
possible or do I have to ask my hosting company for the install on a shared server?
I think it would not be recommended on a shared server for reasons ranging from less-private privkeys to a company that sells shared hosting probably won't be letting you run a relay in the first place. But yes, tor should be able to run fine without root.
Nice to know Tor can run without any root account!
Thx all
On 25/05/2016 at 11:41, ncl@cock.li wrote:
I think it would not be recommended on a shared server for reasons ranging from less-private privkeys to a company that sells shared hosting probably won't be letting you run a relay in the first place. But yes, tor should be able to run fine without root.