Any tips for UK Exit Node operators on a Residential ISP (BT)? Running a reduced exit policy, informed various teams at the ISP, running PeerGuardian on the server in question (blocking P2P/kiddyporn/hacking related IPs), have a hostname set up, tor-relay.itschip.com, and am planning to leave the thing running 24/7. So far, it's been live on and off (ironing out issues) for the past few days and it's transferred well in excess of 300GB already. Looks like I'm one of the fastest Exit Nodes in the UK c:
On 2014-07-06 07:06, Michael Banks wrote:
Any tips for UK Exit Node operators on a Residential ISP (BT)?
I would be EXTREMELY careful in running an exit on a residential location.
There is no way for you to prove that it was not you causing that connection but the Tor process causing that connection and thus some 'other' user.
The UK government has all kinds of regulations/systems in place to protect children and to enforce copyright laws. They are also known to index/analyze all traffic.
You might want to consider changing that into a relay instead as then you at least are not reaching out to a "scary" host (unless it also runs Tor).
Also:
150.57.130.86.in-addr.arpa PTR host86-130-57-150.range86-130.btcentralplus.com.
As such, it looks just like any other link, it has no relation to tor-relay.itschip.com at all. Except for folks with access to dnsdb, which law enforcement typically does have, but as DNS is not used in Tor, it is all irrelevant.
Greets, Jeroen
Advice taken. I was debating whether to switch over to relay-only or not. I must note, the Tor node is on its own address, under a residential contract. I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node. I have tor-relay.itschip.com set in torrc.. guess I have to fiddle with more things? Anyone with Debian experience who can help in that field?
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sun, Jul 6, 2014 at 3:14 PM, Michael Banks c@starbs.net wrote:
I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.
If you are using PeerGuardian to filter Tor traffic, that is sub-optimal. The main reason that many people use Tor is precisely that their traffic is filtered, and blocking "malicious IPs". Substituting your judgements for those of their Govt might be an improvement, or not. As Tor has no way of knowing what you will block, traffic via your node will fail, but circuits will continue being created.
On Sun, Jul 6, 2014 at 3:39 PM, Michael Banks c@starbs.net wrote:
The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned addresses and anti-tor addresses
True, and I agree with your definition of malicious.
My concern is that it is not either my place, or yours, to define what is good or bad for the Random User to visit, _IF_ we are offering a Tor relay. Our intentions in using this list, in particular, are not relevant. After all, the Govt of China also claims to be shielding its users from known bad guys.
We are against such censorship, so why should we add our own blocks, without warning, without any way for the user to even know we have such a block?
On 07/06/2014 09:39 AM, Michael Banks wrote:
The block lists are very limited, i.e. P2P, lists of known blackhats/paedophiles, unallocated IP ranges and most importantly: government-owned addresses and anti-tor addresses
Please do not run PeerGuardian or any other blacklist. These lists are part of the problem, and in no way a solution. As stated earlier in this thread, it will break stuff. These lists are never up to date and always contain false information.
It is your exit, you can indeed block IPs, but please do it on the level of ExitPolicy.
In your world maybe "government-owned addresses" are a bad thing. For me and many other Tor users certainly not.
You're free to run an exit on a residential line, but I doubt that your ISP will like the abuse complaints. You will likely get kicked off your contract sooner or later. Also, a residential ISP will not forward abuse complaints or even tell you about them, so there is no way for you to explain yourself.
In effect, as Moritz said (and Roman also tried to say), it's necessary for navigation over Tor that every Exit possibility/restriction is listed in your Exit Policy. If your Exit Node is not going to connect to a given website, it's fine, but the Tor client has to know it, in order to automatically choose another Exit to reach the destination.
For a Tor Exit Node on a residential DSL line, because I love challenges, I've done this in the past, from August 2013 to the end of December 2013, with an unlimited exit policy ;) on a Raspberry Pi. Maybe I was lucky, but apart from 1 copyright infringement (French "Hadopi", the second week), I never had any problem, and in such a case the situation is not very complicated to handle (you simply explain).
If you're like me you will have no problem with thinking your Internet connection has a great chance of being looked at by your ISP and/or bigger institutions: it's part of the challenge, and a challenge is interesting when almost no one is plucky enough to do what you're going to do ;)
In order to get your participation to last a long time, it's useful to run your node on a dedicated machine, while you can focus on your hobbies and use your computer/desktop as before.
Best regards, Julien ROBIN
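Worked example of the point Moritz and Julien make above, added here and not part of the thread or of Tor's own code: a small first-match ExitPolicy evaluator plus a simulation of what a client sees when a block is published in the policy versus hidden in a host-level filter such as PeerGuardian. The names (Rule, Exit, exit_permits, stream_outcome) and the constructed policies are assumptions for illustration; 192.0.2.0/24 is a documentation range standing in for whatever range an operator wants to block, not a real blocklist entry. It assumes IPv4 only, no 'private' keyword, and a policy that ends in an explicit catch-all.

```python
"""Tor-style exit-policy evaluation: published ExitPolicy vs. a silent host filter.

Added illustration, not Tor's own code. Assumptions: IPv4 only, no 'private'
keyword, and a policy that ends in an explicit catch-all (Tor itself appends its
default policy, which ends in accept *:*, when yours has no catch-all).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                                  # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]     # None stands for "*"
    ports: Tuple[int, int]                       # inclusive range; (1, 65535) for "*"


def parse_rule(line: str) -> Rule:
    """Parse one 'accept ADDR[/MASK][:PORT]' / 'reject ...' line (PORT: '*', N or LO-HI)."""
    action, target = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in {line!r}")
    addr, sep, port = target.rpartition(":")
    if not sep:                       # no port part given: whole target is the address
        addr, port = target, "*"
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return Rule(action, network, ports)


def parse_policy(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


def exit_permits(policy: List[Rule], dest_ip: str, dest_port: int) -> bool:
    """First matching rule wins, as in Tor; no match is treated as reject here."""
    ip = ipaddress.ip_address(dest_ip)
    for r in policy:
        if r.network is not None and ip not in r.network:
            continue
        if not r.ports[0] <= dest_port <= r.ports[1]:
            continue
        return r.action == "accept"
    return False


@dataclass
class Exit:
    name: str
    policy: List[Rule]                                   # what the exit publishes
    host_filter: Set[ipaddress.IPv4Network] = field(default_factory=set)  # silent drops


def choose_exit(exits: List[Exit], dest_ip: str, dest_port: int) -> Optional[Exit]:
    """Client view: the first exit whose *published* policy permits the stream."""
    for e in exits:
        if exit_permits(e.policy, dest_ip, dest_port):
            return e
    return None


def stream_outcome(exits: List[Exit], dest_ip: str, dest_port: int):
    """Returns (exit name or None, 'ok' | 'silently dropped' | 'no exit')."""
    e = choose_exit(exits, dest_ip, dest_port)
    if e is None:
        return (None, "no exit")
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in e.host_filter):
        return (e.name, "silently dropped")   # client sees a dead stream, not a policy
    return (e.name, "ok")


# Constructed policies. 192.0.2.0/24 (TEST-NET-1) stands in for a range the
# operator wants to block; it is not a real blocklist entry.
REDUCED = ["reject 192.0.2.0/24:*", "reject *:6881-6999",
           "accept *:80", "accept *:443", "reject *:*"]
WEB_ONLY = ["accept *:80", "accept *:443", "reject *:*"]

HONEST = Exit("honest", parse_policy(REDUCED))                 # block is published
FILTERED = Exit("filtered", parse_policy(WEB_ONLY),            # block hidden in host filter
                {ipaddress.ip_network("192.0.2.0/24")})
WIDE = Exit("wide", parse_policy(WEB_ONLY))

if __name__ == "__main__":
    for exits in ([HONEST, WIDE], [FILTERED, WIDE]):
        print([e.name for e in exits], "->", stream_outcome(exits, "192.0.2.10", 443))
```

With the block published (HONEST), the client's path selection skips that exit and the stream succeeds through another one; with the same block hidden in a host filter (FILTERED), the published policy says "fine", the client builds its circuit there, the stream dies, and nothing tells the client to try elsewhere. That is the breakage described above, and it is why a block belongs in ExitPolicy. A real policy should also end in reject *:*, because Tor appends its default policy (ending in accept *:*) when the operator's own lines have no catch-all.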
Node's on a dedicated machine, I have a couple of RasPis kicking about, might spin up nodes on them too. ~Chip
On 2014-07-06 09:14, Michael Banks wrote:
Advice taken. I was debating whether to switch over to relay-only or not. I must note, the Tor node is on its own address, under a residential contract.
Does not matter. You cannot prove that you did not route your connection over it or that it was or was not Tor.
This is also why folks doing exit (and even relay) nodes use dedicated hosting: abuse does not cut off your home Internet link and there is a limited form of deniability (though that did not help for that Austrian guy it seems, then again he did a lot of other odd stuff too which probably did not help his case much... full facts are never known).
I was taking extra precaution by running PeerGuardian and specifically blocking malicious IPs, and will continue to do so while I have a relay node.
If you have a relay you will very unlikely be contacting anything on that 'list', at least through Tor.
How exactly does PeerGuardian work? (seems there are a number of tools called that way and the first hit on google is unmaintained)
Does it use a downloaded list, an RBL or something else? As when it is a list they are giving you the set of locations that are 'interesting' to peek at, when it is a RBL, they know who you are contacting. Unless a hash of some kind is involved you are likely giving away details or they are losing the details.
I have tor-relay.itschip.com set in torrc.. guess I have to fiddle with more things? Anyone with Debian experience who can help in that field?
Reverse DNS has little to do with the operating system; you'll have to ask your ISP to set that for you (who, if they allow it, might inform you of a tool/protocol to use to do so). Typically though, for residential connections reverse DNS cannot be changed.
Greets, Jeroen
It's a relay node now, so it should be fine, we'll see what happens. Google 'pglcmd debian' - I've removed most of the lists. It's essentially now only blocking known paedophiles/child porn related IPs - funnily enough, it's blocked quite a few connections to those known addresses. The broadband security team at my ISP is sorting the DNS records out. They even offered a SWIP. ~Chip
On Sun, 06 Jul 2014 06:06:35 +0100 Michael Banks c@starbs.net wrote:
running PeerGuardian on the server in question (blocking P2P/kiddyporn/hacking related IPs)
Thanks for notifying everyone, I hope your BadExit flag is already on its way.