Hi,
I'm planning to get myself a small VPS for simple things like calendar-synching and backup of important data. Since these things are very light on resource-usage, I thought about putting a tor relay (non-exit) on the server, so it does something useful instead of idling most of the time.
Is this advisable, or are there reasons why I shouldn't put a relay on a server that is used simultaneously by other things?
Thanks for your advice!
Hey! Thx for adding a relay ;) About my VPS relay, there's a webserver running behind with munin to monitor/graph everything (only my home IP is able to connect to this webserver). CPU is not used 100% all the time, so there is Boinc running behind to help worldcommunitygrid.org against cancer, ebola, zika...
This VPS is helping the Tor network (human rights and freedom) (sharing network) + human health at the same time (sharing CPU). The server is now 95% used for some good things, in my opinion.
I think this software running behind is safe? And is not against Tor security?
Having a little owncloud for you on your VPS can't be bad, in my opinion, if you always update software and OS... If I'm not wrong, an admin will always say 1 task = 1 server...
Other notices are welcome ;)
Anything other than Tor running on the server is a liability. I'd be particularly concerned about things like Owncloud (not to mention web servers), which has a history of security vulnerabilities. I think it's best to restrict Tor relays to dedicated installs.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 8/21/16, Michael McConville mmcco@mykolab.com wrote:
> Anything other than Tor running on the server is a liability. I'd be particularly concerned about things like Owncloud (not to mention web servers), which has a history of security vulnerabilities. I think it's best to restrict Tor relays to dedicated installs.
Not only security of the relay, but of any dependencies and privacy of any other operations and data you may have on it should it get seized for whatever reason. Of course risk of seizure is less with non-exits.
Since anyone can run a relay, and there aren't any relay police or hardcoded restrictions, it's really up to you and what you're comfortable with. For example, many might use their VPS space to store encrypted backups offsite, or run various small services that have minimal risk or attack surface.
And to the extent that doing things will make you a better admin, able to weigh operation security, there can be a lot of good in that too.
On 08/21/2016 09:33 PM, Petrusko wrote:
> CPU is not used 100% all the time, so there is Boinc running behind to help worldcommunitygrid.org against cancer, ebola, zika...
There was an unclear situation related to BOINC at my former exit relay [1], so I banned BOINC from a Tor relay.
[1] https://www.zwiebeltoralf.de/torserver/cep2/index.html
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
Woo, I've quickly googled this "grsecurity" patch, it looks like it's not so easy to apply on a Debian Stable kernel... (that's why I've never seen something like your log on my side...) https://wiki.debian.org/grsecurity
Thx for sharing this kernel option, and this experience. But if I understand well, a user from the IP address 5.79.67.47 has tried to execute system commands after being connected successfully to your boinc instance?
On 08/21/2016 10:28 PM, Petrusko wrote:
> Thx for sharing this kernel option, and this experience.
Under Gentoo Linux it is very easy to have GRSecurity. I do use it both on my desktop and my server w/o bigger problems.
> But if I understand well, a user from the IP address 5.79.67.47 has tried to execute system commands after being connected successfully to your boinc instance?
That was my understanding - right. OTOH I'm unsure if this is the only explanation - maybe there's a harmless one too.
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
> > Thx for sharing this kernel option, and this experience.
> Under Gentoo Linux it is very easy to have GRSecurity. I do use it both on my desktop and my server w/o bigger problems.
So I'm thinking about destroying my current VPS relay, then rebuilding a new "hardened" one that may be more secure (I hope) after reading some tips about securing Debian... try to do my best, next time :p
> > But if I understand well, a user from the IP address 5.79.67.47 has tried to execute system commands after being connected successfully to your boinc instance?
> That was my understanding - right. OTOH I'm unsure if this is the only explanation - maybe there's a harmless one too.
Humm, if using a firewall script (iptables may be too in Gentoo?) to block everything /from/ the world, I think it's ok? Activate only SSH + TOR ports open. Boinc will only need to /connect to outside/ as a client (of course only your personal IP will be able to connect from outside with the manager)
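The inbound policy described in the message above (drop everything from outside, open only SSH and the Tor port, let BOINC and Tor connect outward as clients), written out as an added example that is not part of the thread. The port numbers, the admin address and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: 9001 = relay ORPort,
# 22 = SSH, 203.0.113.10 = admin's home IP (RFC 5737 documentation address),
# 80 = monitoring web server that only the home IP may reach.

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# relay_ruleset OR_PORT SSH_PORT ADMIN_IP [ADMIN_ONLY_PORT...]
# Prints an IPv4 ruleset in iptables-restore format; it changes nothing itself.
relay_ruleset() {
    [ $# -ge 3 ] || { echo "usage: relay_ruleset OR SSH ADMIN_IP [PORT...]" >&2; return 1; }
    or_port=$1 ssh_port=$2 admin_ip=$3
    shift 3
    # Reject anything that is not a plain port number, so an argument cannot
    # smuggle extra iptables options into a rule line.
    for p in "$or_port" "$ssh_port" "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    case $admin_ip in
        ''|*[!0-9.]*) echo "invalid IPv4 address: $admin_ip" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp --dport $or_port -j ACCEPT
EOF
    # Admin-only services (monitoring, managers): home address only.
    for p in "$@"; do
        echo "-A INPUT -s $admin_ip/32 -p tcp --dport $p -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for review; as root, pipe it to `iptables-restore --test`
# to validate before loading. IPv6 needs its own policy via ip6tables-restore.
relay_ruleset 9001 22 203.0.113.10 80
```

The ESTABLISHED,RELATED rule is what lets replies to outbound client connections back in without opening a listening port. A firewall limits what is reachable; it does not address the seizure and shared-data concerns raised elsewhere in the thread.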
I wouldn't run BOINC on a VPS. Most AUPs ban the use of programs designed to use 100% CPU (a.k.a. programs like BOINC). You should probably double-check if your VPS is ok with that.
Mine hasn't. It peaks at about 30%. It can't even hit the 150Mbps limit I set.
On Aug 21, 2016 8:33 PM, "Green Dream" greendream848@gmail.com wrote:
> > Most AUPs ban the use of programs designed to use 100% CPU
> A well-utilized Tor node will max out CPU...
> > > Most AUPs ban the use of programs designed to use 100% CPU
> > A well-utilized Tor node will max out CPU...
> Mine hasn't. It peaks at about 30%. It can't even hit the 150Mbps limit I set.
Let me rephrase it then: a well-utilized Tor node _can_ max out CPU.
I have two guard/middle nodes with maxed out cores. CPU is actually their bottleneck. They have high consensus weight and get a lot of use though.
My point was just that if a VPS provider has a policy against software that maxes out CPU, Tor could cause that condition. Whether or not a provider would actually enforce this against a Tor node is another question. I haven't heard of it happening but ¯_(ツ)_/¯
On Sun, 21 Aug 2016 20:06:31 +0200 jensm1 jensm1@bbjh.de allegedly wrote:
> I'm planning to get myself a small VPS for simple things like calendar-synching and backup of important data. Since these things are very light on resource-usage, I thought about putting a tor relay (non-exit) on the server, so it does something useful instead of idling most of the time.
> Is this advisable, or are there reasons why I shouldn't put a relay on a server that is used simultaneously by other things?
I think the clue to the answer lies in your "backup of important data".
Personally I run my tor node on a VPS I can afford to lose. I do not, and would not, use a server holding or hosting anything I care about (email, XMPP, web service etc.) as a tor node.
Even if your relay is not an exit, there is always the possibility that its use as a Tor node will offend someone who is in a position to interfere with it. Consider the possibility that your ISP decides it does want Tor traffic on its network. That ISP might take your relay off line. If you use that server for anything else, you are borked.
There is also the very real possibility that any other services you run on the Tor node actually weaken the security of that node. Every service you run on a server increases the attack surface. If your Tor node happens to be running an insecure (or badly configured, or both) FTP server, for example, then it could be compromised and used by "bad guys" (TM).
Best
Mick
-- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Thanks for all the replies!
It's actually good advice not to run backup and tor on the same server, in case it gets seized or the ISP kills it. Also, the small monetary savings aren't really worth the increased attack surface for both the tor relay and the other services.
I therefore won't be running a relay on that VPS, but I will check if my funds will allow me (student, so money is always a bit tight) to spin up a second VPS just for tor.
Thanks again for all your advice and help!