All, I am considering only allowing ports 53, 80, and 443 only. Discussion? John Ricketts Quintex Alliance Consulting
On Mon, Dec 17, 2018 at 09:34:49PM +0000, John Ricketts wrote:
I am considering only allowing ports 53, 80, and 443 only. Discussion?
Thought #1: tcp port 53 isn't much used, so it would be a weird port to choose if you've narrowed it down to three. (Some people think that they need 53 open in order for their relay to do dns resolves for exiting circuits, but that is not so: Tor does the resolves itself, so they don't count as 'exit' requests.) So if your goal is to reduce things as much as possible, don't be shy about removing 53 too. Thought #2: if too many fast exits remove other ports from their exit policies, then Tor gets slower for reaching those other ports. Also there is a complex relationship with anonymity, in the sense that fewer possible exit points mean less entropy in terms of where your stream might have exited. Thought #3: if you need to pare down your exit policy in order to keep being an exit relay, then you totally should. That's what exit policies are for after all. Hope that helps! --Roger
Roger, Thanks. Based on what you've said I am going to leave my exit policy the way it is. Reduction of my exit policy would cause too much harm to the network and leaving it the way it is does not cause me any issues. I was only considering it for abuse reasons, but the risk to entropy outweighs any issues for me. John Ricketts Quintex Alliance Consulting
On Dec 17, 2018, at 15:48, Roger Dingledine <arma@mit.edu> wrote:
On Mon, Dec 17, 2018 at 09:34:49PM +0000, John Ricketts wrote: I am considering only allowing ports 53, 80, and 443 only. Discussion?
Thought #1: tcp port 53 isn't much used, so it would be a weird port to choose if you've narrowed it down to three. (Some people think that they need 53 open in order for their relay to do dns resolves for exiting circuits, but that is not so: Tor does the resolves itself, so they don't count as 'exit' requests.) So if your goal is to reduce things as much as possible, don't be shy about removing 53 too.
Thought #2: if too many fast exits remove other ports from their exit policies, then Tor gets slower for reaching those other ports. Also there is a complex relationship with anonymity, in the sense that fewer possible exit points mean less entropy in terms of where your stream might have exited.
Thought #3: if you need to pare down your exit policy in order to keep being an exit relay, then you totally should. That's what exit policies are for after all.
Hope that helps! --Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I always blocked the obvious abuse ports, but for reasons I do not know, blocking port 80 except to a few subnets, abolished complaints about my exits. I widened the number of subnets and complaints started again, so put restrictions back. 443 wide open, along with very wide range of ports and most high numbers. I am puzzled that port 80 attracts the abuse complaints. Is it because the port 80 traffic is more easily read by agencies sniffing for bad things and copyright infringements? Gerry -----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of John Ricketts Sent: 17 December 2018 21:35 To: tor-relays@lists.torproject.org Subject: [tor-relays] Extreme Exit Policy All, I am considering only allowing ports 53, 80, and 443 only. Discussion? John Ricketts Quintex Alliance Consulting _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Mon, Dec 17, 2018 at 11:40:05PM +0000, gerard@bulger.co.uk wrote:
I always blocked the obvious abuse ports, but for reasons I do not know, blocking port 80 except to a few subnets, abolished complaints about my exits. I widened the number of subnets and complaints started again, so put restrictions back.
443 wide open, along with very wide range of ports and most high numbers. I am puzzled that port 80 attracts the abuse complaints. Is it because the port 80 traffic is more easily read by agencies sniffing for bad things and copyright infringements?
One plausible explanation would be that when you blocked too much of port 80, you lost the Exit flag, which caused most clients to not consider you as suitable for use in the third hop of their circuit. https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2564 That is, by closing down your exit policy so much, you signaled to clients that they shouldn't try using you as their exit, so most of them didn't. (You might still see a few exit requests anyway, since clients with a stream request for port 443 would still consider you a legit option if they don't have an available circuit. But when they're making preemptive circuits, they would skip over you because you don't seem like the sort of relay that's likely to be able to satisfy whatever their future requests will be.) --Roger
Thanks Roger for your helpful explanations, as always. I still have exit flags. The total traffic through through my exits does not see change whatever I do to port 80, with some 3,000 exits. Vnstat makes it 17 T a month on my main server. I am puzzled that amount of activity, with limited port 80, is not generating anything on the abuse front with so many ports open,...touching wood firmly now. Delighted, and of course I do feel guilty that I do not have port 80 (or 22 for that matter) wide open for Tor community, but don't have the balls for it, and I am not hiding behind a limited company. Gerry Bulger -----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Roger Dingledine Sent: 18 December 2018 00:47 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Extreme Exit Policy On Mon, Dec 17, 2018 at 11:40:05PM +0000, gerard@bulger.co.uk wrote:
I always blocked the obvious abuse ports, but for reasons I do not know, blocking port 80 except to a few subnets, abolished complaints about my exits. I widened the number of subnets and complaints started again, so put restrictions back.
443 wide open, along with very wide range of ports and most high numbers. I am puzzled that port 80 attracts the abuse complaints. Is it because the port 80 traffic is more easily read by agencies sniffing for bad things and copyright infringements?
One plausible explanation would be that when you blocked too much of port 80, you lost the Exit flag, which caused most clients to not consider you as suitable for use in the third hop of their circuit. https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2564 That is, by closing down your exit policy so much, you signaled to clients that they shouldn't try using you as their exit, so most of them didn't. (You might still see a few exit requests anyway, since clients with a stream request for port 443 would still consider you a legit option if they don't have an available circuit. But when they're making preemptive circuits, they would skip over you because you don't seem like the sort of relay that's likely to be able to satisfy whatever their future requests will be.) --Roger _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 12/17/2018 02:34 PM, John Ricketts wrote:
All,
I am considering only allowing ports 53, 80, and 443 only. Discussion?
Given that I SSH via Tor a lot, that would suck for me. If too many exits didn't allow port 22, anyway. As it is, it's not uncommon for SSH logins via Tor to die. Presumably after some network hiccup. And sure, I could setup .onion SSH for everything, and that'd arguably be more secure. But sometimes I'm just too lazy for that. Now that I'm thinking of it, though, I wonder whether I ought to change SSH to port 443. That'd give me a larger exit population, which would be good. But for anyone watching, my SSH sessions would be more unusual. What would be the likely net impact of using port 443 for SSH?
John Ricketts Quintex Alliance Consulting _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Mon, Dec 17, 2018 at 11:51:29PM -0700, Mirimir wrote:
Given that I SSH via Tor a lot, that would suck for me. If too many exits didn't allow port 22, anyway. As it is, it's not uncommon for SSH logins via Tor to die. Presumably after some network hiccup.
And sure, I could setup .onion SSH for everything, and that'd arguably be more secure. But sometimes I'm just too lazy for that.
Now that I'm thinking of it, though, I wonder whether I ought to change SSH to port 443. That'd give me a larger exit population, which would be good. But for anyone watching, my SSH sessions would be more unusual.
What would be the likely net impact of using port 443 for SSH?
Another more surprising impact for you is that your ssh connections would, counterintuitively, die more often. That's because Tor has a LongLivedPorts option, where streams for those destination ports use circuits with all Stable-flagged relays, and 22 is in the list but 443 is not: LongLivedPorts PORTS A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these ports will contain only high-uptime nodes, to reduce the chance that a node will go down before the stream is finished. Note that the list is also honored for circuits (both client and service side) involving hidden services whose virtual port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300) --Roger
On 12/18/2018 12:09 AM, Roger Dingledine wrote:
On Mon, Dec 17, 2018 at 11:51:29PM -0700, Mirimir wrote:
Given that I SSH via Tor a lot, that would suck for me. If too many exits didn't allow port 22, anyway. As it is, it's not uncommon for SSH logins via Tor to die. Presumably after some network hiccup.
And sure, I could setup .onion SSH for everything, and that'd arguably be more secure. But sometimes I'm just too lazy for that.
Now that I'm thinking of it, though, I wonder whether I ought to change SSH to port 443. That'd give me a larger exit population, which would be good. But for anyone watching, my SSH sessions would be more unusual.
What would be the likely net impact of using port 443 for SSH?
Another more surprising impact for you is that your ssh connections would, counterintuitively, die more often.
That's because Tor has a LongLivedPorts option, where streams for those destination ports use circuits with all Stable-flagged relays, and 22 is in the list but 443 is not:
LongLivedPorts PORTS A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these ports will contain only high-uptime nodes, to reduce the chance that a node will go down before the stream is finished. Note that the list is also honored for circuits (both client and service side) involving hidden services whose virtual port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300)
Thanks. I guess that I'll stick with port 22, then. And re .onion services, it's interesting that OnionCat port 8060 isn't on the list. I guess that I ought to use one of those, instead.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Another more surprising impact for you is that your ssh connections would, counterintuitively, die more often.
That's because Tor has a LongLivedPorts option, where streams for those destination ports use circuits with all Stable-flagged relays, and 22 is in the list but 443 is not:
LongLivedPorts PORTS A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these ports will contain only high-uptime nodes, to reduce the chance that a node will go down before the stream is finished. Note that the list is also honored for circuits (both client and service side) involving hidden services whose virtual port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300)
And re .onion services, it's interesting that OnionCat port 8060 isn't on the list.
Nice. Considering all that is, and can be, stuffed over OnionCat, including the above, 8060 could probably be added to the list. Similar could perhaps be said for any tunneling protocols... OpenVPN, etc.
On 12/18/2018 09:32 PM, grarpamp wrote:
Another more surprising impact for you is that your ssh connections would, counterintuitively, die more often.
That's because Tor has a LongLivedPorts option, where streams for those destination ports use circuits with all Stable-flagged relays, and 22 is in the list but 443 is not:
LongLivedPorts PORTS A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these ports will contain only high-uptime nodes, to reduce the chance that a node will go down before the stream is finished. Note that the list is also honored for circuits (both client and service side) involving hidden services whose virtual port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300)
And re .onion services, it's interesting that OnionCat port 8060 isn't on the list.
Nice. Considering all that is, and can be, stuffed over OnionCat, including the above, 8060 could probably be added to the list. Similar could perhaps be said for any tunneling protocols... OpenVPN, etc.
Well, I just use a bash wrapper for OnionCat. Basically, it checks "ip a" (or ping6 an OnionCat heartbeat server). If the test fails, it checks Tor status. And then it restarts Tor (if necessary) and then OnionCat.
On Dec 17, 2018, at 22:51, Mirimir <mirimir@riseup.net> wrote:
And sure, I could setup .onion SSH for everything, and that'd arguably be more secure. But sometimes I'm just too lazy for that.
I'm pretty frickin' lazy, but I do this with all my servers. Here's the recipe for Linux/Debian provisioning: -*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*- # cat >>/etc/apt/sources.list deb https://deb.torproject.org/torproject.org stretch main deb-src https://deb.torproject.org/torproject.org stretch main # apt install gnupg2 dirmngr # gpg2 --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 I've had gpg2 fail, in which case this should work: # gpg --keyserver hkp://pool.sks-keyservers.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 # gpg2 --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - # apt update # apt install tor deb.torproject.org-keyring edit /etc/tor/torrc, the "hidden services" section, to add: HiddenServiceDir /var/lib/tor/control/ HiddenServicePort 22 127.0.0.1:22 # service tor restart # cat /var/lib/tor/control/hostname Record the onion address for posterity -*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*-.,,.-*"*- The SSH sessions to the .onion address seem pretty darned solid. --Ron
Hi, excuse my bad english. I would run an exit relay on a virtual server. For now i run just a non exit relay on my own mini server. I don't like too much do not have full control on the server, but, for me, it is the only way to run an exit relay. How I know which service can get me a pubblic ip address on which I can put my email address on report abuse section, so I can directly receive abuse warning without passing throw my server provider? Could you suggests me some providers that possiby offer unlimited monthly data too? Regards Gigi
On Wed, Dec 19, 2018 at 07:17:49AM +0100, dns1983@riseup.net wrote:
Hi,
excuse my bad english.
I would run an exit relay on a virtual server. For now i run just a non exit relay on my own mini server. I don't like too much do not have full control on the server, but, for me, it is the only way to run an exit relay.
How I know which service can get me a pubblic ip address on which I can put my email address on report abuse section, so I can directly receive abuse warning without passing throw my server provider?
Could you suggests me some providers that possiby offer unlimited monthly data too?
Regards Gigi
This message is more appropriate as a new post. Thanks!
participants (8)
-
dns1983@riseup.net -
gerard@bulger.co.uk -
grarpamp -
Jaysinh Shukla -
John Ricketts -
Mirimir -
Roger Dingledine -
ronqtorrelays@risley.net