[tor-relays] tor 0.2.8.x: in 26 days to the top
~26 days after the first stable tor 0.2.8.x release, it has become the most prevalent tor version on the network by consensus weight [1].

There are still more 0.2.7.x relays than 0.2.8.x relays on the network [2], but that will change soon.

[1] https://github.com/ornetstats/stats/blob/9f63665a7a4bc996f224006e76b1c7cf4eba97c9/o/major-version_share.txt
[2] https://metrics.torproject.org/versions.html

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Cheapest HW to get 20Mbit?
On 2016-08-30 at 01:40, Joel Cretan wrote:
> Having run a relay on an older RPi with standard Raspbian, I would
> caution you to look carefully at the packages you're using, if you
> choose that hardware. Of course the Tor package itself is woefully out
> of date, so you have to build from source. But it's worse than that.
>
> I noticed that running regular apt-get update && apt-get upgrade was not
> enough to keep openssl up to date. Over a year after Heartbleed had been
> fixed, I noticed that my "up-to-date" version was still vulnerable, not
> to mention all the other bugs discovered there in the last few years. I
> thought maybe I could replace openssl with one of the forks, but was
> unable to find any pre-built packages or even signed source
> distributions with signing keys distributed over TLS. It was a pretty
> bad state of affairs, so I shut that relay down entirely. Maybe it has
> improved since then, but be careful.

You could run Arch Linux on the Pi [1] which should have more up-to-date packages (if there are any outdated ones at all). If you find one that is not available for the arm architecture of the Pi, you could always (try to) compile the package for yourself.

Best,
Michael

[1] https://archlinuxarm.org/
Re: [tor-relays] Cheapest HW to get 20Mbit?
Having run a relay on an older RPi with standard Raspbian, I would caution you to look carefully at the packages you're using, if you choose that hardware. Of course the Tor package itself is woefully out of date, so you have to build from source. But it's worse than that.

I noticed that running regular apt-get update && apt-get upgrade was not enough to keep openssl up to date. Over a year after Heartbleed had been fixed, I noticed that my "up-to-date" version was still vulnerable, not to mention all the other bugs discovered there in the last few years. I thought maybe I could replace openssl with one of the forks, but was unable to find any pre-built packages or even signed source distributions with signing keys distributed over TLS. It was a pretty bad state of affairs, so I shut that relay down entirely. Maybe it has improved since then, but be careful.

On Aug 28, 2016 4:37 PM, "Matt Traudt" wrote:

On 08/28/2016 04:26 PM, Petrusko wrote:
>
>> Up to two per IP.
> Hu? it's sad for people having several CPU... :s
>

It does help a little to prevent attackers from spinning up a lot of relays. With this limit, they must have n/2 IPs at their disposal.

For example, this paper[1] shows an attack for harvesting onion services. It would have been much easier without the 2-per-IP limit.

Matt

[1]: http://ieee-security.org/TC/SP2013/papers/4977a080.pdf
Re: [tor-relays] Atlas
Thank you.

> On Aug 29, 2016, at 18:08, teor wrote:
>
>> On 30 Aug 2016, at 03:00, John Ricketts wrote:
>>
>> Hello,
>>
>> Does anyone know how often the Whois database is updated for atlas? The AS
>> number listed for my relay is reporting the incorrect information.
>>
>> John
>
> Hi John,
>
> We use the MaxMind GeoIP database, so upstream changes will automatically be
> included in Atlas.
> (I'm not sure what our update schedule is for Atlas.)
>
> We're working on getting better AS information here:
> https://trac.torproject.org/projects/tor/ticket/19437
>
> Tim
>
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org
Re: [tor-relays] Atlas
> On 30 Aug 2016, at 03:00, John Ricketts wrote:
>
> Hello,
>
> Does anyone know how often the Whois database is updated for atlas? The AS
> number listed for my relay is reporting the incorrect information.
>
> John

Hi John,

We use the MaxMind GeoIP database, so upstream changes will automatically be included in Atlas.
(I'm not sure what our update schedule is for Atlas.)

We're working on getting better AS information here:
https://trac.torproject.org/projects/tor/ticket/19437

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
Re: [tor-relays] British Airways website blocking non exit relays IPs?
On 20 May 2016 at 12:32, Dionysis Grigoropoulos wrote:
> On Fri, May 20, 2016 at 12:18:01PM +0100, Pascal Terjan wrote:
>> I haven't been able to access BA website from home for the last few weeks.
>>
>> I have failed to get any other answer on the phone than to try using
>> Internet Explorer or to wait for things to maybe get fixed. Twitter
>> support was not more helpful.
>>
>> I am now wondering if this is because I run a (non exit) relay. Can
>> anyone confirm if they also have the problem?
>> http://ba.com/
>
> Running this from my non-exit relay I get the same error. Works as
> expected on another machine on the same IP range that isn't a tor
> relay, so I guess they're actively blocking them.

The error page got updated and now points to http://www.brightcloud.com/tools/change-request-ip-reputation.php where I requested a reputation change and gave an explanation, hopefully they will at least stop blocking non exit relays...
[tor-relays] block input hammering from the same ip source address
These are iptables rules (ipv4) for my exit relay:

IPT="/sbin/iptables"

# Tor
#
$IPT -A INPUT -p tcp --destination-port 80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
$IPT -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
#
$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 443 -j ACCEPT

For the first 2 I do wonder if there's something I should consider too?

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
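A simplified model of the per-source counting that the two DROP rules above ask for, added here as an example and not part of the original post. The event list is constructed, and the model assumes that each rule keeps its own count, that a new connection counts itself, and that a dropped attempt is not kept; it also accepts other prefix lengths than the /32 used in the post.

```python
import ipaddress
from collections import Counter

LIMIT = 2   # from --connlimit-above 2
MASK = 32   # from --connlimit-mask 32

# Constructed events: (action, connection id, source address, destination port)
EVENTS = [
    ("open", "a1", "198.51.100.7", 443),
    ("open", "a2", "198.51.100.7", 443),
    ("open", "a3", "198.51.100.7", 443),   # third concurrent from one address
    ("open", "b1", "198.51.100.8", 443),   # neighbouring address
    ("close", "a1", "198.51.100.7", 443),
    ("open", "a4", "198.51.100.7", 443),   # a slot was freed by the close
    ("open", "a5", "198.51.100.7", 80),    # handled by the port 80 rule
]


def group_key(src, mask=MASK):
    """Network a source address is grouped into for a given prefix length."""
    return ipaddress.ip_network(f"{src}/{mask}", strict=False)


def replay(events, limit=LIMIT, mask=MASK):
    """Return {connection id: "ACCEPT" | "DROP"} for every "open" event.

    Assumptions of this model: each rule (one per port) counts on its own,
    the new connection counts itself, and a dropped attempt is not kept.
    """
    counts = Counter()   # (dport, source group) -> connections being tracked
    tracked = {}         # connection id -> key, accepted connections only
    verdicts = {}
    for action, conn_id, src, dport in events:
        if action == "open":
            key = (dport, group_key(src, mask))
            if counts[key] + 1 > limit:      # "above 2": the third is dropped
                verdicts[conn_id] = "DROP"
            else:
                counts[key] += 1
                tracked[conn_id] = key
                verdicts[conn_id] = "ACCEPT"
        elif action == "close" and conn_id in tracked:
            counts[tracked.pop(conn_id)] -= 1
    return verdicts


if __name__ == "__main__":
    for mask in (32, 24):
        print(f"/{mask}", replay(EVENTS, mask=mask))
```

With the /32 mask from the post only the third simultaneous connection from one address is dropped; with a /24 mask the neighbouring address shares that count and is dropped as well.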
[tor-relays] Atlas
Hello,

Does anyone know how often the Whois database is updated for atlas? The AS number listed for my relay is reporting the incorrect information.

John
Re: [tor-relays] Closing a relay, to move/upgrade, identity question ?
On 08/29/2016 01:48 PM, Petrusko wrote:
> If I'm paranoiac, and if this current relay has been corrupted, I think
> it's better to start a clean identity without the old keys ?

That was the reason for me to start with new keys (and an encrypted FS) when I changed the hardware.

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
[tor-relays] Closing a relay, to move/upgrade, identity question ?
Hey,

Planning to close, then re-build a relay. (1st time I'm testing it on the whole system!)

Some useful information here about it:
https://www.torproject.org/docs/faq.html.en#UpgradeOrMove

I think it's useful to stay on the same "identity"... But if the new torrc will use other TCP ports, will it be a mess ?

No problem for me if this (new) relay will not have the same identity as before. But it will be nice to restore Atlas old graphs ;)

If I'm paranoiac, and if this current relay has been corrupted, I think it's better to start a clean identity without the old keys ?

Thx for your lights ;)

--
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5