[tor-relays] tor 0.2.8.x: in 26 days to the top

2016-08-29 Thread nusenu
~26 days after the first stable tor 0.2.8.x release,
it has become the most prevalent tor version on the network by consensus
weight [1].

There are still more 0.2.7.x relays than 0.2.8.x relays on the network
[2], but that will change soon.

[1]
https://github.com/ornetstats/stats/blob/9f63665a7a4bc996f224006e76b1c7cf4eba97c9/o/major-version_share.txt

[2] https://metrics.torproject.org/versions.html



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Cheapest HW to get 20Mbit?

2016-08-29 Thread Michael Armbruster
On 2016-08-30 at 01:40, Joel Cretan wrote:
> Having run a relay on an older RPi with standard Raspbian, I would
> caution you to look carefully at the packages you're using, if you
> choose that hardware. Of course the Tor package itself is woefully out
> of date, so you have to build from source. But it's worse than that.
> 
> I noticed that running regular apt-get update && apt-get upgrade was not
> enough to keep openssl up to date. Over a year after Heartbleed had been
> fixed, I noticed that my "up-to-date" version was still vulnerable, not
> to mention all the other bugs discovered there in the last few years. I
> thought maybe I could replace openssl with one of the forks, but was
> unable to find any pre-built packages or even signed source
> distributions with signing keys distributed over TLS. It was a pretty
> bad state of affairs, so I shut that relay down entirely. Maybe it has
> improved since then, but be careful.

You could run Arch Linux on the Pi [1] which should have more up-to-date
packages (if there are any outdated ones at all). If you find one that
is not available for the arm architecture of the Pi, you could always
(try to) compile the package for yourself.

Best,
Michael

[1] https://archlinuxarm.org/





Re: [tor-relays] Cheapest HW to get 20Mbit?

2016-08-29 Thread Joel Cretan
Having run a relay on an older RPi with standard Raspbian, I would caution
you to look carefully at the packages you're using, if you choose that
hardware. Of course the Tor package itself is woefully out of date, so you
have to build from source. But it's worse than that.

I noticed that running regular apt-get update && apt-get upgrade was not
enough to keep openssl up to date. Over a year after Heartbleed had been
fixed, I noticed that my "up-to-date" version was still vulnerable, not to
mention all the other bugs discovered there in the last few years. I
thought maybe I could replace openssl with one of the forks, but was unable
to find any pre-built packages or even signed source distributions with
signing keys distributed over TLS. It was a pretty bad state of affairs, so
I shut that relay down entirely. Maybe it has improved since then, but be
careful.

On Aug 28, 2016 4:37 PM, "Matt Traudt" wrote:



On 08/28/2016 04:26 PM, Petrusko wrote:
>
>> Up to two per IP.
> Hu? it's sad for people having several CPU... :s
>

It does help a little to prevent attackers from spinning up a lot of
relays. With this limit, they must have n/2 IPs at their disposal.

For example, this paper[1] shows an attack for harvesting onion
services. It would have been much easier without the 2-per-IP limit.

Matt

[1]: http://ieee-security.org/TC/SP2013/papers/4977a080.pdf




Re: [tor-relays] Atlas

2016-08-29 Thread John Ricketts
Thank you.

> On Aug 29, 2016, at 18:08, teor  wrote:
> 
> 
>> On 30 Aug 2016, at 03:00, John Ricketts  wrote:
>> 
>> Hello,
>> 
>> Does anyone know how often the Whois database is updated for atlas?  The AS 
>> number listed for my relay is reporting the incorrect information.
>> 
>> John
> 
> Hi John,
> 
> We use the MaxMind GeoIP database, so upstream changes will automatically be 
> included in Atlas.
> (I'm not sure what our update schedule is for Atlas.)
> 
> We're working on getting better AS information here:
> https://trac.torproject.org/projects/tor/ticket/19437
> 
> Tim
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org
> 


Re: [tor-relays] Atlas

2016-08-29 Thread teor

> On 30 Aug 2016, at 03:00, John Ricketts  wrote:
> 
> Hello,
> 
> Does anyone know how often the Whois database is updated for atlas?  The AS 
> number listed for my relay is reporting the incorrect information.
> 
> John

Hi John,

We use the MaxMind GeoIP database, so upstream changes will automatically be 
included in Atlas.
(I'm not sure what our update schedule is for Atlas.)

We're working on getting better AS information here:
https://trac.torproject.org/projects/tor/ticket/19437

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org










Re: [tor-relays] British Airways website blocking non exit relays IPs?

2016-08-29 Thread Pascal Terjan
On 20 May 2016 at 12:32, Dionysis Grigoropoulos  wrote:
> On Fri, May 20, 2016 at 12:18:01PM +0100, Pascal Terjan wrote:
>> I haven't been able to access BA website from home for the last few weeks.
>>
>> I have failed to get any other answer on the phone than to try using
>> Internet Explorer or to wait for things to maybe get fixed. Twitter
>> support was not more helpful.
>>
>> I am now wondering if this is because I run a (non exit) relay. Can
>> anyone confirm if they also have the problem?
>> http://ba.com/
>
> Running this from my non-exit relay I get the same error. Works as
> expected on another machine on the same IP range that isn't a tor
> relay, so I guess they're actively blocking them.

The error page got updated and now points to
http://www.brightcloud.com/tools/change-request-ip-reputation.php
where I requested a reputation change and gave an explanation,
hopefully they will at least stop blocking non exit relays...


[tor-relays] block input hammering from the same ip source address

2016-08-29 Thread Toralf Förster

These are iptables rules (ipv4) for my exit relay:

  IPT="/sbin/iptables"

  # Tor
  #
  # Drop NEW connections to ports 80/443 when one source address
  # (--connlimit-mask 32) is above the connlimit threshold of 2.
  $IPT -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW \
       --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
  $IPT -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW \
       --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
  #
  # Accept everything else addressed to these ports.
  $IPT -A INPUT -p tcp --destination-port  80 -j ACCEPT
  $IPT -A INPUT -p tcp --destination-port 443 -j ACCEPT

For the first 2 I do wonder if there's something I should consider too?

-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
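
Added example (not part of the message above and not Tor project code): iptables stops at the first rule whose target is ACCEPT or DROP, so the connlimit DROP rules only take effect while they sit before the plain ACCEPT for the same port. This Python check verifies that ordering for a list of rules; the function names and the REORDERED sample are constructed for illustration.

```python
import shlex

# Options this check reads; each of them takes exactly one value.
OPTS = {"-A": "chain", "--destination-port": "dport", "--dport": "dport",
        "-j": "target", "--connlimit-above": "above"}

# Constructed input: the rules from the message, with $IPT expanded.
POSTED = """
/sbin/iptables -A INPUT -p tcp --destination-port 80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT
"""

# Constructed counter-example: port 80 ACCEPT moved first, no limit on 443.
REORDERED = """
/sbin/iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --destination-port 80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT
"""

def parse_rule(line):
    """Return the options of interest from one 'iptables -A ...' line."""
    tokens = shlex.split(line)
    rule = dict.fromkeys(OPTS.values())
    for opt, value in zip(tokens, tokens[1:]):
        if opt in OPTS:
            rule[OPTS[opt]] = value
    return rule

def audit(rules_text):
    """Map each INPUT destination port to the state of its per-source limit."""
    first = {}  # port -> index of the first "limit" and first "accept" rule
    lines = [l for l in rules_text.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        rule = parse_rule(line)
        kind = ("limit" if rule["target"] == "DROP" and rule["above"] else
                "accept" if rule["target"] == "ACCEPT" and not rule["above"] else None)
        if rule["chain"] == "INPUT" and rule["dport"] and kind:
            first.setdefault(rule["dport"], {}).setdefault(kind, index)
    verdicts = {}
    for port, seen in first.items():
        if "limit" not in seen:
            verdicts[port] = "no per-source limit"
        elif seen.get("accept", len(lines)) < seen["limit"]:
            verdicts[port] = "limit shadowed by earlier ACCEPT"
        else:
            verdicts[port] = "limit effective"
    return verdicts
```

Calling audit(POSTED) reports the limit as effective on both ports; audit(REORDERED) flags port 80 as shadowed and port 443 as unlimited.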


[tor-relays] Atlas

2016-08-29 Thread John Ricketts
Hello,

Does anyone know how often the Whois database is updated for atlas?  The AS 
number listed for my relay is reporting the incorrect information.

John


Re: [tor-relays] Closing a relay, to move/upgrade, identity question ?

2016-08-29 Thread Toralf Förster

On 08/29/2016 01:48 PM, Petrusko wrote:
> If I'm paranoiac, and if this current relay has been corrupted, I think
> it's better to start a clean identity without the old keys ?
That was the reason for me to start with new keys (and an encrypted FS) when I 
changed the hardware.


-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


[tor-relays] Closing a relay, to move/upgrade, identity question ?

2016-08-29 Thread Petrusko
Hey,

Planning to close, then re-build a relay. (1st time I'm testing it on
the whole system!)
Some useful information about it here:
https://www.torproject.org/docs/faq.html.en#UpgradeOrMove
I think it's useful to stay on the same "identity"...
But if the new torrc will use other TCP ports, will it be a mess?

No problem for me if this (new) relay will not have the same identity
as before. But it will be nice to restore Atlas old graphs ;)

If I'm paranoiac, and if this current relay has been corrupted, I think
it's better to start a clean identity without the old keys?

Thx for your lights ;)

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5



