Re: [tor-relays] Got my first abuse

2020-04-15 Thread Kolja Sagorski
I had a police house search for my exit...
I hate the stupid German police.

> On 15.04.2020 at 22:53, "li...@for-privacy.net" wrote:
> 
> Hi,
> 
> my Family¹ has had an exit for 2 weeks and today the first abuse mail has 
> arrived.
> 
> First of all, thanks for the templates:
> 
> https://www.torservers.net/wiki/abuse/templates
> 
> https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
> 
> 
> I linked these two from the Tor-project:
> 
> - Common Boilerplate (Tor Intro)
> 
> - SSH Bruteforce Attempts
> 
> and wrote the following myself:
> --
> Another good option that we use ourselves is: fail2ban
> And report to blacklists, which can then be loaded into the router firewalls:
> https://www.abuseipdb.com/user/33280
> 
> Hope this helps!
> --
> 
> I actually wanted to add that the SSH login attempts can be limited. (3-6)
> Because the logs from the abuse mail showed 100 attempts per IP. ;-)
> 
> _Are such notes useful or do such instructions cause even more problems?_
> 
> 
> 
> ¹https://metrics.torproject.org/rs.html#search/TorOrDie4privacyNET
> 
> -- 
> ╰_╯ Ciao Marco!
> 
> Debian GNU/Linux
> 
> It's free software and it gives you freedom!
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


[tor-relays] Got my first abuse

2020-04-15 Thread lists

Hi,

my Family¹ has had an exit for 2 weeks and today the first abuse mail 
has arrived.


First of all, thanks for the templates:

https://www.torservers.net/wiki/abuse/templates

https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates


I linked these two from the Tor-project:

- Common Boilerplate (Tor Intro)

- SSH Bruteforce Attempts

and wrote the following myself:
--
Another good option that we use ourselves is: fail2ban
And report to blacklists, which can then be loaded into the router 
firewalls:

https://www.abuseipdb.com/user/33280

Hope this helps!
--

I actually wanted to add that the SSH login attempts can be limited. 
(3-6)

Because the logs from the abuse mail showed 100 attempts per IP. ;-)

_Are such notes useful or do such instructions cause even more 
problems?_




¹https://metrics.torproject.org/rs.html#search/TorOrDie4privacyNET

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


Re: [tor-relays] Multiple obfs4 Bridge Relays on macOS

2020-04-15 Thread teor
Hi,

> On 15 Apr 2020, at 01:45, Wilton Gorske  wrote:
> 
> Secondly, and mainly, I am working on setting up ten obfs4 bridge relays
> on macOS and keep running into port issues, so I'm hoping to get some
> general advice and guidance about how to set this up in the absence of
> updated macOS tutorials online.

Thanks for running Tor bridges!

> These bridge relays are going to run on one macOS server. Knowing that
> they can each have their own dedicated IP address, could someone advise
> how to best set up these multiple obfs4 bridge instances so each can be
> run (tor -f /usr/local/etc/tor/torrc.1, torrc.2, torrc.3, etc...) under
> one non-root user

It's slightly safer to run each instance under its own user.

Then the keys for each instance aren't available to the other instances.

You might find Debian's tor-instance-create script useful:
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor-instance-create

In particular, you can have a defaults torrc for each instance, and then
just change the addresses and ports in each instance's torrc.

> with only two public ports open on the data center
> network (80 and 443)? I'm getting stuck at the port reachability phase,
> and even more so when trying to run multiple instances with
> forwarding/binding warnings.
> 
> The Application Level Firewall allows certain granted programs
> (tor/tor-gencert/tor-print-ed-signing-cert/tor-resolve/torify/obfs4proxy)
> the ability to open or accept a network socket. By editing the macOS
> network system settings to route port 80 to 9005, and noting ORPort 80
> NoListen ORPort 0.0.0.0:9005 NoAdvertise in the torrc, that works
> correctly (including routing 443 for obfs4proxy). Running a second
> instance is where it seems to break down. Is there a way to have
> multiple tor instances sharing a port?

No, tor doesn't support port multiplexing across multiple tor
processes.

Instead, tor automatically multiplexes multiple clients over the same
port, without any special configuration on the server.

> My guess is the main issue is that at the system routing level, I need a
> way to note each IP and port so it goes to the right tor instance.
> Currently, the forwarding is set up like:
> rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port
> 9005
> I'm guessing I need some way to designate IP XX.XXX.XX.120 -> port 9005
> (torrc.1), XX.XXX.XX.121 -> port 9006 (torrc.2), XX.XXX.XX.122 -> port
> 9007 (torrc.3), etc. Is that correct?

Yes, that sounds sensible.

> A copy of my notes and configurations so far can be found here:
> http://5jp7xtmox6jyoqd5.onion/p/ISjeXEW-vt8H1s89bwSW
> 
> Please feel free to make suggestions or edits directly in that etherpad.
> I'm sure there are multiple ways to do this, but I definitely want to
> make sure I am using the most secure method as opposed to the easiest or
> quickest... Thanks for any help in advance.

T
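
The per-IP forwarding agreed on above, written out as an added example (not part of the thread and not the Tor Project's own tooling): a script that generates one pf `rdr` rule and one minimal torrc per instance, covering the ORPort side only. The first three octets of the addresses (documentation range), the DataDirectory path and the loopback-only listener are assumptions; the ports 9005-9007 and the last octets follow the message quoted above.

```shell
#!/bin/sh
# Added example: one pf redirect rule and one torrc per bridge instance.
# Values below are constructed placeholders, not taken from a real host.
IFACE="en1"       # external interface, as in the rdr rule quoted in the thread
BASE_PORT=9005    # instance n listens locally on BASE_PORT + n - 1
IPS="203.0.113.120 203.0.113.121 203.0.113.122"   # documentation-range IPs

# local_port N: local ORPort listener for instance N (1-based)
local_port() { echo $((BASE_PORT + $1 - 1)); }

# pf_rule N IP: redirect that matches only this instance's public IP,
# instead of "to any", so each address reaches exactly one tor process
pf_rule() {
    printf 'rdr pass on %s inet proto tcp from any to %s port 80 -> 127.0.0.1 port %s\n' \
        "$IFACE" "$2" "$(local_port "$1")"
}

# torrc_for N IP: minimal per-instance torrc. Each instance gets its own
# DataDirectory (hypothetical path) so keys are not shared; start each
# instance under its own account, as suggested in the reply above.
torrc_for() {
    cat <<EOF
BridgeRelay 1
Address $2
OutboundBindAddress $2
DataDirectory /usr/local/var/lib/tor-$1
ORPort 80 NoListen
ORPort 127.0.0.1:$(local_port "$1") NoAdvertise
EOF
}

# all_pf_rules: the complete rdr block for every configured IP
all_pf_rules() {
    n=1
    for ip in $IPS; do
        pf_rule "$n" "$ip"
        n=$((n + 1))
    done
}

all_pf_rules
```

Binding the local ORPort to 127.0.0.1 instead of 0.0.0.0 keeps the high-numbered ports from being reachable directly, so the only path in is through the redirect on port 80.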
