Re: [tor-relays] Unbelieveable
> > Check your firewall, and gateway port forwards if the server is
> > behind a NAT. If you're not sure where to start, post the output of
> > "sudo iptables -L"
> >
> > --Sean
>
> I've made several iptables and saved them, I thought, however every
> time I reboot the VPS all my rules are gone.
>
> ~$ sudo iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
>
> but:
> cat /etc/iptables.rules
> # Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
> *raw
> :PREROUTING ACCEPT [2424:210831]
> :OUTPUT ACCEPT [1856:540218]
> COMMIT
> # Completed on Fri Dec 4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
> *nat
> :PREROUTING ACCEPT [229:8057]
> :POSTROUTING ACCEPT [86:5885]
> :OUTPUT ACCEPT [86:5885]
> COMMIT
> # Completed on Fri Dec 4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
> *mangle
> :PREROUTING ACCEPT [2424:210831]
> :INPUT ACCEPT [2424:210831]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1856:540218]
> :POSTROUTING ACCEPT [1856:540218]
> COMMIT
> # Completed on Fri Dec 4 04:30:56 2015
> # Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [581:184073]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9052 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -j DROP
> COMMIT
> # Completed on Fri Dec 4 04:30:56 2015
>
> > 3:/etc/network$ cat interfaces
> > # This configuration file is auto-generated.
> > #
> > # WARNING: Do not edit this file, your changes will be lost.
> > # Please create/edit /etc/network/interfaces.head and
> > # /etc/network/interfaces.tail instead, their contents will be
> > # inserted at the beginning and at the end of this file, respectively.
> > #
> > # NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
> > # will be at the very end of this file.
> > #
> >
> > # Auto generated lo interface
> > auto lo
> > iface lo inet loopback
> >
> > # Auto generated venet0 interface
> > auto venet0
> > iface venet0 inet manual
> > up ifconfig venet0 up
> > up ifconfig venet0 127.0.0.2
> > up route add default dev venet0
> > down route del default dev venet0
> > down ifconfig venet0 down
> >
> > iface venet0 inet6 manual
> > up route -A inet6 add default dev venet0
> > down route -A inet6 del default dev venet0
> >
> > auto venet0:0
> > iface venet0:0 inet static
> > address 167.114.35.28
> > netmask 255.255.255.255
> >
> > cat sysctl.conf
> >
> > # Uncomment the next line to enable packet forwarding for IPv4
> > net.ipv4.ip_forward=1
> >
> > # Uncomment the next line to enable packet forwarding for IPv6
> > # Enabling this option disables Stateless Address Autoconfiguration
> > # based on Router Advertisements for this host
> > net.ipv6.conf.all.forwarding=1

iptables doesn't automatically load anything on boot; it starts with a clean slate. Most distros have a preferred way of loading that save file on boot, typically a service of some sort. Check your distro's docs for the specifics.

But before you go enabling the firewall, verify that the tor process is binding to the ports correctly. Restart the VPS, make sure tor is running, then run the following:

"sudo lsof | grep LISTEN"

It should output something like this:

> sshd 398 root 3u IPv4 104876616 0t0 TCP *:ssh (LISTEN)
> sshd 398 root 4u IPv6 104876623 0t0 TCP *:ssh (LISTEN)
> tor 1129 _tor 6u IPv4 105943714 0t0 TCP *:https (LISTEN)
> tor 1129 _tor 7u IPv4 105943715 0t0 TCP *:http (LISTEN)
> tor 1129 1130 _tor 6u IPv4 105943714 0t0 TCP *:https (LISTEN)
> tor 1129 1130 _tor 7u IPv4 105943715 0t0 TCP *:http (LISTEN)

Note that I'm using the HTTP(S) ports for my relay, you should see the ports you have selected for ORPort and DIRPort. Also note the asterisk indicating that it is listening on all network interfaces. If it only lists one specific interface, ensure that it is the correct (internet-facing) interface.

--Sean
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
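A companion check for the saved rules discussed in the message above, as an added example that is not part of the original thread: it reads an iptables-save dump and reports which TCP ports the filter table's INPUT chain accepts before its catch-all DROP, so the relay's ports can be compared against the file before it is loaded at boot. The function names are hypothetical, the sample rules are constructed from the ports posted in the thread, and 9001 as the ORPort is an assumption (the log only names 9030 as the DirPort).

```shell
#!/bin/sh
# Added example, not from the thread. List the TCP ports that the
# filter/INPUT chain of an iptables-save dump accepts before its first
# catch-all DROP/REJECT. Prints "any" if the chain never closes and the
# policy is ACCEPT (the empty post-reboot state shown by "iptables -L").
accepted_ports() {  # usage: accepted_ports FILE
    awk '
        /^\*/          { in_filter = ($0 == "*filter"); next }
        !in_filter     { next }
        $1 == ":INPUT" { policy = $2; next }
        $1 != "-A" || $2 != "INPUT" { next }
        NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            closed = 1; exit
        }
        {
            port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (port != "" && target == "ACCEPT") print port
        }
        END { if (!closed && policy == "ACCEPT") print "any" }
    ' "$1"
}
port_allowed() {  # usage: port_allowed FILE PORT
    accepted_ports "$1" | grep -qxE "any|$2"
}

# Constructed sample, shortened from the rules posted in the thread.
sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    echo "$f"
}

rules=$(sample_rules)
for p in 9001 9030 9051; do
    if port_allowed "$rules" "$p"; then echo "$p accepted"; else echo "$p dropped"; fi
done
rm -f "$rules"
```

The script only reads the saved file; it does not show whether those rules are actually loaded, which still needs the live "iptables -L" output.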
Re: [tor-relays] Unbelieveable
On 12/04/15 00:07, I wrote:
> I thought I was joining a loose but passionate, clever and idealistic
> community.
> I thought I would learn just being a listener and building my knowledge of
> security and servers.

disappointments result from expectations.

i have learned some things by reading this list.
i have learned other things as well.

--
\js: !
Re: [tor-relays] Unbelieveable
On 12/03/2015 10:09 PM, Michael McConville wrote:
> Kurt Besig wrote:
>> Well. even a doctor would make a few suggestions based on some sort of
>> experience based reasoning. Perhaps some connection problems
>> associated with running tor-arm on a VPS vs. a home server...things of
>> that nature. Also I was just wondering as I don't see many of the
>> relay operators that used to post to this list around anymore, has
>> something changed to make them move on??
>> Lots of people whining about their consensus weight numbers, but
>> little of substance being posted.
>
> The people who know what they're doing can quickly, reliably
> set-and-forget relays. That's the ideal scenario - tweaking knobs is
> mostly a liability and performance issues are a development concern.

This is very much the case.
Re: [tor-relays] Unbelieveable
On 12/4/2015 8:25 PM, Damian Johnson wrote:
> For what it's worth process permissions aren't at play here. Arm
> is failing to talk with the control port - permissions could cause
> us to be unable to read the authentication cookie, but that would
> be a different message.
>
> Cheers! -Damian
>
>
> On Fri, Dec 4, 2015 at 5:36 PM, Manager Bahia del Sol LLC wrote:
>>
>> No worries,
>>
>> Are you sure the user or group is debian_tor? The default is
>> debian-tor in Ubuntu.
>>
>> If that isn't the problem,
>>
>> First I would be sure tor is actually running. top or top -u
>> debian-tor The second will show if tor is actually running as the
>> user you think it is.
>>
>> If it is, then see if it is listening on the control port sudo
>> netstat -ntlp | grep LISTEN
>>
>> If it is I would suspect that either a firewall is blocking that
>> port. If you have one running try shutting it down for a few
>> minutes while you try to start arm.
>>
>> Or maybe it is a permissions issue where arm is not running as
>> the same user as tor. You could try starting arm as root to see
>> if it would start. But, do not run arm as root full time. Only
>> try to start it as a test.
>>
>>
>>
>> -- Manager of Bahia del Sol LLC
>>
>
> Dec 05 21:17:46.000 [notice] Your IP address seems to have changed to 167.114.35.28 (METHOD=INTERFACE). Updating.
> Dec 05 21:17:46.000 [notice] Our IP Address has changed from 142.4.217.95 to 167.114.35.28; rebuilding descriptor (source: METHOD=INTERFACE).
> Dec 05 21:18:42.000 [notice] Your IP address seems to have changed to 142.4.217.95 (METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com). Updating.
> Dec 05 21:18:42.000 [notice] Our IP Address has changed from 167.114.35.28 to 142.4.217.95; rebuilding descriptor (source: METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com).
> Dec 05 21:18:43.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
> Dec 05 21:38:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
> Dec 05 21:58:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

I've gotten this far, not being much good at networking I can't tell where the problem lies.. do I need to forward something?
Re: [tor-relays] Unbelieveable
On 12/5/2015 3:20 PM, Sean Greenslade wrote:
>>> Dec 05 21:17:46.000 [notice] Your IP address seems to have changed to 167.114.35.28 (METHOD=INTERFACE). Updating.
>>> Dec 05 21:17:46.000 [notice] Our IP Address has changed from 142.4.217.95 to 167.114.35.28; rebuilding descriptor (source: METHOD=INTERFACE).
>>> Dec 05 21:18:42.000 [notice] Your IP address seems to have changed to 142.4.217.95 (METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com). Updating.
>>> Dec 05 21:18:42.000 [notice] Our IP Address has changed from 167.114.35.28 to 142.4.217.95; rebuilding descriptor (source: METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com).
>>> Dec 05 21:18:43.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
>>> Dec 05 21:38:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
>>> Dec 05 21:58:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
>> I've gotten this far, not being much good at networking I can't
>> tell where the problem lies.. do I need to forward something?
> Check your firewall, and gateway port forwards if the server is
> behind a NAT. If you're not sure where to start, post the output of
> "sudo iptables -L"
>
> --Sean

I've made several iptables and saved them, I thought, however every time I reboot the VPS all my rules are gone.

~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

but:
cat /etc/iptables.rules
# Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
*raw
:PREROUTING ACCEPT [2424:210831]
:OUTPUT ACCEPT [1856:540218]
COMMIT
# Completed on Fri Dec 4 04:30:56 2015
# Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
*nat
:PREROUTING ACCEPT [229:8057]
:POSTROUTING ACCEPT [86:5885]
:OUTPUT ACCEPT [86:5885]
COMMIT
# Completed on Fri Dec 4 04:30:56 2015
# Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
*mangle
:PREROUTING ACCEPT [2424:210831]
:INPUT ACCEPT [2424:210831]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1856:540218]
:POSTROUTING ACCEPT [1856:540218]
COMMIT
# Completed on Fri Dec 4 04:30:56 2015
# Generated by iptables-save v1.4.21 on Fri Dec 4 04:30:56 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [581:184073]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Fri Dec 4 04:30:56 2015

> 3:/etc/network$ cat interfaces
> # This configuration file is auto-generated.
> #
> # WARNING: Do not edit this file, your changes will be lost.
> # Please create/edit /etc/network/interfaces.head and
> # /etc/network/interfaces.tail instead, their contents will be
> # inserted at the beginning and at the end of this file, respectively.
> #
> # NOTE: it is NOT guaranteed that the contents of /etc/network/interfaces.tail
> # will be at the very end of this file.
> #
>
> # Auto generated lo interface
> auto lo
> iface lo inet loopback
>
> # Auto generated venet0 interface
> auto venet0
> iface venet0 inet manual
> up ifconfig venet0 up
> up ifconfig venet0 127.0.0.2
> up route add default dev venet0
> down route del default dev venet0
> down ifconfig venet0 down
>
> iface venet0 inet6 manual
> up route -A inet6 add default dev venet0
> down route -A inet6 del default dev venet0
>
> auto venet0:0
> iface venet0:0 inet static
> address 167.114.35.28
> netmask 255.255.255.255
>
> cat sysctl.conf
>
> # Uncomment the next line to enable packet forwarding for IPv4
> net.ipv4.ip_forward=1
>
> # Uncomment the next line to enable packet forwarding for IPv6
> # Enabling this option disables Stateless Address Autoconfiguration
> # based on Router Advertisements for this host
> net.ipv6.conf.all.forwarding=1
Re: [tor-relays] Unbelieveable
Just build new torrc, that fixed my issue.

cd /etc/tor/
cp torrc torrc.bak
touch torrc

Use this for torrc (nano torrc), replace some info to match your relay
http://0bin.net/paste/tdUuzTHwZI-BRWQy#JPmufzd+g0W0cx0WyB4g0iU12jU0WFpZRWtKVg6iDbS

When you are done:
service tor restart

Then,
sudo -u debian-tor arm

I use screen session for this.

On 5 December 2015 at 20:18, Kurt Besig wrote:
> On 12/4/2015 8:25 PM, Damian Johnson wrote:
> > For what it's worth process permissions aren't at play here. Arm
> > is failing to talk with the control port - permissions could cause
> > us to be unable to read the authentication cookie, but that would
> > be a different message.
> >
> > Cheers! -Damian
> >
> >
> > On Fri, Dec 4, 2015 at 5:36 PM, Manager Bahia del Sol LLC
> > wrote:
> >>
> >> No worries,
> >>
> >> Are you sure the user or group is debian_tor? The default is
> >> debian-tor in Ubuntu.
> >>
> >> If that isn't the problem,
> >>
> >> First I would be sure tor is actually running. top or top -u
> >> debian-tor The second will show if tor is actually running as the
> >> user you think it is.
> >>
> >> If it is, then see if it is listening on the control port sudo
> >> netstat -ntlp | grep LISTEN
> >>
> >> If it is I would suspect that either a firewall is blocking that
> >> port. If you have one running try shutting it down for a few
> >> minutes while you try to start arm.
> >>
> >> Or maybe it is a permissions issue where arm is not running as
> >> the same user as tor. You could try starting arm as root to see
> >> if it would start. But, do not run arm as root full time. Only
> >> try to start it as a test.
> >>
> >>
> >>
> >> -- Manager of Bahia del Sol LLC
> >>
> >
> > Dec 05 21:17:46.000 [notice] Your IP address seems to have changed to 167.114.35.28 (METHOD=INTERFACE). Updating.
> > Dec 05 21:17:46.000 [notice] Our IP Address has changed from 142.4.217.95 to 167.114.35.28; rebuilding descriptor (source: METHOD=INTERFACE).
> > Dec 05 21:18:42.000 [notice] Your IP address seems to have changed to 142.4.217.95 (METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com). Updating.
> > Dec 05 21:18:42.000 [notice] Our IP Address has changed from 167.114.35.28 to 142.4.217.95; rebuilding descriptor (source: METHOD=GETHOSTNAME HOSTNAME=ca3.pulseservers.com).
> > Dec 05 21:18:43.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
> > Dec 05 21:38:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
> > Dec 05 21:58:37.000 [warn] Your server (142.4.217.95:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
> I've gotten this far, not being much good at networking I can't tell
> where the problem lies.. do I need to forward something?

--
http://www.backbox.org
http://www.pentester.iz.rs