Re: [tor-relays] Request for Feedback on Relay Node Update Management

On 3/26/24 09:54, Alessandro Greco via tor-relays wrote: Recently, I've noticed an interesting pattern with my relay node (ID: 47B72187844C00AA5D524415E52E3BE81E63056B [1]). I've followed TorProject's recommendations [2] and configured automatic updates, which has led to frequent restarts of

Re: [tor-relays] Tor is not upgrading via apt from deb.torproject.org

On 2/15/24 17:16, li...@for-privacy.net wrote: I let nightly's upgrade automatically, but not stable. Therefore I have the following config in /etc/apt/50unattended-upgrades Unattended-Upgrade::Origins-Pattern { ... // Update TorProject's nightly dev packages: (Suite & Codename:

Re: [tor-relays] bridges for Lox

On 2/27/24 21:14, boldsuck wrote: Gentoo & FreeBSD-Port Dev's and users are years ahead ;-) Whilst I'd agree on that my Tor bridges and Snowflakes do run under a recent Debian. However Tor et al are compiled from sources. [1] [2] [1]

Re: [tor-relays] bridges for Lox

On 2/27/24 16:38, boldsuck wrote: ORPort 127.0.0.1:14255 ORPort [::1]:14255 I do not specified the ipv6 port explicietly: SandBox 0 ORPort 127.0.0.1:auto AssumeReachable 1 ExtORPort auto ServerTransportPlugin obfs4 exec /usr/bin/lyrebird Would it be needed? -- Toralf

Re: [tor-relays] bridges for Lox

On 2/26/24 20:07, meskio wrote: Rdsys, the new bridgeDB, will not automatically assign bridges to Lox for now, but will instead accept bridges with the 'BridgeDistribution lox' configured in torrc. BTW by accident I configured "any" but restarted tor with "lox" 2 minutes later. Does that work?

Re: [tor-relays] bridges for Lox

On 2/26/24 20:07, meskio wrote: At the moment we're looking for 10 new bridges for Lox. 9 left -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Recent Tor versions not reloading config on / ignoring HUP kill signal.

On 1/13/24 18:29, George Hartley via tor-relays wrote: Is anyone else experiencing this? Yes, https://gitlab.torproject.org/tpo/core/tor/-/issues/40749 -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] Relay question

On 12/8/23 04:19, Mulloch94 via tor-relays wrote: -A INPUT -j DROP HHm, what's about local traffic, e.g.: -A INPUT --in-interface lo -j ACCEPT or ICMP, e.g.: -A INPUT -p icmp -j ACCEPT To persist your firewall rules take a look at this doc [1] [1]

Re: [tor-relays] snowflake prometheus metrics listen address

On 10/3/23 10:24, Fran via tor-relays wrote: Any ideas? yes - DNAT the remote prometheus ip to the local address [1] [1] https://github.com/toralf/tor-relays/blob/main/playbooks/roles/setup-snowflake/tasks/firewall.yaml#L10 -- Toralf ___

[tor-relays] Grafana dashboards

Yesterday I stumbled together 2-3 dashboards [1] for Tor relay(s), Tor Snowflake(s) and the DDoS solution [2]. Feedback is welcome. [1] https://github.com/toralf/torutils/tree/main/dashboards [2] https://github.com/toralf/torutils/tree/main -- Toralf

Re: [tor-relays] Quick bugfix sharing regarding obfs4 malfunctioning

On 9/7/23 14:12, telekobold wrote: A bit research reveled that apparently, an automatic update set the systemd setting "NoNewPrivileges=no" in /lib/systemd/system/tor@default.service and tor@.service [1] back to yes, You probably need another entry too (grabed from [1]): [Service]

[tor-relays] short conntrack DDoS attack

Few days ago the throughput of my Tor relay went down to nearly zero for about 3 minutes. It turned out that the reason (maybe) was a change here in my iptables rules. Especially I switched these 2 lines: iptables -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -A INPUT -m conntrack

Re: [tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!

On 8/1/23 19:38, li...@for-privacy.net wrote: Yes ;-) cool - this simplifies my Ansible role (I randomly choosed an ORPort between 30K and 62K) Unfortunately, they come every 1-2 hours np - I'll ignore that Thx ! -- Toralf ___ tor-relays mailing

Re: [tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!

On 8/1/23 18:54, li...@for-privacy.net wrote: == Announcements == rdsys is ignoring the running flag now :) * To hide your bridge's ORPort: ORPort 127.0.0.1:auto AssumeReachable 1 I do assume I can ignore this log message ? : "Aug 01 17:18:19.000 [warn] The IPv4 ORPort address 127.0.0.1 does

Re: [tor-relays] (EVENT) Tor Relay Operator Meetup - June 24, 2023 @ 18.00 UTC

On 6/26/23 23:44, gus wrote: - Recommendation: Do not run snowflake proxy on the same IP as a relay/bridge. It's a good call to run it on a machine with public dynamic IP address. I setup 6 snowflakes as VPS with a fixed IP. After which time those IPs should be changed ? -- Toralf

[tor-relays] mulitply ipv6 bridge lines for a single bridge

Given that hosters of a VPS often gives a big /48, /56 or /64 ipv6 subnet to a VPS I do wonder if the BridgeLine for ipv6 could benefit from that? With ip6tables -t nat -I PREROUTING -p tcp -j DNAT --to-destination [obfs4 address] /usr/sbin/ip6tables-save > /etc/iptables/rules.v6 all

Re: [tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!

On 3/22/23 20:25, gus wrote: But here's the trick: you need to run it on a residential connection -- you won't need a static IPv4 --, So the local bridge reports its (eg at 4 o'clock in the morning changed) ip to the bridge db asap? And then ? -- Toralf

[tor-relays] export iptables metrics

I found the time and wrote a Bash script [1] to export iptables and ipset metrics to Prometheus/Grafana. It works at least with [2]. [1] https://github.com/toralf/torutils/blob/main/metrics.sh [2] https://github.com/toralf/torutils#readme -- Toralf

Re: [tor-relays] Too Many Connections

On 3/15/23 03:19, Jeff Teitel wrote: Conntrack.sh shows count: 65535. You can increase that size, look at [1] for an example. [1] https://github.com/toralf/torutils/blob/main/ipv4-rules.sh#L157 -- Toralf ___ tor-relays mailing list

Re: [tor-relays] RFC: does a private exit would work?

On 3/4/23 17:29, gus wrote: What's the goal? To have a private exit that only you can use? Indeed, similar goal as for private bridges. There is this very interesting paper and project called HebTor: https://dl.acm.org/doi/10.1145/3372297.3417245 Thx, so I have sth to read. -- Toralf

[tor-relays] RFC: does a private exit would work?

tl;dr; restricted access + usage of an exit longer: An exit is sooner or later abused. A reduced exit policy does not prevent that. What about setup a tor exit relay with 'PublishServerDescriptor = 0' ? Having an access line like for bridges would restrict the access. An alternative could

Re: [tor-relays] cannot keep my bridge up

On 12/20/22 15:27, Anonforpeace via tor-relays wrote: Dec 20 08:55:16 mxh-HP-Compaq-Pro-6300-SFF kernel: [137278.310446] audit: type=1400 audit(1671544516.974:36): apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=17728

Re: [tor-relays] How to reduce tor CPU load on a single bridge?

On 12/9/22 07:02, David Fifield wrote: But now there is rdsys and bridgestrap, which may have the ability to test the obfs4 port rather than the ORPort. I cannot say whether that removes the requirement to expose the ORPort. Would be a step toward to make scanning for bridges harder IMO, if

Re: [tor-relays] upcoming directory authority changes

On 12/6/22 19:44, Roger Dingledine wrote: But it seems like this role separation never quite matches up well to the security issues that arise in practice, whereas it definitely adds complexity both to the design and to operation. This piece of the design could use some new ideas. So the

Re: [tor-relays] upcoming directory authority changes

On 12/6/22 19:44, Roger Dingledine wrote: We could start by encouraging directory authority operators to participate in the monthly virtual relay operator meetups. I'd appreciate it. -- Toralf OpenPGP_signature Description: OpenPGP digital signature

Re: [tor-relays] preventing DDoS is more than just network filtering

On 11/8/22 10:57, Chris wrote: The main reason is that a simple SYN flood can quickly fill up your conntrack table and then legitimate packets are quietly dropped and you won't see any problems thinking everything is perfect with your server unless you dig into your system logs. Hhm, my system

[tor-relays] preventing DDoS is more than just network filtering

The graphs in [1] and [2] are IMO good examples related to [3]: "... in addition to network filtering, the (currently) sharp input signal ... is transformed into a smeared output response ... This shall make it harder for an attacker to gather infromation using time correlation techniques."

Re: [tor-relays] Performance issues/DoS from outgoing Exit connections

On 10/21/22 22:09, Alexander Dietrich wrote: This is still experimental, so if you decide to give the script a try, please keep an eye on it. IMO a "reload tor" is fully sufficient and should be preferrred over "restart", or ? Years ago I wrote a bash script, which created for an ip to be

Re: [tor-relays] security update for obfs4proxy

On 10/17/22 11:41, meskio wrote: Will be nice to add those fixes to the package. Maybe you can open two issues on the debian bugtracker for them. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021911. -- Toralf ___ tor-relays mailing list

Re: [tor-relays] security update for obfs4proxy

On 10/16/22 09:50, Toralf Förster wrote: After configuring the installation of the unattended_upgrade package to consider all packages [1] the new obfs4proxy was installed - but Tor was not restarted nor obfs4proxy reloaded. Isn't this a task for the software package ? And IMO the Debian

Re: [tor-relays] security update for obfs4proxy

On 10/14/22 11:28, meskio wrote: If you use debian you can find the Debian package in stable-backports: https://packages.debian.org/stable-backports/obfs4proxy After configuring the installation of the unattended_upgrade package to consider all packages [1] the new obfs4proxy was installed

Re: [tor-relays] security update for obfs4proxy

On 10/14/22 19:09, meskio wrote: The upstream changelog is here: https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog But I understand is not easy to understand what the problem is from that changelog. Indeed. BTW the fix was made 5 weeks ago, so I do assume, the (eg. Debian) package

Re: [tor-relays] security update for obfs4proxy

On 10/14/22 11:28, meskio wrote: The latest version of obfs4proxy (0.0.14) comes with an important security fix. Is there a Changelog available ? -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] Moving middle relays to bridges?

On 10/4/22 18:15, Isaac Grover, Aileron I.T. wrote: According to tor metrics, there have been nearly three times the number of relays as bridges over the last three months so I would like to move my handful of middle relays to bridges.  They will keep their same IP address.  Is there a best

Re: [tor-relays] many connections

On 10/3/22 12:26, Richie wrote: My apologies if its not the right place to ask. greetz Korrupt Every place is the right place for feedback, thx for yours ! I updated the readme [1] at the experimental branch and will merge it to main soon. Feel free to give additional feedback -and/or- make

Re: [tor-relays] many connections

On 9/30/22 17:57, Sandro Auerbach wrote: 30 minutes later still 22000 connections... Have you observed something similar? I reduced those spikes [1] by using certain iptables rules [2]. [1] https://github.com/toralf/torutils/blob/main/sysstat.svg [2] https://github.com/toralf/torutils --

[tor-relays] missing IPv6 close events

Playing with Python and Stem I wrote a script to monitor the ORStatus.CLOSED event reasons [1]. A helper script [2] gives statistics from those data. From the last 2 days I got: $> orstatus-stats.sh /tmp/orstatus.29051 CONNECTRESET 6197 CONNECTRESET 13214 DONE 18769 IOERROR 58

Re: [tor-relays] Relays spamming my OR port

On 8/18/22 22:10, li...@for-privacy.net wrote: IPv6 connections should better be limited to /48 subnets in the Tor protocol. Or /32 Limiting IPv6 to N connections per /64 will definitely affect relays of https://metrics.torproject.org/rs.html#search/2a0b:f4c2:2 Similar to their /24 IPv4

Re: [tor-relays] Relays spamming my OR port

On 8/18/22 21:31, li...@for-privacy.net wrote: If that's really the case, I can set up the ip|nftables rules much more strictly. Currently I do have it set to "3" [1], before it was 2, which seemed to work too. [1] https://github.com/toralf/torutils/blob/main/ipv4-rules.sh -- Toralf

Re: [tor-relays] Relays spamming my OR port

On 8/18/22 18:19, li...@for-privacy.net wrote: kantorkel's Article10 relays have more than 100 connections per IP to me. Those IPs mostly close with an error: $> grep -h " 185.220.101.*" /tmp/orstatus.*9051 | awk '{ print $1 }' | sort | uniq -c 341 CONNECTRESET 78 DONE 783

Re: [tor-relays] Relays spamming my OR port

On 8/18/22 18:19, li...@for-privacy.net wrote: 10, 20 or more users can have set up the circuits using the same relays. kantorkel's Article10 relays have more than 100 connections per IP to me. IMO there'se no 1:1 relation of circuits to TCP connections, or ? Doesn't 1 TCP connection between 2

Re: [tor-relays] Relays spamming my OR port

On 8/18/22 18:19, li...@for-privacy.net wrote: D767979FE4C99D310A46EC49037E9FE7E3F64E9D is a particularly frequent naughty boy. ;-) It is very, very unlikely that there is a naughty relay in AS680. That relay most likely does DNS-, BW- or network healing test in the Tor network.

Re: [tor-relays] Refuse Guard flag

On 8/2/22 20:58, Eldalië via tor-relays wrote: Recently I noticed that my ISP started to reset my IP a few hours after the node gets the Guard flag, The Guard flag is given after a more or less constant time (or?) - so I'd not see a conincidence here. -- Toralf

[tor-relays] An attempt to block spam ip addresses

Issue 40636 and others deal with DDoS / concurrent connections. Here're few numbers from my attempt [1] of the last days to block such ip addresses. The stats are from 2 relays running at the same ip. Currently there're 700 ip addresses (15 IPv6) caught in the denylist. Those either opened >4

Re: [tor-relays] relay memory leak?

On 7/25/22 19:56, David Goulet wrote: On Linux, we use /proc/meminfo (MemTotal line) and so whatever also max limit the kernel would put for that. Here both Tor relays do use about 4 GB each: $ pgrep tor | xargs -n 1 pmap | grep total total 4211476K total 4226580K whilst

Re: [tor-relays] relay memory leak?

On 7/25/22 14:48, David Goulet wrote: It is usually set around 75% of your total memory Is there's a max limit ? -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Relay Overloaded and Dropping Onionskins

On 7/20/22 23:34, bidulock_ringrose--- via tor-relays wrote: Side note: I am using Toralf's ddos-inbound script, which has not dropped any connections at all for me when using the -b then -s switch. In the mean while I try here for my 2 relays a different approach [1]. In the meanwhile I do

Re: [tor-relays] We're trying out guard-n-primary-guards-to-use=2

On 7/10/22 22:28, Logforme wrote: A week ago I implemented  connection limits per Toralf's post: iptables -A INPUT -p tcp --destination-port  443 -m connlimit --connlimit-mask 32 --connlimit-above 30 -j DROP This reduced the number of connections to about 1. I just now noticed that the 

Re: [tor-relays] Identifying a relay

On 6/15/22 20:17, Eddie wrote: I have been running the relay for almost 5 years without any previous flagging. There are block list providers which have Tor exit relays lists and sells those lists to their customers. Mayve they extend their algorithm to all Tor relays. Anyway, "Do not run a

Re: [tor-relays] Tor 0.4.7.7 Segmentation fault on Ubuntu 22.04 caused by "rseq"

On 5/7/22 05:56, Xiaoqi Chen (Danny) wrote: I temporarily mitigated the issue by turning off sandbox mode (remove "Sandbox 1" in torrc). Does anyone know how to properly resolve the crashing issue? usually by filing a bug here : https://gitlab.torproject.org/tpo/core/tor/-/issues/new ;) --

Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

On 5/3/22 07:31, Keifer Bly wrote: Err:15 https://deb.torproject.org/torproject.org amd64 Release Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 95.216.163.36

[tor-relays] comments, hints and tipps for an ansible role to deploy Tor bridges

I do appreciate those for my attempt here: https://github.com/toralf/tor-relays TIA -- Toralf OpenPGP_signature Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] update obfs4proxy if you run a bridge

On 3/21/22 18:45, meskio wrote: Thank you for running bridges, let me know if you need any help upgrading it. I'm not really familar with Debian and do wonder, what line I have to add to /etc/apt/apt.conf.d/50unattended-upgrades to get that automatically installed ? Maybe I need to add the

Re: [tor-relays] Connection burst

On 3/20/22 17:14, Felix wrote: They were kicked off by the packetfilter IMO it is a bad idea to filter Tor traffic. -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] Tor Relay Operator Meetup (Saturday, March 5th @ 2000 UTC)

On 3/14/22 09:19, Georg Koppen wrote: But, there is a lag between when a new bridge appears and when Russia starts blocking it. That lag is often a week or more these days. So, after a week the affected bridges can be stopped ? -- Toralf OpenPGP_signature Description: OpenPGP digital

Re: [tor-relays] Moving Bridges

On 3/8/22 19:48, Eddie wrote: as I'm certain that there's no way to "move" them to the new location Yes. And that's why I do wonder why you want to "continue" the stats ? -- Toralf OpenPGP_signature Description: OpenPGP digital signature ___

Re: [tor-relays] Ansible role to deploy Bridges

On 3/8/22 18:39, Erasme via tor-relays wrote: Thanks to the community, the Ansible role now supports more operating systems to deploy obfs4 bridges. - Debian 11 If bridges are added to the hosts of the inventory, then existing bridges are restarted at "-t install_all". What is the

Re: [tor-relays] snowflake incoming UDP ports

On 2/19/22 12:48, meskio wrote: If you have restricted NAT I would recommend you to open the UDP port range of 32768-60999. Thx, I opened those UDP ports for incoming UDP traffic. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt OT, but:

[tor-relays] snowflake incoming UDP ports

I do simply run here ~/devel/go/src/snowflake/proxy/proxy &>>/tmp/snowflake-proxy.log & and was wondering if I have to open special UDP inbound ports ? From the stats snowflake iseems to be working: 2022/02/18 19:29:59 In the last 1h0m0s, there are 13 connections. Traffic Relayed ↑ 192 MB, ↓

Re: [tor-relays] [Censorship in Russia] More of my bridges got blocked

On 12/29/21 18:45, Toralf Förster wrote: Said that you should set "PublishServerDescriptor 0" at bridges where you distribute the connection info yourself. Or maybe set it to BridgeDistribution none to have bridge stats at metrics.org. -- Toralf OpenPGP_signature D

Re: [tor-relays] [Censorship in Russia] More of my bridges got blocked

On 12/29/21 15:37, Space Oddity via tor-relays wrote: Also, I can not rule out that some step in my distribution chain was compromised -- I gave out these bridges privately to a few friends. IMO you should not mix private brtdges with those where you delegate the to distribute the connection

Re: [tor-relays] [Looking for feedback] An easier way to declare families

On 12/14/21 17:06, Nick Mathewson wrote: A relay operator has asked me, offline, if it is possible under this proposal for a relay to belong to more than one family.  (For example, if there were two relay operators who each operated some relays on their own, but also operated some relays

Re: [tor-relays] Compression bomb from dizum

On 11/6/21 10:39 PM, Logforme wrote: Got the following in my log today: Nov 06 18:19:01.000 [warn] Possible compression bomb; abandoning stream. Nov 06 18:19:01.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 45.66.33.45:80).

Re: [tor-relays] [Looking for feedback] An easier way to declare families

On 11/6/21 3:36 PM, Nick Mathewson wrote: Option 3 requires regular updates to all the relays in the family, which makes it cumbersome. Except for people who already have offline relay keys. For those it is just 1 additonal file to copy ;) -- Toralf OpenPGP_signature Description: OpenPGP

Re: [tor-relays] Dropped off consensus (0.4.4.5) - reason is Libressl 3.2.1 - 3.4.1 seems ok

On 10/23/21 12:41 AM, Felix wrote: Toralf, it would be super nice if you could check on your end, or somebody else can confirm? Hi, we here in Gentoo decided to stop supporting LibreSSL, so I cannot tell you if it would work here or not. -- Toralf

Re: [tor-relays] Overloaded state indicator on relay-search

On 9/23/21 3:39 PM, Silvia/Hiro wrote: Let us known how you find this new feature. It would be nice if even the search form would have that feature too. Currently here all is green: https://metrics.torproject.org/rs.html#search/zwiebeltoralf wherease the details of each of the 2 relays

Re: [tor-relays] Overloaded state indicator on relay-search

On 9/25/21 4:11 PM, Silvia/Hiro wrote: If it happens again there are two buttons at the end of the page where you can see the latest server and extra-info descriptors. Only, if the DirPort is (still) opened, or ? -- Toralf ___ tor-relays mailing list

Re: [tor-relays] New round of measuring the accuracy of Tor relays' advertised bandwidth

On 9/2/21 9:11 AM, Georg Koppen wrote: No. As far as it matters for the test those two relays are independent relays which each get tested as two random relays would get. Except, that both shares the same network card ... -- Toralf ___ tor-relays

Re: [tor-relays] New round of measuring the accuracy of Tor relays' advertised bandwidth

On 8/25/21 12:02 PM, Georg Koppen wrote: Hello! You might recall we ran two "speed tests" so far for investigating the accuracy of a relay's advertised bandwidth, one in 2021[1] and another one earlier this year[2]. I do run 2 relays at the same ip address. Do the tests consider that ? --

Re: [tor-relays] Move or Recreate

On 8/15/21 6:04 AM, Eddie wrote: I know how to maintain the keys for both relays and bridges for the replacements, but was wondering exactly what does that buy me, as both will now be running at different IPv4/6 addresses. As opposed to just blowing away the current ones and starting fresh 

Re: [tor-relays] Verify my Relay

On 6/24/21 1:59 AM, S1l3nt Hash wrote: Address xxx.xxx.xxx.xxx (static public ip) DirPort 9030 NoAdvertise DirPort xxx.xxx.xxx.xxx:9030 NoListen (static public ip) ORPort 9001 NoAdvertise ORPort xxx.xxx.xxx.xxx:9001 NoListen (static public ip) Hiding those IP addresses (and other *sensitive*)

Re: [tor-relays] Problem moving my Tor Bridge Relay

On 6/12/21 5:42 PM, Cor.ling wrote: Jun 12 15:13:59 PC tor[38309]: Jun 12 15:13:59.476 [warn] /var/lib/tor/keys is not owned by this user (debian-tor, 124) but by root (0). Perhaps you are running Tor as the wrong user? Jun 12 15:13:59 PC tor[38309]: Jun 12 15:13:59.476 [warn] Failed to

Re: [tor-relays] let's make ContactInfo mandatory for exits (and warn others)

On 4/24/21 9:21 PM, nusenu wrote: Hi Toralf, Toralf Förster: On 4/24/21 12:11 PM, nusenu wrote: * tor 0.4.7: no longer assign the exit flag to relays not having a ContactInfo (< 5 chars) in their descriptor. Log a warning for relay operators, I've opened 1-2 dozen ports - exc

Re: [tor-relays] let's make ContactInfo mandatory for exits (and warn others)

On 4/24/21 12:11 PM, nusenu wrote: * tor 0.4.7: no longer assign the exit flag to relays not having a ContactInfo (< 5 chars) in their descriptor. Log a warning for relay operators, I've opened 1-2 dozen ports - except 80 sand 443 at 2 relays. So I do not have the Exit flag.

Re: [tor-relays] how does one file a problem report?

On 4/24/21 7:18 AM, Scott Bennett wrote: I went through the process to get an account at gitlab.torproject.org in order to file a problem report for a very irksome and tiresome daily abort in tor 0.4.5.7 and 0.4.6.1-alpha under FreeBSD 11.4. However, I do not find anywhere on that web

Re: [tor-relays] OS Upgrade

On 4/23/21 2:03 PM, Matt Traudt wrote: Keeping tor up to date, and the OS and all the other things installed on it up to date, is much more important than maintaining your flags. You'll get them back. IMO relays with a way too long uptime should get a penalty. -- Toralf

Re: [tor-relays] Questions about consensus votes

On 4/21/21 12:15 PM, Sebastian Hahn wrote: Moria applies its own criteria which differ from dir-spec. Its operator is testing future improvements to the Tor network and therefore frequently doesn't follow all the specs. bastet too, or ? -- Toralf

Re: [tor-relays] Fallback Directories - Upcoming Change

On 4/7/21 9:04 PM, David Goulet wrote: Over time, we will remove or add more relays at each minor release if the set of fallback directories not working reaches a 25% threshold or more. In the past a fallback dir volunteer committed himself to have address and port stable for 2 years. If a

Re: [tor-relays] syn flood iptables rule

On 2/22/21 3:27 PM, Toralf Förster wrote:  # DDoS  $IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --set  $IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --update --seconds 60 --hitcount 10 -j DROP just for the record: In the emanwhile I do think

Re: [tor-relays] ipv6 ORPort + DIRPort too ?

On 3/27/21 11:05 AM, Petrusko wrote: And I'm not sure if I can serve DIRPort on the ipv6 too ? If I understood it correctly a DirPort are no longer needed for latest Tor software version. So you should be fine with opened IPv4|6 ORports only. -- Toralf

Re: [tor-relays] is this valid bridge config

On 3/23/21 4:13 PM, gi vian wrote: ExitPolicy reject *:* IMO this is not needed -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] ECONNREFUSED

On 3/16/21 2:44 PM, tor wrote: However, the status page keeps saying I'm dysfunctional with a ECONNREFUSED: https://bridges.torproject.org/status?id=E120A0492F789F5367EAD84C64F92EE279018F98 Wasn't aware of

Re: [tor-relays] Bridge operator iat_mode setting

On 2/25/21 6:32 PM, niftybunny wrote: And why did I read about this the first time in a mailing list? +1 -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Bridge operator iat_mode setting

On 2/24/21 9:34 PM, William Kane wrote: Thank you for running obfs4 bridges with iat_mode != 0, only very few obfs4 bridges support the additional traffic obfuscation in both directions. SO why is this not the default? -- Toralf ___ tor-relays

Re: [tor-relays] Bridge operator iat_mode setting

On 2/24/21 9:34 PM, William Kane wrote: Thank you for running obfs4 bridges with iat_mode != 0, only very few obfs4 bridges support the additional traffic obfuscation in both directions. At my client I have iat_mode=2 set but I do wonder how to set that as default at a bridge? -- Toralf

Re: [tor-relays] syn flood iptables rule

On 2/22/21 7:29 PM, William Kane wrote: A hard limit of 9 might be a little too low - then again, a legit, unmodified tor binary would hold it's TCP connection established for as long as needed - Hhm, I'm really under the impression that even 5 or 4 should be enough. If a client connects more

Re: [tor-relays] syn flood iptables rule

On 2/22/21 7:44 PM, Stephen Mollett wrote: Have you tried adding "xt_recent.ip_list_tot=" to your kernel command line? That formula works for most module parameters when their module is built-in, I think. Stephen Yep, that works. Thx. -- Toralf

[tor-relays] syn flood iptables rule

The following 3 statements # Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them. $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # DDoS $IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --set $IPT -A INPUT -p tcp -m state

Re: [tor-relays] anyone else getting sync floods from russia?

On 2/22/21 1:01 AM, li...@for-privacy.net wrote: Multiport example: # Up to 15 ports can be specified. A port range (port:port) counts as two ports. # Drop incoming connections which make more than 10 connection attempts upon ports x-y within 1 minute -A INPUT -p tcp -m multiport --dports xx:yy

Re: [tor-relays] anyone else getting sync floods from russia?

On 2/21/21 12:37 PM, niftybunny wrote: If I get say 2 connections from a single IP it would be blocked with iptables. Even much less looks unusal With this command watch -d -x bash -c 'ss --all --numeric --processes state syn-recv | sort -k 5 -n' I do see a handful of addresses

Re: [tor-relays] anyone else getting sync floods from russia?

On 2/20/21 12:29 PM, niftybunny wrote: We already changed the timers on the TCP connections and we have scripts running which are blocking IPs who will send us x connections. Right now they changed tactics and for me it looks like SYNC flood from datacenter IP ranges and a few 100 IPs

Re: [tor-relays] anyone else getting sync floods from russia?

On 2/20/21 2:25 AM, niftybunny wrote: https://i.imgur.com/nDbaXqH.png https://i.imgur.com/Y5259wW.png Yep, I do wonder if sth like netstat --tcp -n -4 | perl -wane ' BEGIN { $Hist=(); } { next unless (m/^tcp/); ($Remote) =

Re: [tor-relays] Huge increase in bridge connections

On 2/12/21 2:04 PM, Logforme wrote: Don't know if it's connected but my 2 guard relays jumped from the normal 2k clients to over 6k during a 24h period. https IMO it is uncommon. FWIW I observed a jump from 18K to 34K at 10th of February around 10:00 pm UTC, slowly decreasing now. -- Toralf

Re: [tor-relays] Is my relay broken? No stable, hsdir or guard flags

On 1/30/21 5:59 AM, Scott Bennett wrote: Or, as an alternative to the above proposal, newly awakened authorities' votes regarding time-dependent flags should be ignored by other authorities until the newly awakened have been awake at least, say, ten days? I do wonder if this helps if all

Re: [tor-relays] Server under attack according to my hoster

On 1/22/21 6:04 PM, lists.torproject@stein-io.de wrote: Today I received a notification that my server is "under attack" since my server got over the threshold of 300k packets/s. At the time of the mail it seems to be about 450k pps . I do run 2 Tor relays at 1 Hetzner host and do have

Re: [tor-relays] Introducing new bridge status page

On 1/11/21 9:03 PM, Philipp Winter wrote: FINGERPRINT is your bridge's fingerprint or its hashed fingerprint -- either works. for public bridges ;-) -- Toralf ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] OrNetStats: Operator Level Graphs added

On 1/9/21 9:38 PM, nusenu wrote: - change the scale on the y axis (vertical drag and drop) Maybe nitpicking but IMO It is irritating, that the 0% value (zero) of the left y-axis doesn't match the 0 GBit/s at the right y-axis (per default). -- Toralf OpenPGP_signature Description:

Re: [tor-relays] OrNetStats: Operator Level Graphs added

On 1/10/21 7:08 PM, li...@for-privacy.net wrote: I don't want to expect the average user to fish something obfuscated out of the string. Yes, I am old and conservative ;-) /me too - therefore I tend to not add detailed technical information about the relays. (BTW that doesn't work at all

Re: [tor-relays] OrNetStats: Operator Level Graphs added

On 1/9/21 9:38 PM, nusenu wrote: I've added new operator level pages with an interactive graph showing the aggregated guard/exit probability and advertised bandwidth over time across all relays for a given operator. cool idea, canthose graphs being linked from eg

[tor-relays] event.reasons for ORStatus.CLOSED

I wrote a small Pythons script [1] to catch the event.reasons for ORStatus.CLOSED. The output is something like this: orstatus.py --ctrlport 9051 DONE FAF3236D37B0B18D8438C46317940F642E296924 IOERROR 917A0A924DA50B46CD740924AB42B237A831E182 DONE

  1   2   3   4   >