tor-relays October 2016

tor-relays@lists.torproject.org

101 participants
61 discussions

IP address change
by balbea16 24 Oct '16

24 Oct '16

Hi There My ISP changes my IP address about every 24 hours. It takes 10 minutes until my tor server recognises this, and an hour until all usual connections are reestablished. How can I speed this up? Does it help to use a DNS? To pay for a static address is not an option. Any ideas? Thank you. Mike

2 1

numtcpsock prevents relay from working properly.
by Nils Erik Flick 24 Oct '16

24 Oct '16

Hi, I am experiencing trouble with a new VPS relay. https://atlas.torproject.org/#details/41F07731207742860D43AC426FBAE2F3947BD… It spontaneously acquired an advertised bandwidth of 2.67MB/s but then started to sputter. Failing because we have 1314 connections already ... Specifically, looking at /proc/user_beancounters numtcpsock is the culprit, which is limited to 1360 (some other processes are using the remaining sockets). This artificial limit causes new connections to fail even though send/receive buffers or CPU usage are well below critical. The value can't be changed from inside the OpenVZ container. That's a pity because traffic appears to be unmetered and a lot of potential is wasted this way. I understand that there is currently no way to limit this inside the Tor process because every relay needs to be ready to connect to every other relay at any time. So I tried to get its consensus weight down. Gradually lowering the MaxAdvertisedBandwidth to 300k caused it to briefly acquire the "Stable" flag and run into trouble again. That's no better than a home connection. Worse, in fact, because the problem persists. I'm curious, is this a common experience? Asking customer service would mean explicitly drawing attention to the fact that I'm trying to use the cheap plan to run Tor nodes. That's completely against my instincts. On the other hand they *did* offer a free-form box in the registration form. Has anyone tried and if so, to any avail? Is there a workaround I'm missing? iptables can be configured freely, but I don't see how that would help. At this point I'll probably call it a day, try elsewhere and set this one up as a bridge instead. Frankly I was a bit surprised that technical snags like this aren't generally mentioned in relay setup guides or FAQs. For all I know, it may be common knowledge among expert sysadmins that OpenVZ should be shunned or whatever, but to someone with little prior experience as a user of commercial hosting, some of these limitations come as a surprise. In a bout of post factum searching, I only found this discussion https://serverfault.com/questions/698845/debian-limit-number-of-tcp-sockets… IMHO this kind of knowledge should be spread more "pro-actively", which is why I'm posting this on a public list. Peace, Erik

2 3

Linux kernel vulnerability
by I 24 Oct '16

24 Oct '16

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel http://dirtycow.ninja/

9 14

CentOS 7 Packages
by Alice . 23 Oct '16

23 Oct '16

Hi, I have one relay on CentOS 6 and one on CentOS 7. The one running CentOS 7 hasn't had the 0.2.8.8 update yet and so is still running 0.2.8.7. The one running CentOS 6 has had the latest update. Is there a problem with getting CentOS 7 packages out? How much of a problem is this? Both now and in the future? Thanks Alice

2 1

Recommendation for DUMB COMPUTING devices for Tor Relays
by Dan Michaels 21 Oct '16

21 Oct '16

The Tor Project website recommends various security setups for people running Tor relays. Such as, don't run a web browser on the same machine as your Tor relay, otherwise the browser could get hacked, and then if Tor relays are hacked, it compromises the entire concept of Tor. In the age of FBI mass hacking, the FBI will attempt to hack all Tor relays, and thus, they can trace traffic throughout the entire proxy chain. According to NSA documents, all it takes is "one page load" to infect a browser, because they re-direct you to a fake website that hosts browser exploits, known as QUANTUM INSERT. The FBI will use this to take over all Tor relays that are running web browsers. So, I have a suggestion that I would like Tor Project to recommend. Tor Project needs to tell people.. use DUMB COMPUTING devices for running Tor relays. If your computer gets hacked, it can be deeply exploited in the firmware, such as BIOS, GPU, WiFi chip, etc. There are devices on the market, such as Raspberry Pi, or similar, which have NO WRITABLE FIRMWARE. This is known as being "stateless". It does not "hold state" across reboots. All firmware/drivers are stored on the SD card on the Raspberry Pi, and only loaded in on boot time. No component on the entire Pi holds state. NONE. There will likely be other similar devices. Therefore, it is truly possible to wipe a dumb computing device completely clean. If you try to wipe a regular laptop or desktop, you may have all this deeply infected firmware, such as BIOS, so you keep getting re-infected upon startup. Some people say, once deeply infected, it's near-impossible to clean it out, and you should just throw away your entire laptop and start again. Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE. Another advantage is that these devices are often very cheap. Raspberry Pi is very cheap to buy. Other devices may be even cheaper. The instructions should be as follows... (1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS + all firmware/drivers. (2) Then, re-install the OS clean, install Tor, and set up the relay. (3) Tor should be installed from the command line or from a previously-downloaded version on USB stick. Do not install Tor using the web browser, otherwise you could get infected. (4) Do not run anything else on the machine, other than the Tor relay. Using other programs, especially the web browser, could compromise the entire machine. And that's it. Tor Project should send out a message telling all people running Tor relays to follow these instructions. Let me know what you think.

8 7

relay lost most of its consensus weight
by jensm1 19 Oct '16

19 Oct '16

Hi, I just realised that my relay 'itwasntme' lost most of its consensus weight yesterday morning. The relay is only three weeks old, but it was finally picking up some traffic, which now is gone again. What could be the cause for this? Is there a problem with my relay or configuration? Thanks for your help! https://atlas.torproject.org/#details/F46C312E279185364F46EA06C58F792528091…

4 11

assign_to_cpuworker failed. Ignoring.
by Felix 19 Oct '16

19 Oct '16

Thanks for picking up. > It would help us to know if it's just FreeBSD, or just LibreSSL. It's both LibreSSL on FreeBSD 10.1. Same setup worked fine since months through serveral versions of Tor (2.6.x and 2.7.x) and LibreSSL (2.2.x until today). > Maybe mention the bug number on tor-talk, so that poster can provide more details? Might be. -- Felix

2 1

Re: [tor-relays] You dont love me anymore :(
by Tristan 18 Oct '16

18 Oct '16

Like David said, they just had the wrong IP, and it happened to be yours. In a world where computers outnumber people, even a single incorrect digit can have unintended side effects. Glad you got it fixed so quickly! On Oct 18, 2016 1:36 PM, "Markus Koch" <niftybunny(a)googlemail.com> wrote: Just solved but thank you very much for helping me out. It was confusing without end because this server was up for 10 months and high traffic. Markus 2016-10-18 20:30 GMT+02:00 Tristan <supersluether(a)gmail.com>: > According to this page: > https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays > > Looks like you need to get in touch work bad-relays(a)lists.torproject.org > > What's strange is that the bad relay team should have contacted you before > making a decision. > > > On Oct 18, 2016 1:23 PM, "Markus Koch" <niftybunny(a)googlemail.com> wrote: >> >> Thank you very much. How do I dispute this? >> >> >> 2016-10-18 20:20 GMT+02:00 Tristan <supersluether(a)gmail.com>: >> > I don't know why or how, but you've got the BadExit flag from moria1: >> > https://consensus-health.torproject.org/consensus-health.html >> > >> > >> > On Oct 18, 2016 1:16 PM, "Markus Koch" <niftybunny(a)googlemail.com> >> > wrote: >> >> >> >> This is a guard/middle and should be good ... >> >> >> >> >> >> >> >> https://atlas.torproject.org/#details/B771AA877687F88E6F1CA5354756DF 6C8A7B6B24 >> >> >> >> and I have never ever seen this before. >> >> >> >> Markus >> >> >> >> >> >> 2016-10-18 20:13 GMT+02:00 Tristan <supersluether(a)gmail.com>: >> >> > I've seen 404s from time to time, but this is new. Did you get a bad >> >> > relay >> >> > flag somehow??? >> >> > >> >> > >> >> > On Oct 18, 2016 1:12 PM, "Markus Koch" <niftybunny(a)googlemail.com> >> >> > wrote: >> >> >> >> >> >> 20:08:18 [WARN] Received http status code 404 ("Not found") from >> >> >> server '86.59.21.38:80' while fetching >> >> >> "/tor/keys/fp-sk/14C131DFC5C6F93646BE72FA1401C02A- >> >> >> 8DF2E8B4-692049A2E7868BE9933107A39B1CE0C7CBF1BF65". >> >> >> 20:06:18 [WARN] Received http status code 404 ("Not found") from >> >> >> server '194.109.206.212:80' while fetching >> >> >> "/tor/keys/fp-sk/14C131DFC5C6F93646BE72FA1401- >> >> >> C02A8DF2E8B4-692049A2E7868BE9933107A39B1CE0C7CBF1BF65". >> >> >> 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in >> >> >> this range.") response from dirserver '171.25.193.9:443'. Please >> >> >> correct. >> >> >> 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in >> >> >> this range.") response from dirserver '154.35.175.225:80'. Please >> >> >> correct. >> >> >> 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in >> >> >> this range.") response from dirserver '131.188.40.189:80'. Please >> >> >> correct. >> >> >> 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in >> >> >> this range.") response from dirserver '86.59.21.38:80'. Please >> >> >> correct. >> >> >> >> >> >> This is my niftypika server. This is animal abuse! Seriously, WTF is >> >> >> going wrong? >> >> >> >> >> >> Markus >> >> >> _______________________________________________ >> >> >> tor-relays mailing list >> >> >> tor-relays(a)lists.torproject.org >> >> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >> >> > >> >> > >> >> > _______________________________________________ >> >> > tor-relays mailing list >> >> > tor-relays(a)lists.torproject.org >> >> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >> >> > >> >> _______________________________________________ >> >> tor-relays mailing list >> >> tor-relays(a)lists.torproject.org >> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >> > >> > >> > _______________________________________________ >> > tor-relays mailing list >> > tor-relays(a)lists.torproject.org >> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >> > >> _______________________________________________ >> tor-relays mailing list >> tor-relays(a)lists.torproject.org >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > > > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

2 1

You dont love me anymore :(
by Markus Koch 18 Oct '16

18 Oct '16

20:08:18 [WARN] Received http status code 404 ("Not found") from server '86.59.21.38:80' while fetching "/tor/keys/fp-sk/14C131DFC5C6F93646BE72FA1401C02A- 8DF2E8B4-692049A2E7868BE9933107A39B1CE0C7CBF1BF65". 20:06:18 [WARN] Received http status code 404 ("Not found") from server '194.109.206.212:80' while fetching "/tor/keys/fp-sk/14C131DFC5C6F93646BE72FA1401- C02A8DF2E8B4-692049A2E7868BE9933107A39B1CE0C7CBF1BF65". 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '171.25.193.9:443'. Please correct. 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '154.35.175.225:80'. Please correct. 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '131.188.40.189:80'. Please correct. 20:05:18 [WARN] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '86.59.21.38:80'. Please correct. This is my niftypika server. This is animal abuse! Seriously, WTF is going wrong? Markus

4 9

Why do 40% of Tor exits uses 8.8.8.8 for DNS resolving ?
by Toralf Förster 18 Oct '16

18 Oct '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Reading [1] I do wonder about that. Why do Tor exit relay operators avoid installing a local resolver - or at least simple a cache as shown in [2] ? Adding different nameserver= lines to /etc/resolv.conf than 8.8.8.8 shouldn't be a big thing, or ? [1] https://nymity.ch/tor-dns/tor-dns.pdf [2] https://zwiebeltoralf.de/torserver.html - -- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7 -----BEGIN PGP SIGNATURE----- iHYEAREIAB4FAlgDW9QXHHRvcmFsZi5mb2Vyc3RlckBnbXguZGUACgkQxOrN3gB2 6U7l0AD9GolbdbnFmmDVACsdosxGC+bkD7czticuu0jTSQ5ObhYA/3aq74/N23bp D0mOLzfUmmDpiI2KXOSLvG/n8vrAgYlV =y46I -----END PGP SIGNATURE-----

11 25

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays October 2016