tor-relays February 2021

tor-relays@lists.torproject.org

43 participants
41 discussions

Tor on Rpi
by relay.jackash＠simplelogin.fr 09 Feb '21

09 Feb '21

Hello im running a tor relay on rpi 2 with version 0.4.2.7., on the Tor relay search i see my relay is outdated and flaged as not recomended, however on rpi i have tried update and upgrade many times and always get notification from apt that tor i already de newest version, also tried apt dist-upgrade but no luck. Any way to get the last version and get ride of not recomended flag from my relay? Thanks in advanced

2 1

Re: [tor-relays] Tor on Rpi (relay.jackash@simplelogin.fr)
by Patrice Bönig 08 Feb '21

08 Feb '21

Hi, I am also have a tor relay running, but on a RPI 4. No long time ago I stood at the same point as you are now. I than wrote me a skript, where it: 1. pulls the latest source 2. backs up the old data (identity) 3. compiles and installs tor 4. copies the old data on the new installation 5. adds tor to crontab 6. starts tor I think you must change some things to your need if you want to use it. If you want the script I can share it here, if it is allowed. If not I can send it to you via mail. regards Patrice > Hello > im running a tor relay on rpi 2 with version 0.4.2.7., on the? Tor relay search i see my relay is outdated and flaged as not recomended, however on rpi i have tried update and upgrade many times and always get notification from apt that tor i already de newest version, also tried apt dist-upgrade but no luck. > > Any way to get the last version and get ride of not recomended flag from my relay? >

1 0

Tor Time Logging
by Kathi 05 Feb '21

05 Feb '21

How do I change the time on my tor relay to local time? I'm not into the military/UTC thing at all. It's actually annoying for me. thanks for help!!

3 2

Possible (D)DoS attack on my relay michaelscott (47E1157F7DA6DF80EC00D745D73ACD7B0A380BCF)
by William Kane 04 Feb '21

04 Feb '21

Hi community, Unfortunately my otherwise stable tor guard relay has recently lost it's guard flag, once again, due to what I think is a new type of (D)DoS attack, either directly targeted towards my tor relay, or against some other relays inside the network, facilitated through my relay. It all started to go downhill one month ago, on January 10th of this year - the linux kernel OOM killer decided to reap the tor process, multiple times in a row - it was violating the MaxMemInQueues setting of 732MB, the optimal value according to tor - on a virtual machine with a dedicated CPU core (and sadly, a lack of hardware AES acceleration, but that's off topic, by completely sandboxing and isolating the tor process, and then disabling all mitigations offered by the linux kernel, I still managed to achieve a peak throughput of 10mb/s while keeping other users and processes safe and sound - this made the relay the fastest tor relay belonging to my AS.. sorry, just bragging ;-)) which has 1024 megabytes of physical ram, and a swap partition with a size of 512 megabytes (vm.swappiness initially was 90, I've changed it to 70). The first time this happened, it came out of nowhere, so I wasn't closely monitoring the metrics page of my relay - this led to a downtime of 3 days, then leading to the loss of the guard flag. Since then, traffic on my relay has been limited to traffic coming from other relays, it is now exclusively a middle-only relay - it did not recover from the attack, even though I managed to achieve longer consecutive uptimes by tweaking MaxMemInQueues, first down to 704, then 672, and now 640MB. The only log entry I ever saw before the tor process got reaped is the following one: Feb 04 12:47:08 *hostname_redacted* tor[224]: Feb 04 12:47:08.000 [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [93409 similar message(s) suppressed in last 60 seconds] Feb 04 12:48:08 *hostname_redacted* tor[224]: Feb 04 12:48:08.000 [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [42527 similar message(s) suppressed in last 60 seconds] As you can tell by the date, this was today - after 3 weeks and 1 day, this noon, the process got OOM-killed again - I instantly noticed it, logged into the machine, installed updates, updated my pacman mirrorlist, the usual stuff - then I rebooted the machine, only to log in 5 minutes later to see tor using 100% of CPU time, with the log file getting spammed by this error - it started only 3 seconds after the relay published it's descriptor. Clearly, this is some sort of targeted attack against either my relay or someone is abusing it to attack someone or something else inside or outside the tor network. I did read the recent information on attacks regarding DirAuth's, but apparently a fix has been deployed on all of them, and checking the bandwidth stats of some of them, it seems to be working, somewhat. I wonder if this is the culprit here, this machine has been running tor relays since 2014, and I never had these problems with it before - even without lowering MaxMemInQueues. To me, that's just further proof that this is a targeted attack using my relay and before you ask, I know some KVM hypervisors are oversold, but my hosting company stopped selling KVM machines with mechanical host HDD's a few years ago, so new customers can't be the reason for all of this. Is there anything I can do to make my relay as stable as possible until the attacker(s) stop(s) hammering my relay? This doesn't seem to get caught by the built-in DoS prevention, so I didn't try tweaking the associated config options. Maybe someone from the tor team has a patch I can try applying? I'm not completely up to date on the newest tor shenanigans and pitfalls, so maybe it has already been posted on this mailing list, but I don't feel like reading a bazillion messages. For the time being, MaxMemInQueues will stay at 640 megabytes, to (hopefully) at least keep the relay up and running, even though performance, for anyone unlucky enough to build a circuit through it, will be affected, severely (despite all this, I'm still pushing around 11TB/s of traffic a month, I just don't know how much of it is legitimate..) - it's my duty as a relay operator to guarantee for the safety and usability of my tor relay, so I'm very eager to find a solution for this. Unfortunately, this is a live relay, otherwise I would probably try developing my own solution for the problem (including publishing it / making a pull request), but in this case repeated downtimes and restarts, which would be necessary when working on the source code, is absolutely not an option as it would possibly disrupt hundreds, if not thousands of clients. If anyone could point me in a direction, I'd really appreciate it. Thank you, William

1 1

sig ver error and more
by tor 04 Feb '21

04 Feb '21

Hi All, So everything had been working for over a year. Am currently on tor 4.2.7, stretch. When I went to update, I got: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 < http://deb.torproject.org/> deb.torproject.org archive signing key My deb.torproject.org--keyring is version 2018.08.06 Is this the latest version? In trying to update deb.torproject.org--keyring, it says I'm on the latest, In trying: sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 74A941BA219EC810 I get: packet too large invalid packet no valid openpgp data found Maybe I used the wrong key in the above command? thoughts? -matt

1 0

Exit relay operators please help test #2667 branch
by Roger Dingledine 04 Feb '21

04 Feb '21

Hello friendly relay operators, Another day, another weird thing with the Tor network. This time we have some jerk bombing the directory authorities with directory fetches, and doing it via exits: https://lists.torproject.org/pipermail/network-health/2021-January/000661.h… The network is mostly holding together, but I wouldn't say it is pretty. One of the long-term fixes will be ticket #2667: https://gitlab.torproject.org/tpo/core/tor/-/issues/2667 where exit relays refuse to let users connect back into the Tor network. David and I made a branch this evening that implements #2667, and it could use some testing. If you're comfortable building your exit relay from a git branch, please do, and let us know how it goes. It is the "ticket2667" branch on either https://git.torproject.org/user/arma/tor or https://gitlab.torproject.org/arma/tor/ And if your relay is currently using 100% cpu and/or way more bandwidth than usual, you might be especially excited to try out this patch. :) When the defense triggers, you will see an info-level log line like "%s tried to connect back to a known relay address. Closing." (where %s is the destination, so don't get upset at them. :) You can let us know how it's going either by mail just to me, or by a reply on the list, whichever you prefer. Once we know that you're running the branch, we can also probe your relay remotely to verify that it is correctly refusing those connections. Thanks! --Roger

4 6

Sig ver error
by tor 03 Feb '21

03 Feb '21

Hi all, I'm getting a signature verification error: $ sudo apt-get update Hit:1 http://mirrordirector.raspbian.org/raspbian stretch InRelease Hit:2 http://archive.raspberrypi.org/debian jessie InRelease Get:3 https://deb.torproject.org/torproject.org stretch InRelease [3528 B] Err:3 https://deb.torproject.org/torproject.org stretch InRelease The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key Fetched 3528 B in 3s (998 B/s) Reading package lists... Done W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org/torproject.org stretch InRelease: The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key W: Failed to fetch https://deb.torproject.org/torproject.org/dists/stretch/InRelease The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 deb.torproject.org archive signing key W: Some index files failed to download. They have been ignored, or old ones used instead. Any thoughts would be appreciated. thanks, matt

3 2

Re: [tor-relays] tor-relays Digest, Vol 120, Issue 25
by Patrice Bönig 03 Feb '21

03 Feb '21

Am 03.02.2021 um 21:14 schrieb Patrice Bönig: > I am now compiling the new 0.4.4.7 version and by that I saw that the > entry of "systemd support (--enable-systemd)" is is "no". So I assume > that the systemd functionality is not on board, or am I wrong? > How do I enable for the compiling process? > > regards > Karl > > >> Permissions issue of /var/lib/tor / DataDirectory most likely, and >> Tor can't fix it itself since it's likely owned by root, however the >> systemd unit starts it under a separate user. 2021-01-22 12:03 GMT, >> Patrice B?nig <mailinglist(a)pboenig.de>: >>> Hi @ list, >>> >>> I am operating a relay for several years and I really do like it and >>> will do it for more years. >>> >>> My current relay residents on Pi 4. At first I installed it via apt but >>> now the 32 Bit sources are no longer available. So I thought I could >>> build the from source. >>> >>> The building process went well but now I have a problem with the user >>> permissions. I can't get tor really running. >>> >>> _My first attempt was:_ >>> >>> To start tor with "systemctl start tor". But tor won't start and " >>> journalctl -u tor" says only this: >>> >>> Jan 22 09:06:23 rpi4tor systemd[1]: Starting LSB: Starts The Onion >>> Router daemon >>> Jan 22 09:06:23 rpi4tor systemd[1]: Started LSB: Starts The Onion Router >>> daemon >>> Jan 22 09:08:32 rpi4tor systemd[1]: Stopping LSB: Starts The Onion >>> Router daemon >>> Jan 22 09:08:32 rpi4tor systemd[1]: tor.service: Succeeded. >>> Jan 22 09:08:32 rpi4tor systemd[1]: Stopped LSB: Starts The Onion Router >>> daemon >>> lines 1-6/6 (END)...skipping... >>> -- Logs begin at Thu 2019-02-14 11:11:59 CET, end at Fri 2021-01-22 >>> 11:54:47 CET. -- >>> Jan 22 09:06:23 rpi4tor systemd[1]: Starting LSB: Starts The Onion >>> Router daemon processes... >>> Jan 22 09:06:23 rpi4tor systemd[1]: Started LSB: Starts The Onion Router >>> daemon processes. >>> Jan 22 09:08:32 rpi4tor systemd[1]: Stopping LSB: Starts The Onion >>> Router daemon processes... >>> Jan 22 09:08:32 rpi4tor systemd[1]: tor.service: Succeeded. >>> Jan 22 09:08:32 rpi4tor systemd[1]: Stopped LSB: Starts The Onion Router >>> daemon processes. >>> >>> _My second attempt was:_ >>> >>> I changed the user of all tor files to the current user "pi". After that >>> I was able to start tor with "tor --quiet" as user "pi". All went fine >>> until I rebooted the system and all my changes to "pi" where changed to >>> "debian-tor". >>> >>> _My third attempt was:_ >>> >>> I did "sudo tor --quiet". It works, but in "notices.log" is the >>> information that I shouldn't do that. >>> >>> >>> So, now I am standing here and don't know what to do. I would like to >>> start tor via systemd but I don't know what's wrong (maybe the >>> permissions). Does someone has a hint for me? >>> >>> regards, >>> Karl >>> >>> >>>

1 0

Wildly Different BandWidth Numbers
by Eddie 03 Feb '21

03 Feb '21

Looking at the consensus health page for my relay D195E5CE8AE77BAC91673E6CFB7BD0AF57281646), I see wildly different values for bandwidth: bw=3060 bw=910 bw=340 bw=620 bw=5130 Why is there such a discrepancy. I'm guessing this has something to do with my relay bouncing in and out of Guard status on a regular basis (which I'm sure can't be a good thing). Is there anything I can do to maintain a consistent value, be it at one end of the scale or the other. Cheers.

2 1

Tor Version "Not Recommended" - V 4.2.7 - Raspberry PI - "armhf" not supported
by petrarca＠protonmail.ch 02 Feb '21

02 Feb '21

I noticed that my Relay got a "Not Recommended" Flag. It's running on version 4.2.7 currently. I checked a few things and this is poping up with a apt update on the Raspberry: N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'http://sdscoq7snqtznauu.onion/torproject.org buster InRelease' doesn't support architecture 'armhf' Did I do something wrong; any recommendations on how to fix this issue? Many thanks!

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays February 2021