No, this isn't necessary. Just the ports configured in your torrc.
On Sun, Dec 28, 2014 at 5:12 AM, rush23@gmx.net wrote:
Hello guys,
Well, I'm new to the tor-project, supporting it now by running my first tor exit node since 23rd Dec '14 :) For security purposes I configured iptables and exit policy rules as advised by the tor manuals, recognizing that there's a mass of attempts on incoming Dport 8118, and wondering if I should permit it or still leave it denied!? My little search on that port reveals that it is used by several socks proxies, for instance privoxy. Anyway, is it required for my running exit node??
thanks;) tor-proxy-relayX supporter
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
The antivirus program on a machine running a bridge occasionally reports like so:
Object: https://<some IP address> Infection: URL:Mal [sic] Process: ... \tor.exe
When I track down the addresses I find they are tor nodes (sometimes bridges, sometimes guards, sometimes exits).
Are the flagged nodes in some way misconfigured, or can I consider these to be false positives? Is there anything to worry about here?
Detail: The tor and standalone vidalia folders have been flagged as exceptions (i.e. excluded) in the virus scanner. The scanner's web module is picking up the IP addresses from the port traffic.
Thanks for any enlightenment - eliaz
On Mon, Jan 5, 2015 at 2:30 AM, eliaz eliaz@riseup.net wrote:
Since the internet is known to be an infected wasteland, and exits are known to MITM your streams, I'd suggest either compartmentalizing all your surfing in a disposable VM (which should probably be done anyways), or excluding web traffic from your scanner.
Additionally, if you are able to isolate and confirm that a specific exit is MITM'ing you (vs the "malware/virus" being on the original clearnet site itself) feel free to post its fingerprint here so that the workers can double check and dirauths can give it the bad exit flag.
Unfortunately Tor doesn't have a simple logging format that you can watch in real time alongside your scanner. I'm finishing a spec ticket for that soon though.
Something to take into account as well is that some AVs are known to flag Tor as a virus; I would say that maybe it's a possibility that traffic gets flagged as such too? I've never used an antivirus, let alone one that does traffic inspection, so obviously this is conjecture on my part.
As an example, when I helped a friend set up Tor Browser on his Windows machine, AVG reported that tor.exe was a possible virus and removed it; this also happened when we tested the Tor Vidalia bundle. This was simply a filesystem check though, rather than packet/traffic inspection. It was also very recent, within the last week.
-- Kura
t: @kuramanga [https://twitter.com/kuramanga]
w: https://kura.io/ [https://kura.io/]
g: @kura [http://git.io/kura]
On 05/01/2015 08:25:11, grarpamp grarpamp@gmail.com wrote:
On Mon, Jan 5, 2015 at 3:33 AM, Kura kura@kura.io wrote:
I would say that maybe it's a possibility that traffic gets flagged as such too? ... antivirus [...] one that does traffic inspection
Oh, well that could be too. Tor traffic is crypted/obfuscated and thus could generate a random hit that AV points at the Tor binary as responsible for.
But the OP is getting URLs from AV so it may be watching his localhost SOCKS for http streams.
What's weird is OP's "Object" is https://, which is not terminated to plaintext anywhere but in the browser or tor.
Perhaps not enough info.
machine, AVG reported that tor.exe was a possible virus and removed it; this also happened when we tested the Tor Vidalia bundle. This was simply a filesystem check though, rather than packet/traffic inspection. It was also very recent, within the last week.
Gratuitous listing by AVG perhaps?
On 05/01/2015 08:59:41, grarpamp grarpamp@gmail.com wrote: On Mon, Jan 5, 2015 at 3:33 AM, Kura wrote:
Perhaps not enough info.
Kura: Indeed. I'm not exactly sure how or why that would be the case, but I thought my recent experiences with Tor on Windows might at least shed another piece of light on how AVs sometimes treat Tor. May be related, may be totally unrelated.
From the error, you would expect the AV to be picking out content it deems as dangerous from the final response, i.e. the destination after the exit, but that seems a little odd to me, unless the AV consistently lists the same page as having a virus.
Gratuitous listing by AVG perhaps?
Kura: Quite possibly. AV companies are odd with how they treat certain things. Keygen programs on Windows are another big thing that they used to flag even if they were not dangerous at all.
On a semi-related note, I run a fair number of exit and middle/guard relays that I can guarantee do not try to do anything naughty to content, feel free to test your Tor against them to see if you still get the same virus warnings, OP.
On Mon, Jan 5, 2015 at 4:11 AM, Kura kura@kura.io wrote:
On a semi-related note, I run a fair number of exit and middle/guard relays that I can guarantee do not try to do anything naughty to content, feel free to test your Tor against them to see if you still get the same virus warnings, OP.
I prefer the ones that replace all advertisements with kittens. And mine just sniff for passwords so don't use them ;)
grarpamp:
On Mon, Jan 5, 2015 at 3:33 AM, Kura kura@kura.io wrote:
I would say that maybe it's a possibility that traffic gets flagged as such too? ... antivirus [...] one that does traffic inspection
Oh, well that could be too. Tor traffic is crypted/obfuscated and thus could generate a random hit that AV points at the Tor binary as responsible for.
But the OP is getting URLs from AV so it may be watching his localhost SOCKS for http streams.
This may perhaps help: Running the bridge I regularly get:
[Warning] Rejecting SOCKS request for anonymous connection to private address [scrubbed]. [1 similar message(s) suppressed in last 300 seconds]
I can't unscrub these msgs (SafeLogging doesn't seem to work for tor 4.0.2 and standalone vidalia). I haven't been able to track down the processes involved. Since they're private, I assume they're broadcasts & so ignore them. There were some conversations about this on one of the lists some time ago, and the advice was to ignore.
On Mon, Jan 5, 2015 at 11:15 AM, eliaz eliaz@riseup.net wrote:
processes involved. Since they're private, I assume they're broadcasts &
Private are RFC1918. Broadcasts are 255.255.255.255 or the subnet based versions of same.
grarpamp:
Thanks! I'll check out the RFC. - eliaz
Kura:
Something to take into account as well is that some AVs are known to flag Tor as a virus; I would say that maybe it's a possibility that traffic gets flagged as such too? I've never used an antivirus, let alone one that does traffic inspection, so obviously this is conjecture on my part.
Are you referring to tor client operation as well as bridge operation? I run my tor client on a box that I use as needed, and the bridge on a separate 24/7 box.
As an example, when I helped a friend set up Tor Browser on his Windows machine, AVG reported that tor.exe was a possible virus and removed it; this also happened when we tested the Tor Vidalia bundle. This was simply a filesystem check though, rather than packet/traffic inspection. It was also very recent, within the last week.
Even on the as-needed box I run the client under tor. I've never gotten these alerts when running the client. - eliaz
grarpamp:
On Mon, Jan 5, 2015 at 2:30 AM, eliaz eliaz@riseup.net wrote:
Since the internet is known to be an infected wasteland, and exits are known to MITM your streams,
Do you mean my streams in particular or all streams?
I'd suggest either compartmentalizing all your surfing in a disposable VM (which should probably be done anyways), or excluding web traffic from your scanner.
I run in a dedicated low-power box on my LAN, to save electricity. Is that as good as a VM?
I've got VMs on the other machine, which is a power hog & not run continuously.
Additionally, if you are able to isolate and confirm that a specific exit is MITM'ing you (vs the "malware/virus" being on the original clearnet site itself) feel free to post its fingerprint here so that the workers can double check and dirauths can give it the bad exit flag.
I don't know how to confirm that exits are MITMs. I can post the FPs of the ones that show up, though. So far all the alerts lead me to recognizable nodes that show up OK in Atlas, etc.
Unfortunately Tor doesn't have simple logging format that you can watch in real time alongside your scanner. I'm finishing a spec ticket for that soon though.
The alerts appear randomly at intervals of several days. The AV program alert is via a popup, which I can get later by asking the AV to show last popup. I guess I should get up to speed in wireshark, but it's gonna result in a monster file by the time it catches anything. Thanks for writing up the spec, I'll try to follow the conversation. - eliaz
On Mon, Jan 5, 2015 at 10:36 AM, eliaz eliaz@riseup.net wrote:
Do you mean my streams in particular or all streams?
Unless you're passing identifiable info over http, the exit wouldn't have data to target anyone. All streams are possible.
I run in a dedicated low-power box on my LAN, to save electricity. Is that as good as a VM?
Whichever way you like. If you've got all sorts of virii/malware going on in an environment of exposure you wouldn't want your regular personal files or activities exposed to that.
I don't know how to confirm that exits are MITMs. I can post the FPs of
Turn off TBB, Tor, bridge, vidalia, socks, everything about tor. Browse to the same place/url you got an alert with normal Firefox over clearnet. See if you get an alert.
the ones that show up, though. So far all the alerts lead me to recognizable nodes that show up OK in Atlas, etc.
Others have not reported 'all these alerts' and exits "several days". If you wanted to you could post the name and version of your "AV program" and your OS version. And the full text of one of these alerts (if it's not sensitive to you) and the exit FP.
last popup. I guess I should get up to speed in wireshark, but it's gonna result in a monster file by the time it catches anything.
Put this in your filter: tcp[13] | 24 != 24 && tcp[13] | 16 != 16
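As an added illustration (not code from the thread or from Tor), here is a small Python evaluation of the capture filter above, assuming pcap-filter precedence where the arithmetic "|" binds tighter than "!=". Run over constructed TCP flag bytes from a typical session, it shows the filter keeps only packets with a flag other than PSH or ACK set (handshake, FIN, RST) and drops the bulk data segments, which is why it keeps the capture file small.

```python
# Added example: evaluates the pcap capture filter
#   tcp[13] | 24 != 24 && tcp[13] | 16 != 16
# on constructed TCP flag bytes. tcp[13] is the TCP flags byte;
# 24 = PSH|ACK and 16 = ACK.

TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

def flag_names(flags: int) -> str:
    """Render a TCP flags byte as e.g. 'SYN|ACK'."""
    names = [n for n, bit in TCP_FLAGS.items() if flags & bit]
    return "|".join(names) or "(none)"

def grarpamp_filter(flags: int) -> bool:
    """Literal transcription of the filter. In pcap-filter syntax the
    arithmetic '|' binds tighter than '!=', so each clause reads
    (tcp[13] | N) != N."""
    return (flags | 24) != 24 and (flags | 16) != 16

def simplified_filter(flags: int) -> bool:
    """(f | 24) != 24 holds iff some bit outside PSH|ACK is set; every such
    bit is also outside ACK, so the second clause is implied by the first.
    Net effect: keep a packet iff any flag other than PSH or ACK is set."""
    return flags & ~(TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]) != 0

def kept_packets(samples):
    """Return the flag strings of the packets the filter would write out."""
    return [flag_names(f) for f in samples if grarpamp_filter(f)]

# Constructed sample flag bytes covering a normal TCP session.
SAMPLE_FLAGS = [
    0x02,  # SYN       client opens the connection
    0x12,  # SYN|ACK   server answers
    0x10,  # ACK       handshake completes / bare acks
    0x18,  # PSH|ACK   data segments (the bulk of any capture)
    0x11,  # FIN|ACK   orderly close
    0x04,  # RST       abort
]

if __name__ == "__main__":
    for f in SAMPLE_FLAGS:
        verdict = "kept" if grarpamp_filter(f) else "dropped"
        print(f"{flag_names(f):8s} -> {verdict}")
    # The literal and simplified forms agree on every possible flags byte.
    assert all(grarpamp_filter(f) == simplified_filter(f) for f in range(256))
```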
grarpamp:
I run in a dedicated low-power box on my LAN, to save electricity. Is that as good as a VM?
Whichever way you like. If you've got all sorts of virii/malware going on in an environment of exposure you wouldn't want your regular personal files or activities exposed to that.
All my connections/boxes/firewalls are OK, generally get very few alerts
I don't know how to confirm that exits are MITMs. I can post the FPs of
Turn off TBB, Tor, bridge, vidalia, socks, everything about tor. Browse to the same place/url you got an alert with normal Firefox over clearnet See if you get an alert.
the ones that show up, though. So far all the alerts lead me to recognizable nodes that show up OK in Atlas, etc.
My mistake. One IP address can't be found in Atlas or Globe. See below.
Others have not reporting 'all these alerts' and exits "several days". If you wanted to you could post the name and version of your "AV program" and your OS version. And the full text of one of these alerts (if it's not sensitive to you) and the exit FP.
I've gone back to my records. The .txt attachment gives what I'd gotten for three different IP addresses. I'm not panicked about this & don't expect anyone to put more time into my query. But the different results may interest someone. - eliaz
On Tue, Jan 6, 2015 at 5:34 AM, eliaz eliaz@riseup.net wrote:
for three different IP addresses. I'm not panicked about this & don't
Those IPs are exits, no idea why they're being called out by avg. What are the malware/virus ids, the same all the time, different?
Try a unix like freebsd or linux someday, tends to be more secure anyway.
grarpamp:
On Tue, Jan 6, 2015 at 5:34 AM, eliaz eliaz@riseup.net wrote:
for three different IP addresses. I'm not panicked about this & don't
Those IPs are exits, no idea why they're being called out by avg. What are the malware/virus ids, the same all the time, different?
They're the same, referring only to the Gateway firewall. I'm beginning to think that it's only these three nodes that trigger alerts. Just out of curiosity I'll track things more systematically over the next few weeks. Since there seems to be no real threat, we may as well end this thread. Thanks to you & the other respondents, you've been helpful.
Try a unix like freebsd or linux someday, tends to be more secure anyway.
Since you suggest that :). I do have Debian running as a VM, but on the 100W machine. The 13W-machine's CPU (Intel Atom 2550) won't accept GUI linux, & I haven't had time to look for & try a command-line distro. As long as the relay is running 100% of the time I'm reluctant to change things. I'm pretty confident that the windows configurations are malware proof. But yeah, by & bye when I get the time... - eliaz