Tor server


why

Freedom needs a free press. A free press needs whistleblowing. Whistleblowing needs anonymity. Anonymity is provided by Tor.

But my motivation is much bigger (and a few inches in size): the Stasi surveillance files about my parents. Here is the ridiculously small Stasi file about me.

status

A few statistics about the Tor relay are provided at atlas and by nusenu.

break-in, DDoS and more

A break-in attempt using the BOINC client happened on 6 Nov 2014. Here are a few DDoS examples from the past:
27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21st of Jul 2016 (>180 MBit/s, values and graph), 22nd of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a hardened Gentoo Linux
  • minimal Linux kernel config, no modules, no USB (reason)
  • /tmp is a tmpfs, swap is encrypted
  • network: static IP address; dnsmasq is used as a local DNSSEC-validating resolver, configured following this wiki:
    1. install dnsmasq
    2. remove all nameserver entries from /etc/resolv.conf except nameserver 127.0.0.1 (so every lookup goes through the local dnsmasq)
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your ISP (and no external ones, if this paper is right) as server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, e.g.: $> dig com. any +dnssec, and check that the answer carries the ad (authenticated data) flag
  • all incoming ports except ssh, DirPort and ORPort are closed; per-source connection limits against DDoS (for IPv6 replace mask 32 with mask 128):
          -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
          -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
        
  • sshd listens on a non-default port, no password login, no root login, key exchange forced to an elliptic-curve algorithm (KexAlgorithms curve25519-sha256@libssh.org in /etc/ssh/sshd_config)
  • weekly cron job (since Logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • a Tor exit notice is served at both the IPv4 and the IPv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)
  • I wrote these helper scripts for my own purposes.
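The resolver setup and the connection-limit rules above, as an added example (not the author's helper scripts and not the page's own code): a POSIX sh script that prints the dnsmasq.conf described in steps 1 to 5, checks that /etc/resolv.conf points only at the local dnsmasq, and generates the connlimit rules for both address families so the mask 32 / mask 128 difference is not hand-edited. Assumptions made here: DirPort 80 and ORPort 443 (the ports in the rules above), RFC 5737 placeholder addresses for the ISP resolvers, and a trust-anchor file at /usr/share/dnsmasq/trust-anchors.conf, whose location varies between distributions.

```shell
#!/bin/sh
# Added example, not the page author's helper scripts: generate the dnsmasq
# resolver config and the per-source connection limits described above, for
# both address families.  Assumed values: DirPort 80, ORPort 443, and a
# trust-anchor file at /usr/share/dnsmasq/trust-anchors.conf (the path of
# that file differs between distributions; check your dnsmasq package).

# Print a dnsmasq.conf that forwards only to the given (ISP) nameservers,
# caches 10000 entries and validates DNSSEC.  dnssec-check-unsigned makes
# dnsmasq prove (via the parent's DS records) that an unsigned answer really
# belongs to an unsigned zone, instead of accepting stripped signatures.
dnsmasq_conf() {
    for ns in "$@"; do
        printf 'server=%s\n' "$ns"
    done
    printf 'cache-size=10000\n'
    printf 'conf-file=/usr/share/dnsmasq/trust-anchors.conf\n'
    printf 'dnssec\n'
    printf 'dnssec-check-unsigned\n'
}

# Return 0 if every nameserver line in the given resolv.conf points at the
# local dnsmasq (127.0.0.1), 1 if any external resolver is still listed.
resolv_conf_ok() {
    if grep '^nameserver' "$1" \
        | grep -v '^nameserver[[:space:]]*127\.0\.0\.1[[:space:]]*$' \
        | grep -q .; then
        return 1
    fi
    return 0
}

# Print the connlimit rules for one address family.  A /32 mask means "per
# IPv4 source address"; the IPv6 equivalent is /128.  Each rule drops a NEW
# connection when the same source already holds more than two to that port.
# Usage: connlimit_rules 4 80 443
connlimit_rules() {
    fam=$1
    shift
    case "$fam" in
        4) cmd=iptables;  mask=32 ;;
        6) cmd=ip6tables; mask=128 ;;
        *) echo "unknown address family: $fam" >&2; return 2 ;;
    esac
    for port in "$@"; do
        printf '%s -A INPUT -p tcp --destination-port %s --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask %s -j DROP\n' \
            "$cmd" "$port" "$mask"
    done
}

# Step 5: a DNSSEC-validated answer from dnsmasq carries the "ad" flag.
# Needs a running dnsmasq and network access, so the offline self-test
# below does not call it.
dnssec_validates() {
    dig @127.0.0.1 +dnssec "${1:-com.}" SOA | grep -q '^;; flags:.* ad[ ;]'
}

# Usage: ./relay-config.sh show   prints the generated config for review.
if [ "${1:-}" = "show" ]; then
    dnsmasq_conf 192.0.2.53 192.0.2.54   # placeholder ISP resolvers (RFC 5737)
    connlimit_rules 4 80 443
    connlimit_rules 6 80 443
fi
```

The generated rules only rate-limit; they assume the rest of the ruleset already drops everything except ssh, DirPort and ORPort and accepts ESTABLISHED,RELATED traffic (and, for IPv6, ICMPv6, without which neighbour discovery breaks).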

  • "Tor" and the "Onion Logo" are registered trademarks of Torproject, Inc.
