The crisis in the Ukraine triggert me to run a Tor exit relay.
But my motivation is much bigger (and few inches in size): the Stasi
observation files about my parents - few hundred pages.
In contrast the ridiculous 9 (almost blackened) pages about me (here).
Freedom needs free press.
Free press needs whistle-blowing.
Whiste-blowing needs anonymity.
Anonymity is provided by Tor.
The current ranking is given here.
Few more stats of the Tor relay are seen at
break in attempts, DDoS and more
A breakin attempt using the BOINC client happened at 6th of Nov 2014.
And here're few DDoS examples from the past:
27th of April 2015 (>300 MBit/s),
20th of Nov 2015 (34 MBit/s, more),
30th of Jan 2016 (>500 MBit/s),
20th of March 2016 (>900 MBit/s, values),
13th of Jun 2016 (>65 MBit/s),
7th of Jun 2016 (>275 MBit/s),
21th of Jul 2016 (>180 MBit/s, values and graph),
22th of Jul 2016 (>250 Kpck/s, graph, ticket),
I followed the Tor Exit Guidelines,
especially the Reduced Exit Policy.
OS is a hardened Gentoo Linux
minimal linux kernel config, no modules, no USB (reason)
/tmp is a tmpfs,
swap is encrypted
network: static ip address
dnsmasq is used to have DNSSEC,
configured using this wiki:
incoming ports except
- install dnsmasq
- remove all
nameserver= entries from
- add all nameservers of your own ISP (and no other, this paper explains the reason) as lines like
- activate DNSSEC (look for
- start dnsmasq
- verify name resolution, eg.:
$> dig com. any +dnssec
ORPort are closed
sshd listens at a non-default port, no password login, no root login,
force elliptic-curve algorithm for key exchange
weekly cron job (since logjam):
openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
provided a Tor exit notice both at the ipv4 and ipv6 address of the relay
homepage is legal-checked (contact, impressum and disclaimer)
I wrote for my own purpose these helper scripts.
"Tor" and the "Onion Logo" are registered trade marks of Torproject, Inc.
back to my home page