Tor server


why

The crisis in Ukraine triggered me to run a Tor exit relay.
Freedom needs free press. Free press needs whistle-blowing. Whistle-blowing needs anonymity. Anonymity is provided by Tor.

But my motivation is much bigger (and a few inches in size): the Stasi observation files about my parents - a few hundred pages.

FWIW here are the ridiculous 9 (almost completely blacked-out) pages about me.

status

A few stats about the Tor relay can be seen at atlas; its ranking is provided by nusenu.

break-in attempts, DDoS and more

A break-in attempt using the BOINC client happened on the 6th of Nov 2014. And here are a few DDoS examples from the past:
27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21st of Jul 2016 (>180 MBit/s, values and graph), 22nd of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a hardened Gentoo Linux
  • minimal Linux kernel config, no modules, no USB (reason)
  • /tmp is a tmpfs, swap is encrypted
  • network: static IP address; for DNSSEC dnsmasq is used, configured following this wiki:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=127.0.0.1
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your ISP (and no external ones, if this paper is right) as server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, e.g.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed; simple DDoS prevention logic (for IPv6 replace mask 32 with mask 128):
          -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
          -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
        
  • sshd listens on a non-default port, no password login, no root login, elliptic-curve key exchange is enforced ( KexAlgorithms curve25519-sha256@libssh.org in /etc/ssh/sshd_config )
  • weekly cron job (since Logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice at both the IPv4 and the IPv6 address of the relay
  • homepage is legally checked (contact, impressum and disclaimer)
  • I wrote for my own purpose these helper scripts.
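Worked example for the dnsmasq steps above (added here; not code from the page or its author). It renders the config lines from steps 2 and 3 and checks a resolv.conf and a dnsmasq.conf against them, so a stray external nameserver that bypasses the local resolver, or a missing dnssec line, is caught before the relay depends on it. The 192.0.2.x nameserver addresses are constructed, and the trust-anchors path is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example, not code from the original page: render the dnsmasq
# settings from steps 2 and 3 above and check the two files they touch.
# The nameserver addresses used in the demo are constructed (TEST-NET-1),
# and the trust-anchors path is an assumption that varies by distribution.

# Print a dnsmasq.conf fragment for the given upstream (ISP) nameservers.
dnsmasq_conf_fragment() {
    for ns in "$@"; do
        echo "server=$ns"
    done
    echo "cache-size=10000"
    # Root KSK trust anchors shipped with dnsmasq (path is an assumption).
    echo "conf-file=/usr/share/dnsmasq/trust-anchors.conf"
    echo "dnssec"
    echo "dnssec-check-unsigned"
}

# Return 0 when the only nameserver in the given resolv.conf is 127.0.0.1,
# i.e. every lookup on the box goes through the local validating dnsmasq.
check_resolv_conf() {
    file=$1
    total=$(grep -c '^nameserver' "$file" || true)
    local_only=$(grep -c '^nameserver[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$file" || true)
    [ "${total:-0}" -ge 1 ] && [ "${total:-0}" -eq "${local_only:-0}" ]
}

# Return 0 when dnsmasq.conf has at least one upstream server and every
# DNSSEC-related setting from step 3; the first missing line is reported.
check_dnsmasq_conf() {
    file=$1
    for pattern in '^server=' '^cache-size=10000$' '^conf-file=.*trust-anchors' \
                   '^dnssec$' '^dnssec-check-unsigned$'; do
        grep -q "$pattern" "$file" || { echo "missing: $pattern" >&2; return 1; }
    done
}

# Demo on constructed files in a temp dir; /etc is never touched.
demo() {
    tmp=$(mktemp -d)
    dnsmasq_conf_fragment 192.0.2.53 192.0.2.54 > "$tmp/dnsmasq.conf"
    printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.good"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/resolv.bad"
    check_dnsmasq_conf "$tmp/dnsmasq.conf" && echo "dnsmasq.conf: ok"
    check_resolv_conf "$tmp/resolv.good" && echo "resolv.good: ok"
    check_resolv_conf "$tmp/resolv.bad" || echo "resolv.bad: an external nameserver bypasses dnsmasq"
    rm -rf "$tmp"
}

demo
```

Run it on the real files with `check_resolv_conf /etc/resolv.conf` and `check_dnsmasq_conf /etc/dnsmasq.conf` after step 4; a non-zero exit means the resolver is not yet in the state the steps describe.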
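Worked example for the firewall item above (added here; not the author's own rules). It renders an iptables-restore ruleset for either address family from the ssh, DirPort and ORPort numbers: INPUT defaults to DROP, loopback and established traffic are allowed, and the connlimit DROP rules sit before the ACCEPT rules, with mask 32 for IPv4 and 128 for IPv6 so the limit counts single hosts in both families. The ICMP lines are my addition, and the port numbers 2222/80/443 are constructed values, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: generate an
# iptables-restore ruleset that implements the policy described above
# (everything closed except ssh, DirPort and ORPort, per-source connection
# limit on the Tor ports) for one address family. Nothing is applied;
# the port numbers in the demo are constructed values.

# usage: tor_relay_rules <4|6> <ssh-port> <DirPort> <ORPort>
# The connlimit mask is /32 for IPv4 and /128 for IPv6, so the limit of
# 2 new connections applies per single source host in both families.
tor_relay_rules() {
    fam=$1; ssh=$2; dir=$3; orp=$4
    case "$fam" in
        4) mask=32;  icmp='-p icmp -m limit --limit 5/s -j ACCEPT' ;;
        6) mask=128; icmp='-p ipv6-icmp -j ACCEPT' ;;   # required for neighbour discovery
        *) echo "address family must be 4 or 6" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT $icmp
-A INPUT -p tcp --destination-port $dir -m conntrack --ctstate NEW -m connlimit --connlimit-above 2 --connlimit-mask $mask -j DROP
-A INPUT -p tcp --destination-port $orp -m conntrack --ctstate NEW -m connlimit --connlimit-above 2 --connlimit-mask $mask -j DROP
-A INPUT -p tcp --destination-port $ssh -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --destination-port $dir -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --destination-port $orp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Demo: print both families for a relay with ssh on 2222, DirPort 80 and
# ORPort 443 (constructed values). To apply:
#   tor_relay_rules 4 2222 80 443 | iptables-restore
#   tor_relay_rules 6 2222 80 443 | ip6tables-restore
tor_relay_rules 4 2222 80 443
tor_relay_rules 6 2222 80 443
```

The connlimit DROP rules are emitted before the ACCEPT rules on purpose: iptables evaluates in order, so a source that already holds two new connections to a Tor port is dropped before the general ACCEPT would let it in.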

  • "Tor" and the "Onion Logo" are registered trademarks of Torproject, Inc.
