Tor server


why

The trigger for me to provide a Tor exit relay was the crisis in Ukraine in 2014.

But my motivation is much bigger (and a few inches in size): the Stasi observation files about my parents.

Finally, I'm convinced that freedom needs whistleblowing. And the latter isn't possible without anonymity.

BTW, the Stasi file about myself is very small, just a few pages. Here's the scan.

status

The status of my relay is provided at atlas and torstatus. The Tor project provides a lot of other metrics, e.g. about the network or relays. I wrote a few helper scripts for my own purposes; they are available here.

A break-in attempt using the BOINC client happened on the 6th of Nov 2014. And here are a few DDoS examples from the past:

27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21st of Jul 2016 (>180 MBit/s, values and graph), 22nd of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a 64-bit hardened Gentoo Linux (PaX + grsecurity)
  • minimal Linux kernel configuration (e.g. no USB), no modules
  • /tmp is a tmpfs, swap is encrypted
  • network: static ip address, dnsmasq is used as a local DNS cache, configured following this wiki for DNSSEC:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=127.0.0.1
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your ISP (and no external ones, if this paper is right) as server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, e.g.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed; DDoS handling (for IPv6 replace 32 with 128):
          -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
          -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
  • sshd listens on a non-default port, no password login, no root login, forced elliptic-curve algorithm for key exchange (KexAlgorithms curve25519-sha256@libssh.org in /etc/ssh/sshd_config)
  • weekly cron job (since Logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice at both the IPv4 and IPv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)
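
An added check script, not part of this page or of my relay setup, that verifies the outcome of steps 2, 3 and 5 of the dnsmasq/DNSSEC procedure above: resolv.conf must point only at 127.0.0.1, dnsmasq.conf must carry server=, cache-size, conf-file=, dnssec and dnssec-check-unsigned, and a saved `dig ... +dnssec` output must show the AD flag (i.e. dnsmasq actually validated the answer). It assumes conf-file= is the line that pulls in the trust anchors and that all paths are passed in by the caller.

```shell
#!/bin/sh
# Verifies the result of steps 2, 3 and 5 of the dnsmasq/DNSSEC setup.
# All file paths are passed in by the caller; any sample contents are constructed.

# active_lines FILE: config lines with comments, surrounding whitespace and blanks removed
active_lines() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_resolv_conf FILE (step 2): succeeds only if every nameserver line is 127.0.0.1
check_resolv_conf() {
  active_lines "$1" | awk '
    $1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
    END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# check_dnsmasq_conf FILE (step 3): prints the settings that are missing, fails if any
check_dnsmasq_conf() {
  missing=""
  # at least one upstream given as a bare address (server=ip-address)
  active_lines "$1" | grep -Eq '^server=[0-9a-fA-F.:]+$' || missing="$missing server="
  size=$(active_lines "$1" | sed -n 's/^cache-size=\([0-9]*\)$/\1/p' | tail -n 1)
  [ -n "$size" ] && [ "$size" -ge 10000 ] || missing="$missing cache-size>=10000"
  # assumption: conf-file= is the line that includes the DNSSEC trust anchors
  active_lines "$1" | grep -Eq '^conf-file=' || missing="$missing conf-file="
  active_lines "$1" | grep -Eq '^dnssec$' || missing="$missing dnssec"
  active_lines "$1" | grep -Eq '^dnssec-check-unsigned$' || missing="$missing dnssec-check-unsigned"
  [ -z "$missing" ] && return 0
  echo "missing:$missing"
  return 1
}

# dig_has_ad FILE (step 5): does saved `dig ... +dnssec` output carry the AD flag,
# i.e. was the answer validated by the local resolver?
dig_has_ad() {
  grep -Eq '^;; flags:.*[[:space:]]ad([[:space:];]|$)' "$1"
}
```

Run it after step 4 against /etc/resolv.conf, /etc/dnsmasq.conf and the redirected output of the dig command from step 5; a missing AD flag with an otherwise complete config usually means the trust anchors were not loaded.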

  • "Tor" and the "Onion Logo" are registered trademarks of Torproject, Inc.
