The crisis in Ukraine triggered me to run a Tor exit relay.

But my motivation is much bigger (and a few inches thick): the Stasi observation files about my parents, a few hundred pages.
In contrast, the ridiculous 9 (almost entirely blacked-out) pages about me (here).

In general: Freedom needs free press. Free press needs whistle-blowing. Whistle-blowing needs anonymity. Anonymity is provided by Tor.


The current ranking is given here. A few more stats of the Tor relay can be seen at atlas.

break-in attempts, DDoS and more

A break-in attempt using the BOINC client happened on the 6th of Nov 2014. And here are a few DDoS examples from the past:
27th of April 2015 (>300 MBit/s), 20th of Nov 2015 (34 MBit/s, more), 30th of Jan 2016 (>500 MBit/s), 20th of March 2016 (>900 MBit/s, values), 13th of Jun 2016 (>65 MBit/s), 7th of Jun 2016 (>275 MBit/s), 21st of Jul 2016 (>180 MBit/s, values and graph), 22nd of Jul 2016 (>250 Kpck/s, graph, ticket), ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a hardened Gentoo Linux
  • minimal Linux kernel config, no modules, no USB (reason)
  • /tmp is a tmpfs, swap is encrypted
  • network: static ip address
  • dnsmasq is used to have DNSSEC, configured using this wiki:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your own ISP (and no others; this paper explains the reason) as lines of the form server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, e.g.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed; DDoS prevention rules (for IPv6 replace mask 32 with mask 128):
          -A INPUT -p tcp --destination-port  80 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
          -A INPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
  • sshd listens at a non-default port, no password login, no root login, force elliptic-curve algorithm for key exchange ( KexAlgorithms in /etc/ssh/sshd_config )
  • weekly cron job (since logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice at both the IPv4 and IPv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)
  • I wrote these helper scripts for my own purposes.
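The dnsmasq steps above (install, point resolv.conf at the local resolver, add only the ISP's nameservers, set the cache size, enable DNSSEC, verify with dig), written out as one POSIX shell script. This is an added example and not one of the author's helper scripts: it renders the dnsmasq.conf described in the list and checks a dig answer for the DNSSEC "ad" (authenticated data) flag, which a validating resolver sets only on answers it could validate. The trust-anchor path, the 127.0.0.1 listen address and the 192.0.2.x nameserver addresses in the usage comment are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not the author's scripts): render the dnsmasq.conf described
# above and check a dig answer for the DNSSEC "ad" flag.

# Root trust anchors shipped with dnsmasq; assumed path, adjust for your distro.
TRUST_ANCHORS="${TRUST_ANCHORS:-/usr/share/dnsmasq/trust-anchors.conf}"

# is_ipv4 ADDR: dotted-quad check so a typo never becomes an upstream resolver.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# render_dnsmasq_conf NS1 [NS2 ...]: print the configuration to stdout.
# Pass only your own ISP's resolvers, as the list above says.
render_dnsmasq_conf() {
  [ $# -ge 1 ] || { echo "need at least one upstream nameserver" >&2; return 1; }
  for ns in "$@"; do
    is_ipv4 "$ns" || { echo "not an IPv4 address: $ns" >&2; return 1; }
  done
  echo "no-resolv"                   # ignore /etc/resolv.conf; upstreams come from server= only
  echo "listen-address=127.0.0.1"    # assumed: the relay's resolv.conf points here
  for ns in "$@"; do echo "server=$ns"; done
  echo "cache-size=10000"
  echo "conf-file=$TRUST_ANCHORS"    # root trust anchors, required for validation
  echo "dnssec"                      # validate upstream answers
  echo "dnssec-check-unsigned"       # prove that unsigned zones really are unsigned
}

# has_ad_flag: read dig output on stdin; succeed only if the resolver set the
# "ad" bit, i.e. the answer was DNSSEC-validated.
has_ad_flag() {
  grep -q '^;; flags:.*[ ,]ad[ ;]'
}

# Usage on the relay (as root), with constructed example upstreams:
#   render_dnsmasq_conf 192.0.2.53 192.0.2.54 > /etc/dnsmasq.conf
#   /etc/init.d/dnsmasq restart
#   dig com. any +dnssec @127.0.0.1 | has_ad_flag && echo "DNSSEC validation works"
[ $# -eq 0 ] || render_dnsmasq_conf "$@"
```

If `has_ad_flag` fails although resolution works, dnsmasq is forwarding but not validating; the usual causes are a missing or wrong `conf-file=` trust-anchor path or an upstream that strips DNSSEC records.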

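The two connlimit rules in the list, generalised to a complete INPUT chain: everything incoming is dropped except loopback, established traffic, the ssh port, and the DirPort and ORPort, where the per-source limit on new connections applies with mask 32 for IPv4 and mask 128 for IPv6 as the list states. This is an added example, not the author's firewall script; it goes beyond the page by adding the loopback, ESTABLISHED,RELATED and (for IPv6) ICMPv6 accept rules that a default-DROP policy needs, and the port numbers in the usage comment are placeholders. The function prints iptables-restore syntax instead of touching the kernel, so the output can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not the author's script): generate the INPUT chain described
# above in iptables-restore format for IPv4 ("inet") or IPv6 ("inet6").

# is_port N: accept only 1..65535.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ruleset FAMILY SSH_PORT PORT...: print a filter table for FAMILY.
# SSH_PORT is accepted directly; every further PORT (DirPort, ORPort) is
# limited to 2 concurrent connections per source address before being accepted.
ruleset() {
  fam=$1; ssh_port=$2; shift 2
  case "$fam" in
    inet)  mask=32 ;;     # one IPv4 address
    inet6) mask=128 ;;    # one IPv6 address (the page's "replace mask 32 with mask 128")
    *) echo "family must be inet or inet6" >&2; return 1 ;;
  esac
  for p in "$ssh_port" "$@"; do
    is_port "$p" || { echo "bad port: $p" >&2; return 1; }
  done
  echo '*filter'
  echo ':INPUT DROP [0:0]'         # closed by default
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  # replies to our own connections, plus ICMP errors related to them (PMTU etc.)
  echo '-A INPUT --match conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  if [ "$fam" = inet6 ]; then
    # neighbour discovery is ICMPv6 and is not tracked as RELATED; without this IPv6 breaks
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
  fi
  echo "-A INPUT -p tcp --destination-port $ssh_port --match conntrack --ctstate NEW -j ACCEPT"
  for port in "$@"; do
    echo "-A INPUT -p tcp --destination-port $port --match conntrack --ctstate NEW --match connlimit --connlimit-above 2 --connlimit-mask $mask -j DROP"
    echo "-A INPUT -p tcp --destination-port $port --match conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# Usage (placeholder ports: 2222 for sshd, 80 DirPort, 443 ORPort):
#   ruleset inet  2222 80 443 | iptables-restore --test   && ruleset inet  2222 80 443 | iptables-restore
#   ruleset inet6 2222 80 443 | ip6tables-restore --test  && ruleset inet6 2222 80 443 | ip6tables-restore
[ $# -eq 0 ] || ruleset "$@"
```

The `--test` run parses the table without loading it, which matters on a remote box where a typo in the ssh rule locks you out. With the author's modules-free kernel, `connlimit` and `conntrack` have to be built in (CONFIG_NETFILTER_XT_MATCH_CONNLIMIT and the conntrack options), otherwise iptables-restore rejects the rules.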
