Tor server


why

The crisis in the Ukraine triggered me to run a Tor exit relay.

But my motivation is much bigger (and a few inches in size): the Stasi observation files about my parents - a few hundred pages.
In contrast, the ridiculous 9 (almost blackened) pages about me (here).

My opinion: Freedom needs free press. Free press needs whistle-blowing. Whistle-blowing needs anonymity. Anonymity is provided by Tor.

status

The status of the Tor relay can be seen at atlas. All exit families are ranked here.

DDoS and more

An unusual behavior, in which a BOINC client was also involved, happened on the 6th of Nov 2014. And here are a few DDoS examples from the past:
  • 27th of April 2015 (>300 MBit/s)
  • 20th of Nov 2015 (34 MBit/s, more)
  • 30th of Jan 2016 (>500 MBit/s)
  • 20th of March 2016 (>900 MBit/s, values)
  • 13th of Jun 2016 (>65 MBit/s)
  • 7th of Jun 2016 (>275 MBit/s)
  • 21st of Jul 2016 (>180 MBit/s, values and graph)
  • 22nd of Jul 2016 (>250 Kpck/s, graph, ticket)
  • ...

my setup

  • I followed the Tor Exit Guidelines, especially the Reduced Exit Policy.
  • OS is a hardened Gentoo Linux
  • minimal Linux kernel config, no modules, no USB (reason)
  • /tmp is a tmpfs, swap is encrypted
  • network: static ip address
  • dnsmasq is used to have DNSSEC, configured using this wiki:
    1. install dnsmasq
    2. remove all nameserver= entries from /etc/resolv.conf except nameserver=127.0.0.1
    3. edit /etc/dnsmasq.conf:
      • add all nameservers of your own ISP (and no other, this paper explains the reason) as lines like server=ip-address
      • set cache-size=10000
      • activate DNSSEC (look for conf-file=, dnssec and dnssec-check-unsigned)
    4. start dnsmasq
    5. verify name resolution, e.g.: $> dig com. any +dnssec
  • incoming ports except ssh, DirPort and ORPort are closed
  • sshd listens on a non-default port, no password login, no root login, elliptic-curve algorithm enforced for key exchange (KexAlgorithms curve25519-sha256@libssh.org in /etc/ssh/sshd_config)
  • weekly cron job (since logjam): openssl dhparam -out /etc/ssl/private/dhparams.pem 2048 2>/dev/null
  • provided a Tor exit notice both at the ipv4 and ipv6 address of the relay
  • homepage is legal-checked (contact, impressum and disclaimer)
  • I wrote these helper scripts for my own purposes.
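As an added example (not from this page and not one of the helper scripts it links), here is a small POSIX shell audit that checks the resolver and sshd settings listed above against constructed sample files: a hardened set that follows the list and a weak set that does not. The forwarder addresses 192.0.2.53 and 192.0.2.54 are RFC 5737 documentation addresses standing in for the ISP's own nameservers, the trust-anchor path is an assumption, and the file names and check names are chosen here.

```shell
#!/bin/sh
# Added example (not from the page): audit dnsmasq, resolv.conf and sshd_config
# against the settings in the setup list. All files below are constructed samples
# written to a temp directory; 192.0.2.x are placeholders for the ISP resolvers.
set -u

WORK="$(mktemp -d)"

# --- constructed samples: a hardened set and a weak set ---------------------
cat > "$WORK/dnsmasq.conf" <<'EOF'
server=192.0.2.53
server=192.0.2.54
cache-size=10000
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
EOF
cat > "$WORK/dnsmasq-weak.conf" <<'EOF'
server=192.0.2.53
server=203.0.113.1
cache-size=150
EOF
printf 'nameserver 127.0.0.1\n' > "$WORK/resolv.conf"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$WORK/resolv-weak.conf"
cat > "$WORK/sshd_config" <<'EOF'
Port 2222
PasswordAuthentication no
PermitRootLogin no
KexAlgorithms curve25519-sha256@libssh.org
EOF
cat > "$WORK/sshd_config-weak" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF

# has_option FILE EXTENDED_REGEX: true if an uncommented line matches the regex
has_option() { grep -Eq "^[[:space:]]*$2" "$1"; }

# check_dnsmasq CONF ALLOWED_IP...: every server= line must be one of the ISP
# resolvers, cache-size >= 10000, DNSSEC validation on with a trust-anchor file.
check_dnsmasq() {
    conf="$1"; shift
    allowed=" $* "
    for ip in $(sed -n 's/^[[:space:]]*server=//p' "$conf"); do
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "dnsmasq: forwarder $ip is not an ISP resolver"; return 1 ;;
        esac
    done
    size="$(sed -n 's/^[[:space:]]*cache-size=//p' "$conf" | tail -n 1)"
    [ "${size:-0}" -ge 10000 ] || { echo "dnsmasq: cache-size is ${size:-unset}, want >= 10000"; return 1; }
    has_option "$conf" 'dnssec[[:space:]]*$' || { echo "dnsmasq: dnssec not enabled"; return 1; }
    has_option "$conf" 'dnssec-check-unsigned' || { echo "dnsmasq: dnssec-check-unsigned missing"; return 1; }
    has_option "$conf" 'conf-file=.*trust-anchors' || { echo "dnsmasq: no trust-anchor conf-file"; return 1; }
}

# check_resolv FILE: the only nameserver entry must be the local dnsmasq
check_resolv() {
    stray="$(sed -n 's/^[[:space:]]*nameserver[[:space:]]*//p' "$1" | grep -v '^127\.0\.0\.1$' || true)"
    [ -z "$stray" ] || { echo "resolv.conf: bypasses dnsmasq via $stray"; return 1; }
    has_option "$1" 'nameserver[[:space:]]+127\.0\.0\.1' || { echo "resolv.conf: 127.0.0.1 missing"; return 1; }
}

# check_sshd FILE: non-default port, no password login, no root login,
# key exchange restricted to curve25519
check_sshd() {
    port="$(sed -n 's/^[[:space:]]*Port[[:space:]]*//p' "$1" | head -n 1)"
    [ "${port:-22}" -ne 22 ] || { echo "sshd: listens on default port 22"; return 1; }
    has_option "$1" 'PasswordAuthentication[[:space:]]+no' || { echo "sshd: password login allowed"; return 1; }
    has_option "$1" 'PermitRootLogin[[:space:]]+no' || { echo "sshd: root login allowed"; return 1; }
    has_option "$1" 'KexAlgorithms[[:space:]]+curve25519-sha256@libssh\.org[[:space:]]*$' \
        || { echo "sshd: kex not restricted to curve25519"; return 1; }
}

# audit DNSMASQ RESOLV SSHD: run every check, report findings, 0 only if all pass
audit() {
    rc=0
    check_dnsmasq "$1" 192.0.2.53 192.0.2.54 || rc=1
    check_resolv "$2" || rc=1
    check_sshd "$3" || rc=1
    return "$rc"
}

echo "hardened set:"
audit "$WORK/dnsmasq.conf" "$WORK/resolv.conf" "$WORK/sshd_config" && echo "  all checks passed"
echo "weak set:"
audit "$WORK/dnsmasq-weak.conf" "$WORK/resolv-weak.conf" "$WORK/sshd_config-weak" || echo "  findings listed above"
```

To audit a real relay, call `audit /etc/dnsmasq.conf /etc/resolv.conf /etc/ssh/sshd_config` after replacing the placeholder addresses in `audit` with the ISP's resolvers; the forwarder check is the one that catches the case the cited paper warns about, a stray public resolver leaking exit DNS traffic outside the ISP.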

  • "Tor" and the "Onion Logo" are registered trade marks of Torproject, Inc.
