IRC Archive / Oftc / #tor / 2010 / January / 11 / 1
pipe
Yo. I'm playing with setting up a tor exit node, and I wonder why it's not showing up as "Exit" in a list such as http://moria.seul.org:9032/tor/status/authority
Sebastian
Does it log that it tested reachability successfully?
pipe
Yep. "Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor."
Sebastian
How long ago was that?
pipe
My node shows up in the list, "piratpartietpwnz", but it's not listed as an exit node
About an hour
atagar
patience, it takes a while
pipe
Ah ok.
I had two ideas, one is that, as you say, it takes a while
The other because I'm only allowing connections to 4 ports
(web and mail, basically)
Sebastian
pipe: which ports exactly are you allowing?
pipe
80, 110, 143
atagar
others would know better but isn't providing email exits discouraged due to spam?
pipe
I thought it was port 25
Sebastian
pipe: to get the "Exit" flag, you need to exit to two of the three ports 80, 443, and 6667
pipe: your node will act like an exit even if you don't have the flag.
pipe
Sebastian: Thank you
I'll add 443
Sebastian
you should.
allowing 80, 110, 143 looks very suspicious
pipe
Well I only want ports I recognize
I'm a bit picky with the ports since last time I tried to be an exit node I got banned from IRC etc
Are there any other "safe" ports you know?
Sebastian
right. But you basically only allowed ports used by plaintext protocols by default. That's not so cool
22 should be good (ssh), 995 and 993
pipe
Well hm, I suppose I could check the ssl versions of pop3 and imap
Sebastian
that's 993 and 995.
pipe
And can you really use ssh over the tor network?
I'm thinking about the latency..
Sebastian
Sure
I've used ssh over hidden service before
pipe
nice
Sebastian
ssh remains very usable even with high latency
atagar
How stable was it? Did you need a screen session for persistence?
Sebastian
I used screen by default, think I lost connection once in a 3hour period
but that doesn't help much, because that's just luck. I think screen is definitely recommended.
pipe
There are quite many more times I wish I'd started a screen, than times that I wish I hadn't started a screen.. :)
Ok, now I've added some more nice ports that should be "safe", I'll come back if that didn't help.
Sebastian
great, thanks for running a relay :)
pipe
Let's see how long I have the guts to do it, I'm reading this at the moment: http://calumog.wordpress.com/2009/03/18/why-you-need-balls-of-steel-to-operate-a-tor-exit-node/
arma
pipe: see https://www.torproject.org/faq#ExitPolicies and the links it has, too
atagar
really depends on the ports - there's been discussions in the archives about which ports will cut down on abuse complaints
nsa
or: phobos committed revision 21391 (/projects/misc-sysadmin): add the onion-names, update captains log, update hostlist and namelist
atagar
also be aware that bandwidth might be an issue with some isps (got a nastygram from comcast for instance)
pipe
atagar: That's never a problem here in Sweden, fortunately
atagar
nice ;)
pipe
I even told my ISP that I need a lot of upstream bandwidth because I seed a lot of torrents :P
nsa
or: phobos committed revision 21392 (/website/trunk): switch to non-IM bundle for easy-download, update relay count.
or: phobos committed revision 21395 (/projects/misc-sysadmin): add the list of onion genus for hostnames, update the namelist to
or: reflect current state.
or: phobos committed revision 21396 (/website/trunk/en): switch to the non-pidgin tbb by default.
or: phobos committed revision 21397 (/website/trunk): update the relay count.
Piet
hi, is there a technical description of the 'bridges' concept?
i'm wondering how safe it is against MITM attacks
reading https://www.torproject.org/bridges.html.en so far only makes me think 'bridge' can actually be considered a synonym for 'proxy' or 'man in the middle' depending on how you look at it.
phobos
it's an unpublished non-exit relay
Piet
oh so you still enter the tor network on your own computer, it's not that it is just proxied to the bridge and enters the tor network there?
phobos
yes
your tor client talks to a bridge, as if it was an entry relay
Piet
ah sounds good then
arma
piet: if you learn about your bridge along with a fingerprint for it, you're as safe against mitm as for a normal relay
if you learn about it without a fingerprint, not quite so good. but still mostly fine i think.
Piet
still, if an attacker can make it so that s/he controls any bridges then they can determine who is connecting through bridges
arma
see bridges-spec.txt
Piet
arma: i can't find bridges-spec.txt in the stable nor unstable tarball
all i can find is this copy in google cache (since the webgit appears to be down or have moved) http://209.85.129.132/search?q=cache:p-Hkl5NXsnEJ:https://git.torproject.org/checkout/tor/master/doc/spec/bridges-spec.txt
arma
yep, that'll do
and, i'll fix the bug where we're failing to ship bridges-spec.txt. thanks.
phobos
what packages don't have it
arma
the tarball doesn't
piet: while you're using google cache, also ask it about blocking.pdf or blocking.html. that has even more info. :)
Piet
bridges-spec.txt refers to blocking.pdf, i'll have a look for it shortly
thanks for your help
regarding 2.2. of bridges-spec.txt, the issue with reachability/uptime monitoring of bridges ... it would be ideal if this could be shifted to the bridge users, i.e. those in censorship encumbered locations, since their availability testing would be most relevant.
arma
true.
want to figure out how to make that work? :)
Piet
i'm not really sure whether this can be designed so that it would be safe from malicious input, though.
I don't understand the Tor protocol yet and doubt I ever will in this lifetime. So I'm probably not the right person to give this a go. ;-)
Sebastian
This isn't related to understanding Tor so much
Rather, you want to distribute bridge information so that people can test it, without leaking it
You want people who cannot reach Tor because it is blocked to report their failure to you
etc
Piet
if their clients would gather availability stats and, once they have setup a tor connection successfully, transfer those stats to the directories, this could help quite a bit
Sebastian
So the directory authorities get to learn all bridge users? That sounds bad
Piet
but if you had a large enough botnet running modified tor clients which report incorrect stats so that all bridges are considered unusable that would break it.
here's blocking.pdf http://docs.google.com/viewer?a=v&q=cache:9WdtYO2x1VYJ:https://git.torproject.org/checkout/tor/master/doc/design-paper/blocking.pdf
they'd connect to tor to transmit their stats of course
they'd connect through tor to transmit their stats of course
Sebastian
So how are their stats going to be useful if they don't include something like geoip info
Piet
So I read of blocking.pdf which relates to bridges. It seems like the attack scenario and type of attack I was thinking of is not mentioned there, but I may have missed it.
If the attacker is already happy to just identify IP addresses of Tor users in a given area and then sends their buddies to beat these people up, the easiest thing the attacker can do is to become a bridge relay and have a network monitor running and grep for inbound connections from IP addresses in the given network range.
jr__
fiy
yup
arma
piet: true. but in practice, nobody gets beaten up for being a tor user. as a security person, yes, it's a concern to think about. but the reality is that it isn't a worry in most places.
Piet
It doesn't seem like there are any safeguards against this type of attack. But then, I guess TCP/IP doesn't allow for preventing this in general.
jr__
you can have the bridge in a different jurisdiction, but that doesn't help protect against an attacker monitoring connections
arma
if it *is* a worry, then get somebody you trust to set up the bridge you use.
Piet
jr__: it doesn't help against the attacker running that bridge either
arma
piet: if you think that's a concern, you should also have the concern for tor users that don't use bridges.
Piet
right, that's what i was thinking, too
and i am a bit concerned, but have no stats on whether or not this is an issue
you say it's not, or not currently, or not known to be rather, so that is somewhat good news.
but then if you have a really weird regime this kind of stuff is quite imaginable
i could imagine it to happen in .CN for example
arma
yeah, but it doesn't, in china.
nsa
or: nickm committed revision 21398 (/projects/todo): update iocp status even more
arma
nickm: hm, no or-cvs mail.
nickm
Sebastian said it would come from nickm@torproject.org when it came from me. Is he not allowed to send to or-cvs?
arma
nickm: he is allowed.
(Action) eyes the spamassassin process with 45 seconds of cpu time
keb
did someone update/fix the spamassassin 2010 bug
arma
http://archives.seul.org/or/cvs/Jan-2010/msg00021.html
that's a start
Piet
the bug is not in spamassassin, it is in 2010 ;-)
Weems
why would tor not be able to establish an encrypted directory connection?
keb
firewall blocking or openssl error are 2 possibilities
jr__
what os?
Weems
7
firewall is possible but how do I discover which error it is?
keb
there should be a tor log file with some clues in it
Weems
in the tor directory?
keb
depends which package did you install
Weems
vidalia bundle
arma
vidalia has a 'message log' window
Weems
ok
in program files or AppData folder?
keb
the vidalia application has a menu item that opens its message log window
if you right click on the green onion icon it should show up
arma
or the yellow onion icon, in your case :)
keb
the vidalia icon might be in the lower right corner system tray
oh yeah
arma
or double-click on it, you'll get the control panel, choose 'message log'
Weems
arma
perhaps you have a local firewall up that prevents outgoing connections from the tor process.
keb
could be an antivirus/security software
hmm Windows 7 shows up as major 6 minor 1. would Vista be 6.0 ?
Weems
no
well
I don't know
but I am on 7
tor log: http://pastie.org/773214
keb
norton, mcafee, kaspersky, trendmicro, panda, bitdefender etc may require you to explicitly authorize Tor.exe to make outgoing connections
dr|z3d
Any firewall with outgress prompting will likely ask.
keb
but if you miss the prompt, you have to go into the program and find the blockage
arma
Jan 10 23:02:58.577 [Info] TLS error: <syscall error while handshaking> (errno=10053: Software caused connection abort [WSAECONNABORTED ])
that's definitely something fishy happening on the client end. a software firewall of some sort.
keb
Weems : are you normally able to connect to HTTPS (SSL) sites with your browser? e.g. the Tor website
Weems
well I got it to connect.... somehow
it just randomly went green
I didn't do anything :d
well arma: I'm not running a software firewall
i am on a campus network which uses websense and blocks ports like bittorrent, and I have had some trouble on irc with dcc sends
jr__
heh
maybe you need a bridge
keb
sounds like tor found a way out
Adam44
Hello. Is the communication channel encrypted between a Tor exit node and a hidden service provider? Thank you.
misc
Adam44: well, a exit node is not used when using a hidden service
( well, not as a exit node per se )
Goldstein
does it matter what hardware u run a tor relay on in terms of performance?
Adam44
misc: Thanks for your answer. It seems I have a misconception about hidden services. Is it correct to say, though, the whole communication channel between a Tor client and a hidden service provider is encrypted?
misc
Adam44: yes
Adam44
misc: Thank you. Something else, I'd like to get help about. The FAQ 3.17. mention that an application should use SOCKS 4a and not SOCKS 4 or 5 to reach a hidden service. In Firefox, the TorButton selects SOCKS 5 and it seems to work fine (there's no SOCKS 4a anyway). Is this an appropriate setting?
pipe
yes
SOCKS5 can do lookups as well
Adam44
Might the FAQ be not up to date then?
pipe
No
It's been able to do this forever
Goldstein
does it matter what hardware u run a tor relay on in terms of performance?
pipe
Goldstein: Of course, it always does
Goldstein: You need to encrypt and decrypt all the traffic, but that doesn't take *that* much CPU, really
Goldstein
a celeron with 2gb ram ok?
pipe
depends on your network bandwidth
misc
depends on the network you want to serve and what part of the resources you want to allocate to tor, but this should be fine
Goldstein
2 tb/month
pipe
Hm, maybe
misc
well, how much kb/sec
pipe
That's quite fast
750 kbyte/s
I wouldn't be so sure that the celeron could do that.. but it might.
misc
i have RelayBandwidthRate 550 KBytes
on a 600 mhz pIII
pipe
heh ok
misc
and cpu is at 50/60 %
mhh no, it looks more like 30% after properly reading htop output
Goldstein
how many relays offer more than 1Mb/s?
pipe
I do, but I suppose you meant that as megabyte, not megabit?
Goldstein
whichever
what hosting co do you use?
pipe: what hosting co do you use?
pipe
Goldstein: Just a normal home isp
I have 24/10 megabit at home
Goldstein
how much does that cost?
is that common in .se?
pipe
Yeah, it's common
Hm, I don't know what I pay :D, it's not more than 400 SEK
per month
Google can translate that to whatever currency you like
Goldstein
what is se?
pipe
Sweden