Message-ID: <53910BB5.3090708@sky-ip.org>
Date: Fri, 06 Jun 2014 03:30:45 +0300
From: s7r <s7r@sky-ip.org>
To: tor-talk@lists.torproject.org
References: <ff3e43bd5fc83768249ff735637fe35d.squirrel@fulvetta.riseup.net>
In-Reply-To: <ff3e43bd5fc83768249ff735637fe35d.squirrel@fulvetta.riseup.net>
Subject: Re: [tor-talk] Security concerns with running an exit relay

On 6/6/2014 2:57 AM, ondesmartenot@riseup.net wrote:
> Hello,
> 
> I am interested in running a Tor exit relay, and I have
> successfully set one up in the past, but I took it down because I
> realized that I do not have any clue how to protect myself if
> someone who sees lots of Tor traffic exiting from my IP address
> decides to attack my router or computer.
> 
> Can you point me to any documentation relating to maintaining your
> relay's security? I know that computer security is a large and
> complex problem, but just some basic information on likely threats
> and tips to protect against them would be much appreciated.
> 
> Thanks so much for making the internet awesome, Ondes
> 
> 
Hi,

Well there is nothing magic about it. Just run it as you would any
server, keep it maintained and up to date and of course don't easily
allow remote access to it so somebody can fish it at first mass scan.
Install the latest stable version including its dependencies and make
sure you run up to date versions for all you have installed on the server.

Make sure you use NTP to sync the time and have accurate time on your
server - Tor needs the right time, especially if you are a relay. A
good practice is to run ORPort on 443 and DirPort 80 for easy
connectivity, and include a DirPortFrontPage argument to point to an
HTML file which explains what Tor is and that the said IP is a Tor
exit router. You can find an example for this page if you google "this
is a tor exit router" and modify the content slightly according to
your needs.

If you are an exit relay it is recommended you run your own recursive
DNS resolver on localhost too (BIND). Use a DirPortFrontPage argument
in torrc.

I suggest you don't run the relay on your computer. Find a reasonable
ISP and rent a server / virtual server, run it from there. If you
google "how to install tor <insert your operating system here>" you
will find plenty of tutorials. Just edit the torrc file to act as a
relay. Provide a good contact email address, so people can contact you
and enter your exit policy. I would recommend you to block just port
25 SMTP, to prevent spam. But if you host your relay in a
torrent-unfriendly place, block higher ports also for p2p. But, p2p by
definition cannot be really permanently blocked (via destination:port)
no matter what.

If you find trouble in doing it or if you have any other questions
mail me.

- -- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
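
Added example (not part of the original message or of Tor itself): a small Python check that reads a torrc and reports which of the settings recommended in the reply above are missing. The sample torrc is constructed; its nickname, front-page path and contact address are placeholder assumptions, and exit-policy evaluation is simplified to wildcard-address rules.

```python
import re

# Constructed sample torrc following the reply's advice; values are placeholders.
SAMPLE_TORRC = """\
Nickname exampleexit
ORPort 443
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
ContactInfo Relay Operator <abuse AT example DOT org>
ExitPolicy reject *:25
ExitPolicy accept *:*
"""

def parse_torrc(text):
    """Map lower-cased option name -> list of values (options may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            key, *rest = line.split(None, 1)
            opts.setdefault(key.lower(), []).append(rest[0] if rest else "")
    return opts

def exits_to_port(rules, port):
    """First-match result for `port`: True/False, or None if no rule matches.
    Simplification: only wildcard-address rules (*:PORT) are evaluated."""
    for rule in rules:
        m = re.fullmatch(r"(accept|reject)\s+\*:(\*|\d+)(?:-(\d+))?", rule.strip())
        if m and (m[2] == "*" or int(m[2]) <= port <= int(m[3] or m[2])):
            return m[1] == "accept"
    return None

def audit(text):
    """Return findings; an empty list means the reply's advice is followed."""
    o, findings = parse_torrc(text), []
    for opt, want in (("orport", "443"), ("dirport", "80")):
        got = [v.split()[0].rsplit(":", 1)[-1] for v in o.get(opt, []) if v]
        if want not in got:
            findings.append(f"{opt}: found {got or 'nothing'}, reply suggests {want}")
    for opt in ("dirportfrontpage", "contactinfo"):
        if not any(o.get(opt, [])):
            findings.append(f"{opt}: not set")
    rules = [r for v in o.get("exitpolicy", []) for r in v.split(",")]
    if exits_to_port(rules, 25) is not False:
        findings.append("exitpolicy: no explicit rule rejects *:25 (SMTP)")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC) or "torrc follows the reply's advice")
```

Because exit policies are evaluated first-match, a `reject *:25` line placed after `accept *:*` never takes effect, and the check reports it as missing.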

