Running a TOR exit node is a large responsibility, and it requires the understanding that this project will need maintenance as time goes on. The operating system must be maintained, kept up to date and held to a strict standard of security. You are taking a huge responsibility on yourself and have the security and safe surfing of all tor users on your shoulders.
No joke, here is some required reading.
Tips for running an exit node
Running a TOR exit node for fun and emails
Did you read it?
No? Go read it!
- Subdomain of a FQDN
- Abuse email
- Dedicated server
- Desire for a free and open internet
An abuse email is an address other people can use to contact you in the event they see abusive traffic coming from your server. I don't like the idea that there are people out there using the anonymity of the server to do something malicious, but it's a fact that needs to be thought through and deterred as much as possible.
Personally I don't think it is fair to use a shared server to perform something as bandwidth intensive as TOR can be. Each person on the hypervisor is allocated the same amount of resources, so if one user consumes all the bandwidth, other paying customers will be, rightfully, upset. For this reason, I prefer dedicated hardware.
Finally, a desire for a free and open internet is what running a TOR server enables. I run it because I see Internet Service Providers engaging in subpar or unfair business practices, whether it be blocking access to certain sites, such as social media, or logging all internet access and handing it over at will to any government agency that asks. I find these acts unlawful and will work toward a safe and neutral internet that is available for anyone to use, regardless of location or intention.
First, I recommend setting up a firewall and an intrusion protection system. In my opinion, the best "set and forget" way to do this is csf (ConfigServer Security & Firewall, an iptables front end that ships with the lfd login-failure daemon). Installation is straightforward but takes a bit of configuration to get the settings right. The goal is to open only the ports that are absolutely needed and block everything else inbound. Since this server does no packet forwarding, I leave outbound wide open; with stateful packet inspection (LF_SPI) enabled, replies to the relay's own outbound connections, including its DNS lookups, are admitted without separate inbound rules. Here is my section from /etc/csf/csf.conf which allows the Tor ports and SSH inbound. Of the inbound ports, 22 is SSH, 443 is the ORPort and 80 the directory port configured later in the torrc; 9030 and 9050 are Tor's default DirPort and SocksPort, and since this setup moves the directory port to 80 and rejects all SOCKS clients, those two could be dropped from TCP_IN (9050 in particular should never be reachable from outside).
# This option should be set to "1" in all other circumstances
LF_SPI = "1"
# Allow incoming TCP ports
TCP_IN = "22,80,443,9030,9050"
# Allow outgoing TCP ports
TCP_OUT = "1:65535"
# Allow incoming UDP ports
UDP_IN = "53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "1:65535"
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# e.g. "1/s"
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
Installation of TOR:
yum update -y
yum install epel-release -y
yum install tor -y
Do not use the packages in Ubuntu's universe. In the past they have not reliably been updated. That means you could be missing stability and security fixes.
Raspbian is not Debian. These packages will be confusingly broken for Raspbian users, since Raspbian called their architecture armhf but Debian already has an armhf. See this post for details.
Follow the official documentation for installation steps.
For a secure server, SELinux is a must. The stock targeted policy only lets the tor process bind ports labelled tor_port_t, so to run the directory port on 80 and the ORPort (incoming relay connections) on 443 we have to relabel those two ports.
First, is SELinux enabled?
sestatus | grep status
SELinux status:                 enabled
Next, list the ports Tor is currently allowed to bind.
semanage port -l | grep tor
tor_port_t                     tcp      6969, 9001, 9030, 9050, 9051, 9150
Now let's add ports 80 and 443 to grant TOR access to them. Note the -m (modify) rather than -a (add): both ports already carry the http_port_t label in the stock policy, and -a would fail with "port already defined". This also means a web server on the same host could no longer bind 80 or 443 without further policy work.
semanage port -m -t tor_port_t -p tcp 80
semanage port -m -t tor_port_t -p tcp 443
Each command may take up to a minute to complete and prints nothing on success; that is normal. Rerunning the semanage port -l | grep tor listing above should now show 80 and 443 on the tor_port_t line.
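A quick way to catch drift between the three places that must agree on the relay's listening ports (the torrc, csf's TCP_IN and the SELinux tor_port_t label) is to parse all three and diff them. The script below is an added example written for this page, not part of tor, csf or policycoreutils. Its three inputs are constructed inline from the values used in this article (ORPort 443, directory port 80, the csf TCP_IN line above and the semanage listing after the two relabel commands), so it runs offline; on a live host you would feed it the real /etc/tor/torrc, /etc/csf/csf.conf and the output of semanage port -l.

```python
import re

# Constructed inputs mirroring this article's values. On a real host read
# /etc/tor/torrc and /etc/csf/csf.conf and capture `semanage port -l` instead.
TORRC = """
ControlPort 9051
ORPort 443
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
SOCKSPolicy reject *
"""

CSF_CONF = '''
LF_SPI = "1"
TCP_IN = "22,80,443,9030,9050"
TCP_OUT = "1:65535"
'''

# `semanage port -l | grep tor` after the two `semanage port -m` commands.
SEMANAGE_OUT = """
tor_port_t                     tcp      80, 443, 6969, 9001, 9030, 9050, 9051, 9150
"""

# torrc options that open a listener on the public interface. ControlPort
# binds to localhost by default, so it needs neither a firewall hole nor
# a label change.
PUBLIC_LISTENERS = ("ORPort", "DirPort")


def torrc_public_ports(text):
    """Map ORPort/DirPort to the port they bind. 'addr:port' keeps the port,
    trailing flags (NoAdvertise, ...) and comments are dropped, and a port
    of 0 (listener disabled) is skipped."""
    ports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key in PUBLIC_LISTENERS and value.strip():
            port = value.split()[0].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) > 0:
                ports[key] = int(port)
    return ports


def csf_ports(text, option="TCP_IN"):
    """Expand a csf list such as "22,80,443,1000:1010" into a set of ports."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(option), text, re.M)
    ports = set()
    if m:
        for item in filter(None, (s.strip() for s in m.group(1).split(","))):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def selinux_ports(text, port_type="tor_port_t", proto="tcp"):
    """Ports carrying port_type in `semanage port -l` output (ranges use '-')."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == port_type and fields[1] == proto:
            for item in " ".join(fields[2:]).split(","):
                lo, _, hi = item.strip().partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(torrc, csf_conf, semanage_out, admin_ports=(22,)):
    """List inconsistencies between the three; an empty list means they agree.
    admin_ports are non-Tor services (ssh) that are allowed to stay open."""
    listeners = torrc_public_ports(torrc)
    allowed = csf_ports(csf_conf)
    labelled = selinux_ports(semanage_out)
    problems = []
    for opt, port in listeners.items():
        if port not in allowed:
            problems.append("%s %d not in csf TCP_IN" % (opt, port))
        if port not in labelled:
            problems.append("%s %d not labelled tor_port_t" % (opt, port))
    # Inbound holes with no Tor listener behind them (9030/9050 in this setup).
    for port in sorted(allowed - set(listeners.values()) - set(admin_ports)):
        problems.append("TCP_IN opens %d but torrc has no public listener on it" % port)
    return problems


if __name__ == "__main__":
    for problem in audit(TORRC, CSF_CONF, SEMANAGE_OUT) or ["ports are consistent"]:
        print(problem)
```

Run against the article's values it reports only the two surplus firewall holes (9030 and 9050); run against the semanage listing from before the relabel it flags both 80 and 443 as not labelled tor_port_t, which is exactly the state in which tor fails to bind with a permission-denied error in the log.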
The tor config file is located at /etc/tor/torrc
Here is my config file with none of the default comments, but instead my comments on each.
# Default configuration for arm and tor
ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1
# I don't allow SOCKS connections internally or externally.
# (This refuses every client; SocksPort 0 would close the localhost listener entirely.)
SOCKSPolicy reject *
# Log files are important; I just log notices. See the manual for further debug levels.
Log notice file /var/log/tor/notices.log
# This is the port ARM will connect to for an admin view of your tor service
ControlPort 9051
# The port TOR advertises for incoming relay connections
ORPort 443
# The directory port (port 80 is the one relabelled for it in the SELinux step above).
# DirPortFrontPage below only takes effect when a DirPort is set.
DirPort 80
# The IP address or full DNS name for incoming connections to your relay or exit node
Address torfr.arlionprojects.com
# A handle for your relay, so people don't have to refer to it by key.
Nickname arlionprojects
# Administrative contact that people with complaints can reach you at. This will go a long way toward keeping your tor exit node alive and running.
ContactInfo firstname.lastname@example.org
# Web page that greets a user on port 80, informing them they have stumbled on a tor exit node.
## You can get this page by
### wget https://svn.torproject.org/svn/tor/branches/hidserv-perf/contrib/tor-exit-notice.html -O /etc/tor/tor-exit-notice.html
DirPortFrontPage /etc/tor/tor-exit-notice.html
# Never exit to loopback, link-local or private address space. Entries are matched in order,
# so these rejects must come before the accepts below. (ExitPolicyRejectPrivate, on by default,
# covers these ranges too; listing them keeps the policy explicit.)
ExitPolicy reject 0.0.0.0/8
ExitPolicy reject 169.254.0.0/16
ExitPolicy reject 127.0.0.0/8
ExitPolicy reject 192.168.0.0/16
ExitPolicy reject 10.0.0.0/8
ExitPolicy reject 172.16.0.0/12
ExitPolicy accept *:20-21 # FTP - File Transfer Protocol (data / control)
ExitPolicy accept *:43 # WHOIS - who is query and response protocol
ExitPolicy accept *:53 # DNS - Domain Name System
ExitPolicy accept *:79 # finger - Name/Finger user information protocol
ExitPolicy accept *:80-81 # HTTP - Hypertext Transfer Protocol / web browsing
ExitPolicy accept *:88 # kerberos - computer network authentication protocol
ExitPolicy accept *:110 # POP3 - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:143 # IMAP - Internet Message Access Protocol, management of email messages (receive email only)
ExitPolicy accept *:220 # IMAP3 - Internet Message Access Protocol v3 (receive email only)
ExitPolicy accept *:389 # LDAP - Lightweight Directory Access Protocol
ExitPolicy accept *:443 # HTTPS - Hypertext Transfer Protocol over TLS/SSL / secure web browsing
ExitPolicy accept *:464 # kpasswd - Kerberos Change/Set password
ExitPolicy accept *:531 # IRC/AIM - AOL Instant Messenger
ExitPolicy accept *:543-544 # Kerberos - klogin, Kerberos login / kshell, Kerberos Remote shell
ExitPolicy accept *:554 # RTSP - Real Time Streaming Protocol
ExitPolicy accept *:636 # LDAP - Lightweight Directory Access Protocol over TLS/SSL
ExitPolicy accept *:706 # SILC - Secure Internet Live Conferencing
ExitPolicy accept *:749 # kerberos - protocol administration
ExitPolicy accept *:873 # rsync - file synchronization protocol
ExitPolicy accept *:902-904 # VMware - Virtual Infrastructure Client / Console / Server
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over TLS/SSL - File Transfer Protocol (data / control)
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # Telnet protocol over TLS/SSL
ExitPolicy accept *:993 # IMAP over SSL - Internet Message Access Protocol over TLS/SSL (receive email only)
ExitPolicy accept *:995 # POP3 over SSL - Post Office Protocol v3 (receive email only)
ExitPolicy accept *:1194 # OpenVPN - Virtual Private Network
ExitPolicy accept *:1220 # QT Server Admin - QuickTime Streaming Server administration
ExitPolicy accept *:1293 # PKT-KRB-IPSec - Internet Protocol Security
ExitPolicy accept *:1500 # VLSI License Manager - Firewall (NT4-based) Remote Management / Server
ExitPolicy accept *:1533 # Sametime - IM—Virtual Places Chat MS SQL Server
ExitPolicy accept *:1677 # GroupWise - clients in client/server access mode
ExitPolicy accept *:1723 # PPTP - Point-to-Point Tunneling Protocol
ExitPolicy accept *:1755 # RTSP - Media Services (MMS, ms-streaming)
ExitPolicy accept *:1863 # MSNP - MS Notification Protocol, MS Messenger service / Instant Messaging clients
ExitPolicy accept *:2083 # Secure Radius Service (radsec) and CPanel default SSL
ExitPolicy accept *:2086-2087 # GNUnet, ELI - Web Host Manager default and Web Host Manager default SSL
ExitPolicy accept *:2095-2096 # NBX - CPanel default web mail and CPanel default SSL web mail
ExitPolicy accept *:2102-2104 # Zephyr - Project Athena Notification Service server / connection / host manager
ExitPolicy accept *:3690 # SVN - Subversion version control system
ExitPolicy accept *:4321 # RWHOIS - Referral Who is Protocol
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC - Yahoo! Messenger
ExitPolicy accept *:5190 # ICQ and AOL Instant Messenger
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL - Extensible Messaging and Presence Protocol client connection
ExitPolicy accept *:5228 # Android Market - Google Play, Android Cloud, Google Cloud Messaging / HP Virtual Room Service
ExitPolicy accept *:8008 # HTTP alternate / Server administration default
ExitPolicy accept *:8074 # Gadu-Gadu - instant messaging client
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP - Control Panel
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS - Plesk Control Panel, Apache Tomcat SSL
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE - HyperVM, Freenet, MAMP Server
ExitPolicy accept *:9418 # git - Git pack transfer service
ExitPolicy accept *:10000 # Network Data Management Protocol - Webmin, Web-based Unix/Linux system administration tool
ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294 # Google Voice TCP - Voice and Video connections
ExitPolicy accept *:19638 # Ensim control panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble - voice over IP
# Everything not listed above is refused.
ExitPolicy reject *:*
ExitRelay 1
Now let's grab a tor notice, informing any unsuspecting users that this server is a tor exit node.
wget https://svn.torproject.org/svn/tor/branches/hidserv-perf/contrib/tor-exit-notice.html -O /etc/tor/tor-exit-notice.html
READ READ READ!
Why I chose such a restrictive exit policy.
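To see why the order of ExitPolicy lines matters, here is an added example (written for this page, not Tor's own code) that evaluates a policy the way a relay does: entries are tried in file order and the first match wins, so the private-range rejects have to sit above the accepts, and the final reject *:* closes everything the accept list does not name. The policy text is constructed from a subset of the lines in the torrc above; addresses are IPv4 only.

```python
import ipaddress
import re

# Constructed policy: a handful of lines from the torrc above, in the
# same order (private-range rejects first, accepts, catch-all reject).
POLICY = """
ExitPolicy reject 192.168.0.0/16
ExitPolicy reject 10.0.0.0/8
ExitPolicy accept *:20-21   # FTP
ExitPolicy accept *:80-81   # HTTP
ExitPolicy accept *:443     # HTTPS
ExitPolicy accept *:993     # IMAPS
ExitPolicy reject *:*
"""

_ENTRY_RE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+(\S+)", re.IGNORECASE)


def parse_policy(text):
    """Return [(action, network, port_lo, port_hi)] in file order.
    '*' as address is all of IPv4; a missing ':port' means every port,
    which is how Tor reads 'reject 10.0.0.0/8'. IPv4 only."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        action, target = m.group(1).lower(), m.group(2)
        addr, _, ports = target.rpartition(":") if ":" in target else (target, "", "*")
        network = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        else:
            lo_s, _, hi_s = ports.partition("-")
            lo, hi = int(lo_s), int(hi_s or lo_s)
        entries.append((action, network, lo, hi))
    return entries


def exit_allowed(entries, dest_ip, dest_port):
    """First matching entry decides. Nothing matching means reject here;
    tor itself appends its default exit policy to a policy that does not
    end in a catch-all, which is what the final 'reject *:*' prevents."""
    ip = ipaddress.ip_address(dest_ip)
    for action, network, lo, hi in entries:
        if ip.version == network.version and ip in network and lo <= dest_port <= hi:
            return action == "accept"
    return False


def accepts_before_private_rejects(entries):
    """The same lines with the accepts moved first: shows that ordering alone
    decides whether circuits may exit into RFC 1918 space behind the relay."""
    accepts = [e for e in entries if e[0] == "accept"]
    rejects = [e for e in entries if e[0] == "reject"]
    return accepts + rejects


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    for ip, port in (("93.184.216.34", 443), ("93.184.216.34", 22), ("10.1.2.3", 443)):
        print("%s:%d -> %s" % (ip, port, "accept" if exit_allowed(policy, ip, port) else "reject"))
    reordered = accepts_before_private_rejects(policy)
    print("10.1.2.3:443 with accepts first -> %s"
          % ("accept" if exit_allowed(reordered, "10.1.2.3", 443) else "reject"))
```

With the article's ordering a connection to 10.1.2.3:443 is refused even though 443 is an accepted port; move the accepts above the rejects and the same destination is allowed, which is why the private-range lines come first.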
ARM
ARM (anonymizing relay monitor) is a terminal (curses) utility that provides a top-level view of the current activity and utilization of the relay. ARM connects to the ControlPort set in /etc/tor/torrc, in our case 9051, authenticating with the control cookie configured there.
CentOS:
# Import the author's GPG key
gpg --keyserver pgp.mit.edu --recv-keys 0x9ABBEEC6
# Confirm the detached signature on the downloaded RPM before installing it
gpg --verify arm-<version>-1.rpm.asc arm-<version>-1.rpm
# Install the package
yum install arm-<version>-1.rpm -y
Ubuntu:
apt-get install tor-arm -y
To use arm, simply type arm into bash. No further configuration is required.
First Days
Everyone's experience differs, however my server picked up activity right away, obtaining the "Running", "V2Dir" and "Valid" flags immediately, and two days later gaining the "Fast" and "Exit" flags. More on TOR flags and what they mean.
Data Usage Stats:
     day         rx      |     tx      |    total    |   avg. rate
------------------------+-------------+-------------+---------------
     25/11/16  13.99 GiB |  13.82 GiB  |  27.81 GiB  |   2.70 Mbit/s
     26/11/16   2.08 GiB |   1.99 GiB  |   4.06 GiB  | 394.67 kbit/s
     27/11/16   3.72 GiB |   3.59 GiB  |   7.31 GiB  | 709.87 kbit/s
     28/11/16  24.87 GiB |  24.75 GiB  |  49.62 GiB  |   7.09 Mbit/s
So traffic is slowly picking up on the server. Currently I have only encountered one problem, and that is my IRC bot was banned immediately from IRC, due to the IP being banned for running an Exit Node. No other issues to report at this time.
eth0 / daily

        day         rx      |     tx      |    total    |   avg. rate
------------------------+-------------+-------------+---------------
     11/25/2016      0 KiB |      0 KiB  |      0 KiB  |   0.00 kbit/s
     11/28/2016   7.36 GiB |   7.35 GiB  |  14.72 GiB  |   1.43 Mbit/s
     11/29/2016  97.87 GiB |  97.03 GiB  | 194.90 GiB  |  18.92 Mbit/s
     11/30/2016 136.14 GiB | 134.35 GiB  | 270.50 GiB  |  26.26 Mbit/s
     12/01/2016 144.20 GiB | 141.73 GiB  | 285.93 GiB  |  27.76 Mbit/s
     12/02/2016 211.83 GiB | 208.05 GiB  | 419.89 GiB  |  40.77 Mbit/s
     12/03/2016 265.49 GiB | 260.72 GiB  | 526.21 GiB  |  51.09 Mbit/s
     12/04/2016 367.22 GiB | 360.82 GiB  | 728.04 GiB  |  70.69 Mbit/s
     12/05/2016 470.92 GiB | 462.24 GiB  | 933.16 GiB  |  90.60 Mbit/s
     12/06/2016 491.49 GiB | 479.99 GiB  | 971.48 GiB  |  94.32 Mbit/s
     12/07/2016 234.37 GiB | 228.67 GiB  | 463.05 GiB  |  75.62 Mbit/s
------------------------+-------------+-------------+---------------
      estimated 394.27 GiB | 384.68 GiB  | 778.95 GiB  |
Due to the bandwidth cap being hit at almost 100% utilization, I have put a bandwidth cap into the torrc config file.
# Tor reads "MB" as megabytes per second, so 75 MB is roughly 630 Mbit/s on the wire.
# To cap at 75 megabits per second the unit has to be spelled out: "75 MBits".
RelayBandwidthRate 75 MB
RelayBandwidthBurst 80 MB
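Because Tor's bandwidth units are bytes unless the unit explicitly says bits, it is easy to set a cap eight times larger than intended. The helper below is an added example for this page, not Tor's code; it mirrors tor's unit table (powers of two, bit units divided by eight, case-insensitive matching) and converts a RelayBandwidthRate value to the line rate in megabits per second and to the monthly volume a relay would move if it ran flat out, which is the number to compare with a hosting plan's transfer allowance.

```python
import re

# tor's unit table as used by its config parser: byte units, plus bit
# units that are divided by eight. Multipliers are powers of two, as in
# tor, and the match is case-insensitive.
_BYTE_UNITS = {
    "": 1, "b": 1, "byte": 1, "bytes": 1,
    "kb": 1 << 10, "kbyte": 1 << 10, "kbytes": 1 << 10, "kilobyte": 1 << 10, "kilobytes": 1 << 10,
    "m": 1 << 20, "mb": 1 << 20, "mbyte": 1 << 20, "mbytes": 1 << 20, "megabyte": 1 << 20, "megabytes": 1 << 20,
    "gb": 1 << 30, "gbyte": 1 << 30, "gbytes": 1 << 30, "gigabyte": 1 << 30, "gigabytes": 1 << 30,
    "tb": 1 << 40, "tbyte": 1 << 40, "tbytes": 1 << 40, "terabyte": 1 << 40, "terabytes": 1 << 40,
}
_BIT_UNITS = {  # value in bits; converted to bytes in parse_tor_bandwidth
    "kbit": 1 << 10, "kbits": 1 << 10, "kilobit": 1 << 10, "kilobits": 1 << 10,
    "mbit": 1 << 20, "mbits": 1 << 20, "megabit": 1 << 20, "megabits": 1 << 20,
    "gbit": 1 << 30, "gbits": 1 << 30, "gigabit": 1 << 30, "gigabits": 1 << 30,
    "tbit": 1 << 40, "tbits": 1 << 40, "terabit": 1 << 40, "terabits": 1 << 40,
}

_VALUE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")


def parse_tor_bandwidth(value):
    """Bytes per second for a torrc value such as '75 MB', '75 MBits' or '1048576'."""
    m = _VALUE_RE.match(value)
    if not m:
        raise ValueError("not a tor bandwidth value: %r" % value)
    number, unit = float(m.group(1)), m.group(2).lower()
    if unit in _BYTE_UNITS:
        return int(number * _BYTE_UNITS[unit])
    if unit in _BIT_UNITS:
        return int(number * _BIT_UNITS[unit] / 8)
    raise ValueError("unknown unit %r" % m.group(2))


def mbit_per_s(bytes_per_s):
    """Line-rate view of a byte rate, in decimal megabits per second."""
    return bytes_per_s * 8 / 1e6


def monthly_volume_tib(bytes_per_s, days=30):
    """Traffic a relay running flat out at this rate moves in a month, counting
    both directions (relayed bytes come in and go back out), in TiB."""
    return bytes_per_s * 86400 * days * 2 / float(1 << 40)


if __name__ == "__main__":
    for setting in ("75 MB", "75 MBits"):
        rate = parse_tor_bandwidth(setting)
        print("RelayBandwidthRate %-9s = %9d B/s = %6.1f Mbit/s, up to %5.1f TiB/month"
              % (setting, rate, mbit_per_s(rate), monthly_volume_tib(rate)))
```

The two lines it prints make the trap obvious: "75 MB" is about 629 Mbit/s, far above anything a 100 Mbit/s port can carry, while "75 MBits" is the roughly 79 Mbit/s that actually leaves headroom below the utilization peak in the table above.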