Running a Tor node
Some notes on running a Tor node at BitFolk.
"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."
A Tor exit node basically proxies traffic from the Tor network to the Internet. Some customers wish to run a Tor node on their BitFolk VPSes in order to assist the Tor network in providing this service, but this can cause some issues.
Who is responsible for traffic sent through a Tor node?
You are BitFolk's customer and what you run on your VPS is your responsibility. If abusive activity is traced back to your VPS then BitFolk expects you to deal with it, which includes making a reasonable effort to prevent re-occurrence.
BitFolk is not going to speculate on who is legally responsible for actions taken through a Tor exit node, but you are BitFolk's customer and in event of a legal issue it is your contact details that BitFolk will have to supply to law enforcement on receipt of a valid court order. BitFolk does not have a choice in that, since that is the law. Note that BitFolk does not supply customer details without a court order or warrant.
Exit nodes and relay nodes
Exit nodes are nodes within the Tor network which are allowed to send traffic out to the rest of the Internet. Relay nodes are only allowed to talk to other Tor nodes.
There are no special requirements for running Tor relay nodes as this traffic is never exposed to the rest of the Internet.
If you'd like to help the Tor network but don't want to risk possibly being the last traceable hop in some form of illegal activity, you may prefer to run a relay node. Relays only talk to other Tor nodes, so only deal with encrypted traffic and are certainly less effort to maintain than an exit node.
Remember to replace the default exit policy in your Tor configuration with this:
Is running a Tor exit node at BitFolk allowed?
- We will provide you with an additional IPv4 address which will be dedicated to your Tor node.
All Tor traffic (and only Tor traffic) should use this dedicated address as a source address. This is so that when we inevitably receive abuse reports we can be reasonably confident that it's coming through Tor and not directly from your VPS.
- You must ensure that your dedicated Tor IP address appears in the Tor exit lists.
Some people unfortunately do not wish to receive traffic from Tor and rely on the list of exit nodes to construct filters, so if you are operating an exit node it must appear on this list.
- If BitFolk receives abuse reports or complaints as a result of something running on your VPS then BitFolk will expect you to answer them. In particular this means:
- You need to be prepared to answer email correspondence through our ticket tracker within a reasonable period of time (72 hours).
- Although we prefer to have correspondence with complainants go through our ticket tracker, if a complainant insists then you should provide them with a direct email address for yourself.
All we're asking here is that you engage in email correspondence if the complainant insists. It is still the case that we will not give up customer details without a valid court order or warrant.
- If persistent abuse is observed through your VPS then usual BitFolk policy is to not keep you as a customer - this is the case whether you run a Tor node or not.
- Due to common abuse issues encountered previously, you are required to implement some things in your exit policy.
- There are already several Tor nodes at BitFolk and the UK in particular is very well served with nodes, so do consider if running an additional node at BitFolk is the best use of resources.
Almost any form of abusive activity that someone may wish to engage in on the Internet can be done through the Tor network so as to make it practically impossible to track the perpetrator. Common issues include:
- Email and web comment spam.
- SSH brute force dictionary attacks.
- BitTorrent and other p2p filesharing of copyrighted material.
Required exit policies
Allowing the following traffic causes too many problems for BitFolk and so if you wish to run a Tor exit node you are required to enforce the following exit policies:
- Disable port 22 to the Internet due to SSH brute force dictionary attacks.
- Disable port 25 to the Internet due to email spam.
Recommended exit policies
In addition to the above required exit policies, it is strongly recommended that you block the common BitTorrent ports. Rights holders are routinely joining torrents to obtain a list of IP addresses serving them, and then reporting this to the service providers responsible for the IP addresses. When BitFolk receives these abuse reports they are passed on to the customer. You may not wish to take the risk of legal action.
A Bridge relay are a special type of relay that is not listed in the main Tor directory. As there is no complete list of bridge relays, they can't be easily blocked by ISPs.
- Why You Shouldn't Run BitTorrent Over Tor - includes a sample exit policy for blocking common BitTorrent ports.
- Tipe for Running an Exit Node with Minimal Harassment