User:Moggers87/tor

From BitFolk

Some notes on running a Tor node at BitFolk.

What's Tor?

"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy."
https://www.torproject.org/about/overview.html.en

A Tor exit node proxies traffic from the Tor network to the Internet. Some customers wish to run a Tor node on their BitFolk VPSes in order to help the Tor network provide this service, but doing so can cause some issues.

Who is responsible for traffic sent through a Tor node?

You are BitFolk's customer and what you run on your VPS is your responsibility. If abusive activity is traced back to your VPS then BitFolk expects you to deal with it, which includes making a reasonable effort to prevent recurrence.

BitFolk is not going to speculate on who is legally responsible for actions taken through a Tor exit node, but you are BitFolk's customer and in event of a legal issue BitFolk will supply your contact details to law enforcement on receipt of a valid court order.

Is running a Tor node at BitFolk allowed?

Yes, but:

  • If BitFolk receives abuse reports or complaints as a result of something running on your VPS then BitFolk will expect you to answer them.
  • If persistent abuse is observed through your VPS then usual BitFolk policy is to not keep you as a customer - this is the case whether you run a Tor node or not.
  • Due to common abuse issues encountered previously, you are required to implement some things in your exit policy.

Common problems

Almost any form of abusive activity that someone may wish to engage in on the Internet can be done through the Tor network so as to make it practically impossible to track the perpetrator. Common issues include:

  • Email and web comment spam.
  • SSH brute force dictionary attacks.
  • BitTorrent and other p2p filesharing of copyrighted material.

Configuring your Tor node

There are three types of publicly accessible Tor nodes: relay nodes, bridge nodes and exit nodes. You'll probably want to run the first type.

Relay node

A relay node only talks to other Tor nodes. It's the easiest to set up, and carries the least risk. Set your exit policy:

ExitPolicy reject *:*

Also disable SOCKS if you don't want local applications and users using your node as an entry point:

SocksPort 0

Exit node

Required exit policies

Allowing the following traffic causes too many problems for BitFolk and so if you wish to run a Tor exit node you are required to enforce the following exit policies:

  • Disable port 22 to the Internet due to SSH brute force dictionary attacks.
  • Disable port 25 to the Internet due to email spam.

Recommended exit policies

In addition to the above required exit policies, it is strongly recommended that you block the common BitTorrent ports. Rights holders are routinely joining torrents to obtain a list of IP addresses serving them, and then reporting this to the service providers responsible for the IP addresses. When BitFolk receives these abuse reports they are passed on to the customer. You may not wish to take the risk of legal action.
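The following is an added example, not code from BitFolk or the Tor project: a small Python audit of the ExitPolicy lines in a torrc against the required rejections (ports 22 and 25) and the recommended BitTorrent block. Tor evaluates ExitPolicy rules in order and the first matching rule wins, so a "reject *:22" placed after "accept *:*" never takes effect; the checker simulates that ordering for an arbitrary Internet host. The BitTorrent port range 6881-6999 is an assumption, since the page names no specific ports.

```python
import re

REQUIRED = {22: "SSH brute force dictionary attacks", 25: "email spam"}
RECOMMENDED_RANGES = [(6881, 6999, "BitTorrent")]   # assumed range, not from the page
ANY_HOST = {"*", "0.0.0.0/0", "::/0"}   # address patterns covering every Internet host
RULE_RE = re.compile(r"^(accept|reject)6?\s+(\S+):(\S+)$")

def parse_exit_policy(torrc_text):
    """Return ExitPolicy rules in evaluation order as (action, addr, lo_port, hi_port)."""
    rules = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if len(parts) != 2 or parts[0] != "ExitPolicy":
            continue
        for entry in parts[1].split(","):              # several rules may share a line
            m = RULE_RE.match(entry.strip())
            if not m:
                raise ValueError("unparseable ExitPolicy entry: %r" % entry)
            action, addr, ports = m.groups()
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(p) for p in ports.split("-", 1))
            else:
                lo = hi = int(ports)
            rules.append((action, addr, lo, hi))
    return rules

def decision_for_port(rules, port):
    """First-match decision for an arbitrary Internet host; None if no rule applies."""
    for action, addr, lo, hi in rules:
        if addr in ANY_HOST and lo <= port <= hi:
            return action
    return None

def audit(torrc_text):
    """Return (errors, warnings): required ports not rejected are errors."""
    rules = parse_exit_policy(torrc_text)
    errors = ["port %d not rejected (%s)" % (p, why) for p, why in REQUIRED.items()
              if decision_for_port(rules, p) != "reject"]
    warnings = ["ports %d-%d not fully rejected (%s)" % (lo, hi, why)
                for lo, hi, why in RECOMMENDED_RANGES
                if any(decision_for_port(rules, p) != "reject" for p in range(lo, hi + 1))]
    return errors, warnings

# Constructed sample torrc fragments: a compliant policy and one with the rules misordered.
GOOD_TORRC = ("ExitPolicy reject *:22  # required by BitFolk\n"
              "ExitPolicy reject *:25, reject *:6881-6999\n"
              "ExitPolicy accept *:80, accept *:443\nExitPolicy reject *:*\n")
BAD_TORRC = "ExitPolicy accept *:*\nExitPolicy reject *:22, reject *:25\n"
```

Running `audit(BAD_TORRC)` reports both required ports as accepted even though reject rules exist, because the earlier `accept *:*` matches first.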

Bridge relay node

Another way to help is to run a bridge relay. Bridges only talk to other Tor nodes and do not appear in the main Tor directory. Because there is no canonical list of bridges, a government or ISP can't block every one of them, so bridges are helpful to people who live in places where the Tor directory is blocked.

Bandwidth

Leaving a Tor node to its own devices is a sure way of using all your transfer allowance. You can configure Tor to limit the bandwidth it uses and limit the amount of data transferred in a day/week/month.

Client only

A Tor node can be set up so that it only accepts connections over SOCKS from local users and programs. This is exactly like running a Tor node on your desktop: Tor will connect to other nodes but will only handle your data.

Further information