Debian Tor Relay
Spin up a basic Debian 8 (Jessie) 64-bit cloud instance; inexpensive cloud instances from Digital Ocean are perfect for this type of project. Only basic networking with minimal disk and memory is required, and these pre-prepared Debian 8 cloud images are ready to go with only a small amount of work.
Be careful of costs: cloud providers typically charge for time spent running (uptime) plus bandwidth. Research costs carefully and ensure RelayBandwidthRate is configured to fit your budget. Shop around cloud providers to get the best bang for your buck; low uptime and low bandwidth charges are the key factors for a Tor node.
The below instructions have been tested on a Digital Ocean standard Debian 8 instance.
1. Install a few basic packages to make life a little nicer; cloud instances are typically stripped down and need a few things added, both for security and for ease of use. Adjust as needed, but at a minimum ensure the packages below are in place:
apt-get update
apt-get install sysstat unattended-upgrades iptables-persistent fail2ban chrony vim-nox iftop sudo -y
2. Enable sysstat for ongoing statistics capture of your instance (use sar to view):
sed -i.bak -e 's|^ENABLED=".*"|ENABLED="true"|g' /etc/default/sysstat
3. Enable unattended-upgrades to ensure that all Security updates are applied:
cat << 'EOF' > /etc/apt/apt.conf.d/02periodic
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
EOF
4. Enable the basic iptables rules to allow only ports 22, 80 and 443:
cat << 'EOF' > /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

cat << 'EOF' > /etc/iptables/rules.v6
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
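Before loading a rules file with iptables-restore it is worth confirming that it opens only the ports you intended and still ends in a catch-all REJECT. The script below is an added example, not part of the original guide: it parses a constructed rules.v4-style file (the same format the guide writes), lists the TCP ports accepted for NEW connections, and compares them with an expected list. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): review an iptables-persistent
# rules file and confirm which TCP ports it opens for NEW connections.

# Constructed sample in the format the guide writes to /etc/iptables/rules.v4.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# open_tcp_ports FILE: print the --dport of every INPUT rule that ACCEPTs
# TCP traffic, one port per line, sorted numerically.
open_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' \
        | sort -n
}

# has_default_reject FILE: succeed only if the INPUT chain carries a
# catch-all REJECT or DROP, so anything not explicitly allowed is refused.
has_default_reject() {
    grep -E '^-A INPUT -j (REJECT|DROP)' "$1" >/dev/null
}

# check_rules FILE "22 80 443": compare opened ports with the expected list
# and require the catch-all; print a verdict, return 0 on match, 1 otherwise.
check_rules() {
    file=$1
    expected=$(printf '%s\n' $2 | sort -n | tr '\n' ' ')
    actual=$(open_tcp_ports "$file" | tr '\n' ' ')
    if [ "$actual" = "$expected" ] && has_default_reject "$file"; then
        echo "OK: opens only [$actual] and ends in a default REJECT"
        return 0
    fi
    echo "MISMATCH: opens [$actual], expected [$expected] (or no catch-all REJECT)"
    return 1
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
check_rules "$tmp" "22 80 443"
rm -f "$tmp"
```

The same functions work on rules.v6, since the rule lines share the format; point check_rules at the real file (check_rules /etc/iptables/rules.v4 "22 80 443") before the first reboot to catch a stray port.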
5. Configure fail2ban to keep an eye on the SSH port for brute force attacks:
cat << 'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = root@localhost

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
EOF
6. Finally, ensure all the services are enabled and apply all outstanding updates; reboot as needed for a new kernel. If you don't reboot here, you'll need to restart each service individually with service foo restart:
systemctl disable remote-fs.target
systemctl enable sysstat unattended-upgrades iptables-persistent fail2ban chrony
apt-get upgrade -y
reboot
Add the upstream repository to the server, install the GPG key and Tor itself. The tor-arm package provides an interesting console interface for the daemon (run arm later on to see it).
echo "deb http://deb.torproject.org/torproject.org jessie main" > \
    /etc/apt/sources.list.d/tor.list
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install deb.torproject.org-keyring -y
apt-get install tor tor-arm -y
systemctl stop tor
Edit the /etc/tor/torrc configuration to set up the basic parameters; this config file's comments are parsed by the arm utility, so don't be tempted to just replace it with the below. Hand-editing is recommended to preserve the comments.
1 TB/month is roughly 400 KB/s sustained bandwidth
We will configure bandwidth to 300 KB/s normal and 350 KB/s burst to keep our cloud bandwidth charges in check, and use ports 443 and 80 for maximum compatibility with people in locations that apply strict ACLs to their network traffic. Choose Nickname wisely; it's how others will refer to your node in public. Be careful with ContactInfo and protect yourself from spammers!
# egrep -v "^(#|$)" /etc/tor/torrc
RunAsDaemon 1
ORPort 443
Address <server IP address>
Nickname <your relay nickname>
RelayBandwidthRate 300 KB
RelayBandwidthBurst 350 KB
ContactInfo <your contact info>
DirPort 80
DirPortFrontPage /etc/tor/index.html
ExitPolicy reject *:*
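A quick review of the hand-edited torrc before starting the daemon catches the mistakes that matter most here: a placeholder left in Nickname, a missing ContactInfo, an ExitPolicy that would silently turn the node into an exit, and a RelayBandwidthRate that blows the monthly bandwidth budget. The script below is an added example, not part of the original guide: it strips comments the way the guide's egrep -v "^(#|$)" does, checks the settings listed above, and converts RelayBandwidthRate into the transfer it implies over a 30-day month so it can be set against the guide's 1 TB/month figure. The sample torrc, the 192.0.2.10 address and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original guide): review a torrc before
# starting the relay and estimate the monthly transfer its rate implies.

# Constructed sample mirroring the guide's effective settings. The address,
# nickname and contact are placeholders, not a real relay.
SAMPLE_TORRC=$(cat <<'EOF'
## Comments like these stay in the real file so arm can read them.
RunAsDaemon 1
ORPort 443
Address 192.0.2.10
Nickname ExampleRelay
RelayBandwidthRate 300 KB
RelayBandwidthBurst 350 KB
ContactInfo relay-admin <at> example <dot> org
DirPort 80
DirPortFrontPage /etc/tor/index.html

ExitPolicy reject *:*
EOF
)

# effective_config FILE: the non-comment, non-blank lines (what the guide's
# egrep -v "^(#|$)" shows).
effective_config() {
    grep -E -v '^(#|$)' "$1"
}

# torrc_value FILE KEY: print KEY's value (first occurrence), empty if unset.
torrc_value() {
    effective_config "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# rate_bytes_per_sec "300 KB": Tor bandwidth value to bytes per second.
# Tor reads KB/KBytes as 1024 bytes and MB/MBytes as 1024*1024 bytes.
rate_bytes_per_sec() {
    num=$(printf '%s' "$1" | awk '{print $1}')
    unit=$(printf '%s' "$1" | awk '{print toupper($2)}')
    case "$unit" in
        KB|KBYTE|KBYTES) echo $((num * 1024)) ;;
        MB|MBYTE|MBYTES) echo $((num * 1024 * 1024)) ;;
        ""|BYTES)        echo "$num" ;;
        *) echo "unknown unit: $unit" >&2; return 1 ;;
    esac
}

# monthly_gb FILE: transfer per 30-day month, in decimal GB (10^9 bytes, as
# cloud providers usually bill), if the relay runs flat out at
# RelayBandwidthRate. The burst is short-lived and is not counted.
monthly_gb() {
    bps=$(rate_bytes_per_sec "$(torrc_value "$1" RelayBandwidthRate)")
    echo $(( bps * 30 * 24 * 3600 / 1000000000 ))
}

# check_torrc FILE: report anything missing or unsafe for a non-exit relay;
# return 0 when everything the guide relies on is in place.
check_torrc() {
    rc=0
    for key in ORPort Nickname ContactInfo RelayBandwidthRate RelayBandwidthBurst; do
        [ -n "$(torrc_value "$1" "$key")" ] || { echo "missing: $key"; rc=1; }
    done
    [ "$(torrc_value "$1" ExitPolicy)" = "reject *:*" ] \
        || { echo "ExitPolicy is not 'reject *:*': this would be an exit relay"; rc=1; }
    case "$(torrc_value "$1" Nickname)" in
        *'<'*|"") echo "Nickname still holds a placeholder"; rc=1 ;;
    esac
    echo "implied transfer at RelayBandwidthRate: ~$(monthly_gb "$1") GB/month"
    return $rc
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_TORRC" > "$tmp"
check_torrc "$tmp"
rm -f "$tmp"
```

For the guide's 300 KB rate the estimate comes out at about 796 GB per month, comfortably under 1 TB; raise the rate and the script tells you when you cross the budget. Run it as check_torrc /etc/tor/torrc once the real file is edited.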
Copy over the HTML man page to display on port 80 (see DirPortFrontPage above), ensure it's set to start on reboot and get it running:
cp /usr/share/doc/tor/tor.html /etc/tor/index.html
systemctl enable tor
systemctl restart tor
Preserve a copy of your Tor node information; this is needed if you have to rebuild or move the node and want to retain the same history in the community:
cp /var/lib/tor/fingerprint /root/tor.fingerprint
cp /var/lib/tor/keys/secret_id_key /root/tor.secret_id_key
Download those two files from the cloud instance and put them in a safe place in your normal backups. The first has one line (nickname and a 40-hex-character ID), the second is an RSA key.
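A backup you have never inspected is easy to get wrong (an empty file, the wrong relay's identity, or a key copied world-readable). The script below is an added example, not part of the original guide: it encodes exactly what the text says the two files contain, one "Nickname HEX40" line and a PEM RSA private key, checks that the nickname matches the one you expect from torrc, and checks that the key is readable only by its owner. The sample files, the hex string and the function names are constructed placeholders, not a real relay identity.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the backed-up
# relay identity files before relying on them for a rebuild or move.

# make_samples DIR: write constructed placeholder copies of the two files.
# The hex ID and key body are stand-ins, not a real identity.
make_samples() {
    dir=$1
    printf 'ExampleRelay 0123456789ABCDEF0123456789ABCDEF01234567\n' > "$dir/tor.fingerprint"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERKEYBODY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/tor.secret_id_key"
    chmod 600 "$dir/tor.secret_id_key"
}

# fingerprint_nickname FILE: print the nickname when the file holds exactly
# one "Nickname HEX40" line; otherwise print nothing and fail.
fingerprint_nickname() {
    awk 'NR == 1 && NF == 2 && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ { nick = $1 }
         END { if (NR == 1 && nick != "") { print nick; exit 0 }; exit 1 }' "$1"
}

# key_looks_valid FILE: PEM RSA private key framing and owner-only (0600)
# permissions. stat -c is GNU, stat -f the BSD fallback.
key_looks_valid() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END RSA PRIVATE KEY-----$' || return 1
    [ "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" = "600" ]
}

# verify_backup DIR EXPECTED_NICKNAME: run both checks and explain any failure.
verify_backup() {
    nick=$(fingerprint_nickname "$1/tor.fingerprint") \
        || { echo "tor.fingerprint is not a single 'Nickname HEX40' line"; return 1; }
    [ "$nick" = "$2" ] \
        || { echo "fingerprint nickname '$nick' does not match expected '$2'"; return 1; }
    key_looks_valid "$1/tor.secret_id_key" \
        || { echo "tor.secret_id_key is not a 0600 PEM RSA private key"; return 1; }
    echo "backup for relay '$nick' looks consistent"
}

# Stand-alone run against the constructed files.
d=$(mktemp -d)
make_samples "$d"
verify_backup "$d" ExampleRelay
rm -rf "$d"
```

On the real box the call is verify_backup /root ExampleRelay (with your own nickname); the permission check is the one most often missed after copying the key through scp or a backup tool.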
Wait an hour or two, then use one (or both) of the below links to search for your relay's nickname:
Once it's showing up as expected and you're happy with the results, submit your relay to the EFF Tor Challenge and sign up via Tor Weather to keep an eye on it: