Sunday, September 30, 2012

Notes on operating a Tor relay

Chroot Tor


I found the instructions for building a chrooted Tor server (0.2.2.*) on Debian 6.0.6 (Squeeze) to work fine:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorInChroot

Libevent2
Debian stable only has libevent 1 in the repositories, so I downloaded and installed 2 from source on my system (./configure && make && make install). I then added the following line to make sure this library could be found:

$ echo "/usr/local/include" >> /etc/ld.so.conf.d/libc.conf

Tor
My compile options are a little different from those in the tutorial:

 $ ./configure --prefix=/tor --with-tor-user=debian-tor --with-tor-group=debian-tor \
     --enable-gcc-hardening --enable-linker-hardening \
     --enable-static-openssl --with-openssl-dir=/usr/local/ssl \
     --enable-static-libevent --with-libevent-dir=/usr/local/include

I'm not sure why gcc and linker hardening are not shown in the tutorial. I see there is a ticket that has been completed for enabling gcc hardening by default when building 0.2.3.*. This is currently an issue yet to be resolved for the Tor Browser Bundle.

You can use the tool checksec.sh on the compiled Tor binary to show the extra hardening gained (shown in my last blog post).
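As an added example (my own code, not from this post or the Tor project): a minimal checksec-style probe that reads the ELF64 program headers and dynamic section directly, so it also works inside the chroot without readelf. It reports the properties --enable-linker-hardening is meant to give you (non-executable stack, RELRO plus BIND_NOW, PIE); the function names and the sample images it builds are my own constructions for the test.

```python
import struct

# ELF constants (from the ELF/gABI spec); names here are my own shorthand.
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN, ET_EXEC = 0x8, 0x1, 0x1, 3, 2


def check_hardening(data: bytes) -> dict:
    """Report NX stack, RELRO, BIND_NOW and PIE for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK at all means the kernel may grant an executable stack.
    report = {"nx": False, "relro": False, "bind_now": False, "pie": e_type == ET_DYN}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic entries for BIND_NOW
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    report["bind_now"] = True
    report["full_relro"] = report["relro"] and report["bind_now"]
    return report


def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample image (not a real program): header, phdrs, tiny dynamic section."""
    phdrs = [(PT_GNU_STACK, 7 if exec_stack else 6)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)          # dynamic section follows the phdr table
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs) + 1, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    body += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + body + dyn
```

Run check_hardening(open(path, "rb").read()) on the compiled binary; stack canaries and FORTIFY from --enable-gcc-hardening are symbol-level properties and are not covered by this probe.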

Pax flags


Kernel hardening from Grsecurity wouldn't let Tor run. From my syslog:

grsec: From 200.XX.XX.XX: denied RWX mmap of by /home/chroot_tor/tor/tor/bin/tor[tor:21382] uid/euid:9050/9050 gid/egid:9050/9050, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Compile paxctl (if using a grsec kernel) and read the man page. I'm using these flags:

$ paxctl -v /home/chroot_tor/tor/tor/bin/tor
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team

- PaX flags: P-S--m-xE-R- [/home/chroot_tor/tor/tor/bin/tor]
        PAGEEXEC is enabled
        SEGMEXEC is enabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is enabled
        RANDMMAP is enabled

Enabling MPROTECT only allows one process to start, so set "NumCPUs 1" in torrc when using this option. I found that it hammered my performance (very RAM hungry), so I've had to disable this option for now, which is a shame.


Traffic


       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Oct '11     87.86 GiB |  107.65 GiB |  195.51 GiB |  612.34 kbit/s
      Nov '11     79.31 GiB |  101.79 GiB |  181.10 GiB |  586.12 kbit/s
      Dec '11     90.09 GiB |  110.20 GiB |  200.29 GiB |  627.29 kbit/s
      Jan '12    154.88 GiB |  187.97 GiB |  342.85 GiB |    1.07 Mbit/s
      Feb '12    141.88 GiB |  179.45 GiB |  321.33 GiB |    1.08 Mbit/s
      Mar '12    191.18 GiB |  223.62 GiB |  414.80 GiB |    1.30 Mbit/s
      Apr '12    216.49 GiB |  249.49 GiB |  465.98 GiB |    1.51 Mbit/s
      May '12    160.70 GiB |  198.33 GiB |  359.04 GiB |    1.12 Mbit/s
      Jun '12    141.58 GiB |  172.10 GiB |  313.68 GiB |    1.02 Mbit/s
      Jul '12    156.97 GiB |  190.04 GiB |  347.01 GiB |    1.09 Mbit/s
      Aug '12    171.87 GiB |  199.50 GiB |  371.37 GiB |    1.16 Mbit/s
      Sep '12    124.30 GiB |  146.02 GiB |  270.33 GiB |  903.34 kbit/s
    ------------------------+-------------+-------------+---------------
    estimated    128.35 GiB |  150.77 GiB |  279.12 GiB |

Not entirely Tor relay traffic, but the vast majority is =). This table was generated with vnstat, which unfortunately can't do yearly statistics yet.


Monitoring


Sign up for Tor Weather at https://weather.torproject.org/ to receive email when:
  • Your version of Tor is out of date
  • Your router has low bandwidth capacity
  • You are able to claim a Tor t-shirt (conditions apply)