System administration tools and tips for running a Tor node – part 1

This post inaugurates a series about a collection of system-administration tools and good practices that will make your life as a Tor operator better and easier. This series actually started as a single post, but it grew so large that I finally decided to restructure it completely and present it in 3 separate posts, with the following plan:

  • in the first post (this one), I will follow the basic steps that you need to cover when creating a new Tor node. This is a basic setup that will get you up and running while preventing several problems and giving you basic tools to monitor your node. This post can be applied to the setup of either middle or exit nodes;
  • in part 2, I will cover in more detail some software and tools specific for exit nodes;
  • in part 3, I will present more advanced tools that you can deploy at a later time.

Finally, while the use case is setting up and running a Tor relay, some of these tools and practices are actually applicable to any server you manage – i.e. any server where you have administrative powers – and they can prevent or solve a variety of problems.

Before installing Tor

The typical scenario I will refer to is that of a Virtual Private Server (VPS), which you can buy from many providers. If you want to run an exit node this is the recommended choice: the Tor Legal FAQ itself advises against running an exit relay from home 1. You can consult the Good/Bad ISPs page on the Tor wiki, where you will find several providers in several countries and some opinions from other Tor operators.

I will also suppose that you are running a Linux-based system. I recommend using Debian, where you can install the latest version of Tor very easily.

So, let’s suppose that you have just created your VPS through your favorite service and it is running Debian. Let’s start by taking care of some system configuration.

1. Secure your SSH configuration

You should always use SSH keys to log in to your remote servers. There are documented cases of botnets that have been active for years, with thousands of machines and different IPs, that will try to break into your server just by brute force, randomly trying many combinations of users and passwords.

See the instructions in the post about port-knocking for a detailed how-to on changing the SSH configuration to disable password authentication and change the port on which SSH listens for connections.

For creating your own keypair and copying it to your server you can refer to this guide on Digital Ocean.

2. Enable automatic security updates

You should really enable automatic updates now on all the servers you have root on.

You can install and enable the unattended-upgrades package to automatically download and install security updates.

3. Add swap

On some of the services that I have tried, a newly launched server comes with no swap partition set up. Swap space is “a preconfigured space on the hard disk used to free up (swapping) a page of memory”, that is a chunk of data used by an application. The combined size of the physical memory and the swap space is the amount of virtual memory available (source). If your system runs out of memory, some applications will crash and, in the case of system applications, this can have many unintended consequences and give rise to weird bugs.

Even the smallest virtual servers come with hard disks of several GB (10-20 GB at least) and your Tor relay will not need them for storage, so it is wise to create a swapfile that the system will use as swap space. You can follow this guide on Digital Ocean; it applies to both Ubuntu and Debian-based systems and I suppose it will work on other distributions too.

On one of my relays, with 512 MB of RAM and 20 GB of hard disk, I have created a 4 GB swapfile and I still have plenty of free space left on disk.

4. Raise apt-cache limit

One bug that I have experienced while running a Tor relay was a weird apt bug that caused my system to crash completely, putting the node offline for a while. This problem basically stems from the fact that the Debian package manager apt was not able to allocate enough memory for its cache.

You can create a configuration file named 99cache-start for apt in the directory /etc/apt/apt.conf.d/:

and add the following two lines:

Then you can clean the apt cache:

This configuration increases the memory available to apt for its cache 2.

5. Install ntp

NTP stands for Network Time Protocol; installing the ntp package keeps your system clock synchronised with the actual time (source). An accurate clock matters for a relay, since Tor checks the validity periods of the network consensus and of certificates against the local clock, and a badly skewed clock will keep the relay from working properly:
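The four steps before this one are all done by hand. The following script is an added example, not part of the original post: it checks those steps read-only, so you can confirm the state of a fresh VPS before installing Tor. It assumes the two apt lines set APT::Cache-Start (the apt.conf(5) option the file name 99cache-start refers to) and that unattended-upgrades was enabled with dpkg-reconfigure, which writes /etc/apt/apt.conf.d/20auto-upgrades; the ntp step is not covered.

```shell
#!/bin/sh
# Read-only pre-flight check for steps 1-4 above (added example, not from the post).
# Every function takes the file or directory to inspect as an optional argument, so
# it can be run against constructed samples; the defaults are the Debian paths.
# Nothing here modifies the system.
# Value of the first top-level occurrence of an sshd_config keyword. sshd honours
# the first value it reads, and anything after a Match line is conditional.
sshd_value() {  # $1 config file, $2 keyword (case-insensitive)
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == k       { print $2; exit }' "$1"
}

# Step 1: key-only logins on a non-default port. Prints one finding per line.
check_sshd() {
  cfg="${1:-/etc/ssh/sshd_config}"
  [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] ||
    echo "ssh: password authentication still enabled"
  [ "$(sshd_value "$cfg" PubkeyAuthentication)" != "no" ] ||
    echo "ssh: public-key authentication disabled"
  port="$(sshd_value "$cfg" Port)"
  [ -n "$port" ] && [ "$port" != "22" ] || echo "ssh: still listening on the default port 22"
}

# Step 2: dpkg-reconfigure unattended-upgrades writes this key into 20auto-upgrades.
check_auto_upgrades() {
  f="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
  grep -qs 'APT::Periodic::Unattended-Upgrade "1"' "$f" || echo "apt: unattended-upgrades not enabled"
}

# Step 3: total active swap in KiB, summed from a /proc/swaps-style table (header + rows).
swap_kib() { awk 'NR > 1 { s += $3 } END { print s + 0 }' "${1:-/proc/swaps}"; }

# Step 4: APT::Cache-Start (assumed to be what 99cache-start sets) in some apt.conf.d fragment.
check_apt_cache() {
  dir="${1:-/etc/apt/apt.conf.d}"
  cat "$dir"/* 2>/dev/null | grep -qi '^[[:space:]]*APT::Cache-Start' || echo "apt: APT::Cache-Start not raised"
}

# Run everything; the return code is the number of findings (0 = all good).
tor_preflight() {  # $1 sshd_config  $2 20auto-upgrades  $3 /proc/swaps  $4 apt.conf.d
  out="$(check_sshd "$1"; check_auto_upgrades "$2"; check_apt_cache "$4"
         [ "$(swap_kib "$3")" -gt 0 ] || echo "swap: no active swap space")"
  [ -n "$out" ] || { echo "pre-Tor checks passed"; return 0; }
  printf '%s\n' "$out"
  return "$(printf '%s\n' "$out" | grep -c .)"
}

case "${1:-}" in --run) tor_preflight ;; esac   # sh check.sh --run
```

Run it with `sh check.sh --run` on the server itself; a non-zero exit code tells a provisioning script how many of the steps are still missing.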

6. Install some system-monitoring tools: vnstat, sysstat, nmon and arm

There are several tools that are useful for monitoring the general status of your server. Please note that these monitoring tools collect general statistics to check the health of the server; they do not log or monitor individual connections.

You can install all these tools with the following command:

  • vnStat
    Quoting from the official site of the project: «vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won’t actually be sniffing any traffic and also ensures light use of system resources.»

You can edit the vnStat configuration file /etc/vnstat.conf to specify the network interface and disable the bandwidth limit on that interface:

After installing vnStat you can use the command vnstat to read traffic statistics of your network interface, as in the example below:

  • arm
    arm stands for “the Anonymizing Relay Monitor” and it is a CLI status monitor for Tor. It shows a real-time view of the download/upload bandwidth used by Tor and other useful info.

It is advised to run arm as the same user as Tor (and not as root); on Debian systems the user is debian-tor, so I have created the following alias (it is also helpful because if I look for a command about “stats” it shows up):

  • Sysstat (sar)
    Sysstat is a package of performance monitoring tools for Linux; in particular it contains sar, a tool to collect and report system activity information (sources: 1, 2).

After you install sysstat, you have to change its configuration in /etc/default/sysstat to enable data collection and then restart the sysstat service.

You can obtain the system statistics using the sar command.

  • nmon
    nmon stands for “Nigel’s performance Monitor”; compared to sysstat it provides nice graphs in the console. You can also use it in capture mode.

After installing, you can start it simply by typing nmon:

You are now ready to install Tor

Now that you have a basic set of tools in your toolbox you can proceed to install Tor. Read carefully the torrc configuration file – which on Debian systems is under /etc/tor/torrc – and modify it following the guidance provided by its extensive comments. You can choose at this moment whether you want to set up an exit or a middle node, although I would advise waiting for the tools in part 2 if you are interested in setting up an exit node.

Pay attention to the bandwidth limits: with each “VPS package” providers sell only a limited amount of bandwidth, with a total data-transfer cap over a period of time (typically monthly), and if you go over the cap you usually pay an extra amount for each additional MB of data consumed (i.e. transferred), so fees can ramp up very steeply.

Finally, do not forget to subscribe to the tor-announce mailing list; I also recommend that you subscribe to the tor-relays list, which has much more traffic but also more information about good setups and good practices for running Tor nodes.


  1. Relevant quote:

    Should I run an exit relay from my home?

    No. If law enforcement becomes interested in traffic from your exit relay, it’s possible that officers will seize your computer. For that reason, it’s best not to run your exit relay in your home or using your home Internet connection.

    Instead, consider running your exit relay in a commercial facility that is supportive of Tor. Have a separate IP address for your exit relay, and don’t route your own traffic through it.

    (source: TOR Legal FAQs)

  2. (source: Forum).