Tor crashes after 20 days

Hello there,

I have a Tor server running on a root server, but it always crashes after 20 days. I once had a server 2-3 years ago which ran pretty well, and after ca. 4 weeks it became a guard. But this one does not. And there is no output, it just quits. I have it in non-daemon mode as it runs in a screen.
It's version 0.4.8.7 on Linux Debian 5.10.0-21.

Is there already some kind of control program, or should I control it via systemctl?

thanks
S


What are the specs of the system you're running it on? Also, do you have Fail2Ban installed? If not, you might benefit from installing it, as Tor relays are subject to a barrage of brute-force attacks.


Sorry for the delayed answer.
I had a virtual server @hetzner, a German provider; the server is located in Finland.
It was a Xeon, 1 core. Now I have an AMD with 2 cores and still a lot of this message, so my screen is full of them → “Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [809 similar message(s) suppressed in last 900 seconds]”

I don't know what to do. 2-3 years ago I also had just one core and the server became a guard after 3-4 weeks, but this one still keeps crashing.
I am controlling it via systemctl to restart the service immediately.
Do you have any advice?
BTW, you mentioned fail2ban. How do I configure it to prevent attacks?

Thanks
S.


The script below will help you install and set up the ufw firewall and Fail2Ban. As for your machine, it sounds like it gets overloaded, but that shouldn't make it crash. It is possible, but more likely your server is struggling with too many connection requests, and ufw and Fail2Ban should help to resolve this. Let me know how it works.

#!/bin/bash
## If not root, refuse to run (exit non-zero so callers notice)
if (( EUID != 0 )); then
    echo "Try running as root!"
    exit 1
fi

echo "Updating system and installing necessary packages..."

## Update the system and install necessary packages
apt update && apt upgrade -y
apt install -y ufw fail2ban rsyslog

## Function to get input with a default value
get_input_with_default() {
    local prompt=$1
    local default=$2
    local input
    read -r -p "$prompt [$default]: " input
    echo "${input:-$default}"
}

## Prompt for necessary variables with default values
SSHPORT=$(get_input_with_default "Enter SSH Port" "22")
ControlPort=$(get_input_with_default "Enter Control Port" "9051")
ORPort=$(get_input_with_default "Enter OR Port" "9001")
DirPort=$(get_input_with_default "Enter Directory Port" "9030")
SocksPort=$(get_input_with_default "Enter Tor SOCKS Port" "0")

echo "Setting up and enabling firewall..."

## Set up and enable UFW (the ControlPort is asked for but not opened to the internet)
ufw default deny incoming
ufw default allow outgoing
ufw allow "$SSHPORT"/tcp
ufw allow "$ORPort"/tcp
ufw allow "$DirPort"/tcp
if [ "$SocksPort" != 0 ]; then
    ufw allow "$SocksPort"/tcp
fi
ufw enable

echo "We now need to set up the SSHD and its fail2ban jail..."

## Function to configure root login and SSH port for SSHD
configure_sshd_settings() {
    local sshd_config="/etc/ssh/sshd_config"
    local temp_file allow_root_ssh permit_root_login
    temp_file=$(mktemp)

    ## Prompt for allowing root login
    echo "Do you want to allow root to SSH? [yes/no]"
    read -r allow_root_ssh
    case "$allow_root_ssh" in
        yes|YES|y|Y) permit_root_login="yes";;
        no|NO|n|N) permit_root_login="no";;
        *) echo "Invalid input. Defaulting to 'no'."; permit_root_login="no";;
    esac

    ## Update sshd_config; mktemp creates 0600 files, so restore the usual mode afterwards
    awk -v permit_root_login="$permit_root_login" -v ssh_port="$SSHPORT" '
    /^#?Port / { print "Port " ssh_port; next }
    /^#?PermitRootLogin / { print "PermitRootLogin " permit_root_login; next }
    { print }
    ' "$sshd_config" > "$temp_file" && mv "$temp_file" "$sshd_config"
    chmod 644 "$sshd_config"

    ## Validate the config before restarting so a bad edit cannot lock you out
    if sshd -t; then
        systemctl restart sshd
    else
        echo "sshd_config failed validation (sshd -t); SSH was NOT restarted."
    fi
}

## Run the function to configure SSHD settings
configure_sshd_settings

## Function to configure the sshd jail in jail.conf with defaults
configure_sshd_in_jail_conf() {
    local jail_conf_path="/etc/fail2ban/jail.conf"
    local temp_file ignoreip maxretry findtime bantime
    temp_file=$(mktemp)

    ## Get user inputs with defaults
    ignoreip=$(get_input_with_default "Enter ignoreip" "127.0.0.1")
    maxretry=$(get_input_with_default "Enter maxretry" "5")
    findtime=$(get_input_with_default "Enter findtime (e.g., 1w)" "1w")
    bantime=$(get_input_with_default "Enter bantime (e.g., 52w)" "52w")

    ## Insert the settings right after the [sshd] header and point the jail's
    ## "port = ssh" line at the SSH port chosen above, otherwise a custom port
    ## would be left unprotected by the ban rule
    awk -v ignoreip="$ignoreip" -v maxretry="$maxretry" -v findtime="$findtime" \
        -v bantime="$bantime" -v ssh_port="$SSHPORT" '
    /^\[sshd\]$/ {
        in_sshd = 1;
        print;
        print "enabled = true";
        print "maxretry = " maxretry;
        print "findtime = " findtime;
        print "bantime = " bantime;
        print "ignoreip = " ignoreip;
        next;
    }
    /^\[/ { in_sshd = 0 }
    in_sshd && /^port[ \t]*=/ { print "port = " ssh_port; next }
    { print }
    ' "$jail_conf_path" > "$temp_file" && mv "$temp_file" "$jail_conf_path"
    chmod 644 "$jail_conf_path"
}

## Configure sshd in jail.conf with defaults
configure_sshd_in_jail_conf

## Function to configure fail2ban settings
configure_fail2ban_settings() {
    local fail2ban_config="/etc/fail2ban/fail2ban.conf"
    local temp_file allowipv6 dbpurgeage
    temp_file=$(mktemp)

    ## Prompt for allowing ipv6
    echo "Do you want fail2ban to allow IPv6? [yes/no/auto]"
    read -r allowipv6
    case "$allowipv6" in
        yes|YES|y|Y) allowipv6="yes";;
        no|NO|n|N) allowipv6="no";;
        auto|AUTO|a|A) allowipv6="auto";;
        *) echo "Invalid input. Defaulting to 'auto'."; allowipv6="auto";;
    esac

    ## Prompt for dbpurgeage
    dbpurgeage=$(get_input_with_default "Enter dbpurgeage" "1000d")

    ## Update fail2ban config
    awk -v allowipv6="$allowipv6" -v dbpurgeage="$dbpurgeage" '
    /^#?allowipv6/ { print "allowipv6 = " allowipv6; next }
    /^#?dbpurgeage/ { print "dbpurgeage = " dbpurgeage; next }
    { print }
    ' "$fail2ban_config" > "$temp_file" && mv "$temp_file" "$fail2ban_config"
    chmod 644 "$fail2ban_config"
}

## Call the function
configure_fail2ban_settings

## Copy the edited fail2ban config files to *.local files, which take
## precedence over *.conf and are not touched by package upgrades
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

echo "Starting system services..."

## Start rsyslog service
systemctl enable rsyslog
systemctl start rsyslog

## Enable Fail2Ban; restart rather than start, because apt already started it
## and a plain start would leave the old configuration loaded
systemctl enable fail2ban
systemctl restart fail2ban
systemctl restart tor


Hello,

Thanks for the script; however, I didn't run it, as I already have manually configured iptables. I just changed by hand what both scripts would have done.
I still get those error messages:

“Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [1061 similar message(s) suppressed in last 1020 seconds]”

Last week I changed the RelayBandwidthRate to 10 (it was 15),
so I had fewer error messages.
Then I changed it to 5 and added ‘MaxAdvertisedBandwidth 5MB’;
again fewer errors.
Today I changed everything to 3 MB. Well, that error message above is from 22 min after reloading Tor.

I don't know what to do.
The funny thing is I had a v-Server @hetzner 2-3 years ago with just 1 core and 15MB RelayBandwidthRate without any problems.

What am I doing wrong?

thanks.
S.
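One way to put numbers on what the poster is judging by eye ("fewer errors" after each bandwidth change), as an added example that is not from the thread: a small shell function that sums the suppression counters in the notice and reports notices per minute, so two log windows can be compared. It assumes the relay logs to journald under the unit name tor (the poster runs Tor in a screen, so the lines would come from there instead); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: turn the "too slow to handle this many
# circuit creation requests" notices into a rate, using the
# "[N similar message(s) suppressed in last S seconds]" suffix Tor appends,
# so the effect of a RelayBandwidthRate / MaxAdvertisedBandwidth change can
# be compared as notices per minute instead of by eye.
# Assumed usage on the relay: journalctl -u tor --since "-2h" | circuit_overload_rate

# Reads Tor log lines on stdin; each notice counts as 1 + N suppressed copies,
# and the suppression windows are summed to get the observed time span.
circuit_overload_rate() {
    awk '
    /too slow to handle this many circuit creation requests/ {
        n = 1; s = 0
        if (match($0, /\[[0-9]+ similar message/)) {
            n += substr($0, RSTART + 1, RLENGTH - 1) + 0   # suppressed count N
        }
        if (match($0, /in last [0-9]+ seconds\]/)) {
            s = substr($0, RSTART + 8) + 0                 # window seconds S
        }
        total += n; secs += s
    }
    END {
        if (secs == 0) secs = 1   # only first-occurrence notices: avoid /0
        printf "%d notices over %d s = %.1f per minute\n", total, secs, total * 60 / secs
    }'
}

# Constructed sample in journald format. The two suppression counts are the
# ones quoted in the thread; the heartbeat line is ignored and the first
# notice (no suffix yet) counts once.
SAMPLE_LOG='May 08 03:20:00 relay Tor[1234]: Heartbeat: Tor uptime is 1 day 0:00 hours
May 08 03:25:00 relay Tor[1234]: Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy.
May 08 03:40:00 relay Tor[1234]: Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [809 similar message(s) suppressed in last 900 seconds]
May 08 03:57:00 relay Tor[1234]: Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [1061 similar message(s) suppressed in last 1020 seconds]'

printf '%s\n' "$SAMPLE_LOG" | circuit_overload_rate
```

Run it once before and once after a torrc change over the same length of window; if the per-minute figure does not drop, the bandwidth setting is not what limits the relay.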

It’s nothing you’re doing wrong. Many of my servers get the same message, mostly those with 2 vcores or less. I also find the amount of RAM affects this as well. So the only solution is to get more vcores and more RAM. I typically ignore the messages, as it doesn’t affect my server except that it puts a ceiling on the max bandwidth. You have to understand WHY this is happening: Tor has to encrypt and decrypt data, and that takes resources. As long as your server stops crashing you should be good.

Well, OK, thanks. CPU is running @10-45%, load average is 1.3, so this is nothing.
I had a 2nd server in the US, hosted by Hetzner, 1 core. Never ever saw such a message with a configured BW of 15, peak 20MB.
This one with the errors is in Finland.
Can you make something of this info?

Not all servers are equal. They all run different hardware and some are more powerful than others. My strongest performing servers are Webtropia, based out of Germany. They all have 4 vcores and 8 GB of RAM and I’m able to run 3 relays on each of them. They only cost €5, so it’s a great deal. Them and BlueVPS have been best for me.

If you run the command lscpu | grep 'Model' and go to PassMark - CPU Benchmarks - List of Benchmarked CPUs, you can see how your CPU stacks up.

Thanks man, Webtropia looks really amazing, much much more exciting than my hoster. 40TB traffic, 4 cores etc…
But, you know, I have some stuff over here incl. domains and so on…
It's not worth it.
In the meantime I have had no error messages for about 2 hours. I will stick with my 3MB max and 5MB peak.

Thanks anyway.
S.

They don’t enforce the 40TB limit, they will just limit your bandwidth to 25 MB/sec, which is plenty for running multiple relays. And of note none of my servers currently have this restriction and I’m well over the 40 TB/mo. limit. Anyway, best of luck with your current provider, hopefully the ufw and fail2ban help out.

Well, after reducing it to 3MB, I got a lot of:

03:47:27 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:47:14 2024)
03:47:12 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:47:00 2024)
03:46:03 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:45:53 2024)
03:45:37 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:45:24 2024)
03:45:11 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:44:59 2024)

I don't know how to get it stable… I think I have to close this project.