Tor crashes after 20 days

Hello there,

got a Tor server running on a root server, but it crashes always after 20 days. Once I head a server 2-3 years ago, which ran pretty good and after ca. 4 weeks it became a quard. But this on is not. and no output its just no. I have it no daemon mode as it runns in a screen.
Its version on linux debian 5.10.0-21.

Is there alread ysome kind of controll programm or should I controll it via systemctl?


1 Like

What are the specs of the system your running it on? Also do you have Fail2Ban installed? If not you might benefit from installing it as Tor relays are subject to a barrage of brute force attacks.

1 Like

sorry for the delayed answer.
I had a virtual Server @hetzner in german -server located in finnland.
It was a xeon 1core. Now I have an AMD -2 cores and still a lot of this message, - so my screen is full of them → “Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [809 similar message(s) suppressed in last 900 seconds]”

I dont know what to do, 2-3 years ago I also had just a one core and the server became a guard after 3-4 weeks. but this one still crashes always.
I am controlling it wie systemctl to restart the service imediately.
Do you have any advise?
btw. you mentioned fail2ban. How to config to prevent attacks?


1 Like

The script below will help you install and setup ufw firewall and Fail2Ban. As far as your machine goes, it sounds like it gets overloaded, but that shouldn’t make it crash. It is possible, but more likely your server is struggling with too many connection requests and ufw and Fail2Ban should help to resolve this. Let me know how it works.

#if not root, run as root
if (( $EUID != 0 )); then
echo “Try Running As Root!”

###Function to get input with a default value
echo “Updating system and installing necessary packages…”

##Update the system and install necessary packages
apt update && apt upgrade -y
apt install -y ufw fail2ban rsyslog

##Prompt for necessary variables with default values
get_input_with_default() {
local prompt=$1
local default=$2
read -p "$prompt [$default]: " input
echo “${input:-$default}”

SSHPORT=$(get_input_with_default “Enter SSH Port” “22”)
ControlPort=$(get_input_with_default “Enter Control Port” “9051”)
ORPort=$(get_input_with_default “Enter OR Port” “9001”)
DirPort=$(get_input_with_default “Enter Directory Port” “9030”)
SocksPort=$(get_input_with_default “Enter Tor SOCKS Port” “0”)

echo “Setting up and enabling firewall…”

##Set up and enable UFW
ufw default deny incoming
ufw default allow outgoing
ufw allow $SSHPORT/tcp
ufw allow $ORPort/tcp
ufw allow $DirPort/tcp
if [ “$SocksPort” != 0 ];
ufw allow $SocksPort/tcp
ufw enable

echo “We now need to set up the SSHD and its fail2ban jail…”

##Function to configure root login and SSH port for SSHD
configure_sshd_settings() {
local sshd_config=“/etc/ssh/sshd_config”
local temp_file=$(mktemp)

##Prompt for allowing root login
echo "Do you want to allow root to SSH? [yes/no]"
read allow_root_ssh
case "$allow_root_ssh" in
    yes|YES|y|Y) permit_root_login="yes";;
    no|NO|n|N) permit_root_login="no";;
    *) echo "Invalid input. Defaulting to 'no'."; permit_root_login="no";;

##Update sshd_config
awk -v permit_root_login="$permit_root_login" -v ssh_port="$SSHPORT" '
/^#?Port/ { print "Port " ssh_port; next }
/^#?PermitRootLogin/ { print "PermitRootLogin " permit_root_login; next }
{ print }
' "$sshd_config" > "$temp_file" && mv "$temp_file" "$sshd_config"

##Restart the SSH service to apply changes
systemctl restart sshd


##Run the function to configure SSHD settings

##Function to configure sshd in jail.conf with defaults
configure_sshd_in_jail_conf() {
local jail_conf_path=“/etc/fail2ban/jail.conf”
local temp_file=$(mktemp)

##Get user inputs with defaults
local ignoreip=$(get_input_with_default "Enter ignoreip" "")    
local maxretry=$(get_input_with_default "Enter maxretry" "5")
local findtime=$(get_input_with_default "Enter findtime (e.g., 1w)" "1w")
local bantime=$(get_input_with_default "Enter bantime (e.g., 52w)" "52w")

awk -v ignoreip="$ignoreip" -v maxretry="$maxretry" -v findtime="$findtime" -v bantime="$bantime" '
/^\[sshd\]$/ {
    print "enabled = true";
    print "maxretry = " maxretry;
    print "findtime = " findtime;
    print "bantime = " bantime;
    print "ignoreip = " ignoreip;
{ print }
' "$jail_conf_path" > "$temp_file" && mv "$temp_file" "$jail_conf_path"

##Configure sshd in jail.conf with defaults

##Function to configure fail2ban settings
configure_fail2ban_settings() {
local fail2ban_config=“/etc/fail2ban/fail2ban.conf”
local temp_file=$(mktemp)

##Prompt for allowing ipv6
echo "Do you want fail2ban to allow IPv6? [yes/no/auto]"
read -r allowipv6
case "$allowipv6" in
    yes|YES|y|Y) allowipv6="yes";;
    no|NO|n|N) allowipv6="no";;
    auto|AUTO|a|A) allowipv6="auto";;
    *) echo "Invalid input. Defaulting to 'auto'."; allowipv6="auto";;

##Prompt for dbpurgeage
local dbpurgeage
dbpurgeage=$(get_input_with_default "Enter dbpurgeage" "1000d")

##Update fail2ban config
awk -v allowipv6="$allowipv6" -v dbpurgeage="$dbpurgeage" '
/^#?allowipv6/ { print "allowipv6 = " allowipv6; next }
/^#?dbpurgeage/ { print "dbpurgeage = " dbpurgeage; next }
{ print }
' "$fail2ban_config" > "$temp_file" && mv "$temp_file" "$fail2ban_config"


##Call the function

##Copy fail2ban config files to *.local files
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

echo “Starting system services…”

##Start rsyslog service
systemctl enable rsyslog
systemctl start rsyslog

##Start Fail2Ban service
systemctl enable fail2ban
systemctl start fail2ban
systemctl restart tor

1 Like


thanks for the script , however I didnt run it, as I already have manually configured Iptables. Just changed by hand what both scripts would have done.
Still got those error messages.:

“Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit
│ policy. [1061 similar message(s) suppressed in last 1020 seconds]”

last week I changed the RelayBandwidthRate to 10 (it was 15).
so I head less error message.
Then I changed it to 5 and added ‘MaxAdvertisedBandwidth 5MB’
again less errors.
Today I changed everything to 3 MB. Well that error message is from above is from 22 min after reloading TOR.

dunno what to do.
The funny thing is I haed an v-Server @hetzner 2-3 years ago with just 1 core. and 15MB RelayBandwidthRate without any problems.

What am I doing wrong?


1 Like

It’s nothing you’re doing wrong. Many of my servers get the same message, mostly those with 2 vcores or less. I also find amount of RAM affects this as well. So the only solution is to get more vcores and more RAM. I typically ignore the messages as it doesn’t affect my server except it puts a ceiling on the max bandwidth. You have to understand WHY this is happening is because Tor is having to encrypt and decrypt data, that takes resources. As long as your server stops crashing you should be good.

1 Like

well, ok thanks. CPU is running @10-45% LoadAvarage is 1.3 so this is nothing.
I head a 2. server in the US - hosted by Hetzner, 1Core. Never ever saw such a message with a configured BW with 15, peek 20MB.
This one with the errors is in Finnland.
Can you build something with this info?

1 Like

Not all servers are equal. They all run different hardware and some are more powerful than others. My strongest performing servers are Webtropia based out of Germany. They all have 4 vcores and 8gb of RAM and I’m able to run 3 relays on them each. They only cost €5, so it’s a great deal. Them and BlueVPS have been best for me.

If you run the command: lscpu | grep ‘Model’ , and go to PassMark - CPU Benchmarks - List of Benchmarked CPUs you can see how your CPU stacks up.

1 Like

thanks man, webtropia looks really amazing. much much more exciting than my hoster. 40TB traffic, 4 cores etc…
but, you know I have some stuff over here incl. domains and so on…
its not worth it.
In the mean time I had no error messages for about 2 hours. I will stick with my 3MB max and 5MB peek.

Thanks anyway.

1 Like

They don’t enforce the 40TB limit, they will just limit your bandwidth to 25 MB/sec, which is plenty for running multiple relays. And of note none of my servers currently have this restriction and I’m well over the 40 TB/mo. limit. Anyway, best of luck with your current provider, hopefully the ufw and fail2ban help out.

1 Like

Well, after reduced it to 3MB, I got a lot of:
│ 03:47:27 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:47:14 2024)
│ 03:47:12 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:47:00 2024)
│ 03:46:03 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:45:53 2024)
│ 03:45:37 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:45:24 2024)
│ 03:45:11 [NYX_NOTICE] Relay unresponsive (last heartbeat: Wed May 8 03:44:59 2024)
I dont know hot to get it stable… I think I have to close this project :frowning:

1 Like