Unable to login to relay server when Tor is running

Sven Olaf Kamphuis sven at cb3rob.net
Fri Jan 15 11:02:29 UTC 2010


this sounds like either running out of file descriptors or some shitty 
iptables anti-ddos script

each tcp stream = 1 filedescriptor = a few kb of ram (never mind that, 
it's 2010 ;)

to check/change:

systemwide maximum:

a84-22-97-10:~# cat /proc/sys/fs/file-max
204135

file descriptors in use:

a84-22-97-10:~# cat /proc/sys/fs/file-nr
11840   0       204135

per process and its children (integrate it into /bin/login or 
something):

bash command: ulimit
tcsh command: limit

c-command: getrlimit() setrlimit() etc. (for direct integration into the 
/bin/login code and/or crontab on shell servers etc or into the wrapper 
that starts your tor daemon in your case ;)

a84-22-97-10:~# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
max nice                        (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) unlimited
max rt priority                 (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

in all cases, when exceeding either the system or per-process-tree 
rlimits, there will be something displayed like "fork() resource 
unavailable".

(of course you already need access at that point so you'd better have a 
local console/serial console already logged in at all times as otherwise 
it can't exec bash while logging in either ;)

could also be some shitty iptables counter based "ddos filter" which you 
may use (god knows why people use those, they cause more trouble than 
they're good for; just integrate attack filtering into your server 
software code and make sure "fake" connections take up as few resources 
as possible for as short a time as possible, by running proxies in front 
of the real webserver for example that do the connection-per-ip-per-time 
counting and only take a few kb)

these so-called "ddos protection" scripts using iptables actually cause
similar problems to what you describe above, not just for tor, for any
service that's "used a lot", so just don't use them, they're crap ;).

ports that aren't open don't need "protection" in the first place, and you 
can always just DROP anything you don't want, much easier and less chance 
of it fucking up, let's say, ssh access.


On Tue, 12 Jan 2010, Markus Petersen wrote:

> Dear fellow Tor users,
>
> I have a problem that I hope someone is able to help me solve. I want
> to run a Tor relay (non-exit for the time being) on my VPS. The VPS has
> got 1GiB of memory, plenty of bandwidth, and I've got about 5TiB of
> traffic to spare each month, which I'd like to give to the Tor network.
>
> The problem is, when the relay has been running for some time (I haven't
> measured when exactly), I am unable to connect to my server. Neither ssh
> nor imap-logins work anymore. I tried rate-limiting the relay to
> 5000kBps and then 1000kBps, with the same results. The only thing that
> solves it is when I restart the server and disable Tor again.
>
> In short: what do I do now? Has anyone got any clue as to what the
> problem might be? I have a wild guess of the server not being able to
> have that many TCP connections, but how do I check something like that?
>
> Thank you!
>
> Regards,
> Markus
>
>
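The checks described in the reply above (reading /proc/sys/fs/file-nr for
the system-wide descriptor count, and using getrlimit()/setrlimit() from a
wrapper that starts the daemon) as one added example. This is not code from
the thread or from Tor; the function names, the 65536 target and the
constructed sample line are the example's own choices. It parses a file-nr
line, reports how full the kernel's descriptor table is, and raises the
calling process's soft open-files limit up to the hard limit so that a
daemon exec'd afterwards inherits it.

```c
/* Added example (not from the mailing-list thread): check the kernel's
 * file-descriptor accounting and raise this process's RLIMIT_NOFILE soft
 * limit before exec'ing a daemon, the way a start-up wrapper might.
 * Names and the target value below are this example's assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

struct fd_usage {
    unsigned long allocated;  /* descriptors currently handed out */
    unsigned long unused;     /* second column; 0 on modern kernels */
    unsigned long max;        /* same value as /proc/sys/fs/file-max */
};

/* Parse one line in the format of /proc/sys/fs/file-nr ("11840 0 204135").
 * Returns 0 on success, -1 if the line does not carry three numbers. */
int parse_file_nr(const char *line, struct fd_usage *out)
{
    if (sscanf(line, "%lu %lu %lu",
               &out->allocated, &out->unused, &out->max) != 3)
        return -1;
    return 0;
}

/* Percentage of the system-wide descriptor table in use, rounded down. */
unsigned int fd_usage_percent(const struct fd_usage *u)
{
    if (u->max == 0)
        return 100;
    return (unsigned int)((u->allocated * 100UL) / u->max);
}

/* Read the live value from /proc; returns -1 if the file is unavailable. */
int read_file_nr(struct fd_usage *out)
{
    char buf[128];
    FILE *f = fopen("/proc/sys/fs/file-nr", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_file_nr(buf, out);
}

/* Raise the soft RLIMIT_NOFILE to `want`, capped at the hard limit (only
 * root may raise the hard limit itself). Returns the soft limit now in
 * effect, or 0 on error. Children forked/exec'd afterwards inherit it. */
rlim_t raise_nofile_soft_limit(rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    if (want > rl.rlim_cur) {
        rl.rlim_cur = (want > rl.rlim_max) ? rl.rlim_max : want;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return 0;
    }
    return rl.rlim_cur;
}

int main(void)
{
    /* Constructed sample line, in the format shown in the thread. */
    const char *sample = "11840   0       204135\n";
    struct fd_usage u;

    if (parse_file_nr(sample, &u) == 0)
        printf("sample: %lu of %lu descriptors in use (%u%%)\n",
               u.allocated, u.max, fd_usage_percent(&u));
    if (read_file_nr(&u) == 0)
        printf("this host: %lu of %lu descriptors in use (%u%%)\n",
               u.allocated, u.max, fd_usage_percent(&u));

    /* 65536 is an assumed target, not a value from the thread. */
    rlim_t cur = raise_nofile_soft_limit(65536);
    printf("open files soft limit now: %lu\n", (unsigned long)cur);
    return 0;
}
```

Compile with `cc -o fdcheck fdcheck.c` and run it from the wrapper before
exec'ing the daemon; the raised soft limit is what `ulimit -n` would show in
a shell started from the same wrapper.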



More information about the tor-relays mailing list