Few tools for a Tor relay.
ipv4-rules.sh and ipv6-rules.sh filter ip addresses DDoSing a Tor relay and/or the network by opening dozens of TLS connections (a Tor client should open just 1 TLS connection and handle all circuits over that one connection) to the local ORPort in a short time (issue 40636).
Technically the ip addresses are stored in a so-called ipset which is blocked then. The current iptables rule set blocks about 200-500 addresses at these 2 relays (each serving about 10K connections).
The script ipset-stats.sh plots the histogram from those ip sets helping to optimize the filter rules:
for i in 1 2 3 4 5 6
do
ipset-stats.sh -d > /tmp/ipset.$i.txt
sleep 1800
done
ipset-stats.sh -p /tmp/ipset.?.txt
info.py gives a summary of a Tor relay:
$> info.py --ctrlport 9051
0.4.8.0-alpha-dev uptime: 2-08:25:40 flags: Fast, Guard, Running, Stable, V2Dir, Valid
+------------------------------+-------+-------+
| Type | IPv4 | IPv6 |
+------------------------------+-------+-------+
| Inbound to our OR from relay | 2269 | 809 |
| Inbound to our OR from other | 2925 | 87 |
| Inbound to our ControlPort | 2 | |
| Outbound to relay OR | 2823 | 784 |
| Outbound to relay non-OR | 4 | 4 |
| Outbound exit traffic | | |
| Outbound unknown | 40 | 29 |
+------------------------------+-------+-------+
| Total | 8063 | 1713 |
+------------------------------+-------+-------+
For a monitoring of exit connections use ps.py:
$> ps.py --ctrlport 9051
port # opened closed max ( "" ::1:9051, 8998 conns 0.28 sec )
853 3 3 1 1 (None)
5222 42 42 (Jabber)
5223 4 4 (Jabber)
5269 2 2 (Jabber)
6667 4 4 (IRC)
7777 3 3 (None)
orstatus.py logs the reasons of circuit closing events, orstatus-stats.sh made stats of its output.
key-expires.py returns the seconds till expiration of the mid-term signing key:
$> key-expires.py /var/lib/tor/data/keys/ed25519_signing_cert
7286915
You need the Python library Stem for the python scripts:
cd /tmp
git clone https://github.com/torproject/stem.git
export PYTHONPATH=$PWD/stem
gnuplot for the -stats.sh scripts and jq at least for get-authority-ips.sh.