
How to set up a Tor exit node on Debian and create a responsible torrc config file

Log into the box as root and do the following to set up Tor

(the box this was installed on was running Debian 8.5 x64)

  1. apt-get install -y tor ntp
  2. nano /etc/tor/torrc to edit your configuration file
  3. uncomment the “ORPort” setting line
  4. change the “ExitPolicy” lines as required to be relative
  5. uncomment and set the “ContactInfo” line to whatever you want your TorRelay to be named (publicly viewable)
  6. save file and exit
  7. service tor reload to restart the service and get the new edits working
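A quick audit of the file those steps produce, as an added example that is not part of the original post. `check_torrc` is a hypothetical helper name and the sample torrc is constructed; the catch-all check is there because tor appends its default exit policy to any ExitPolicy list that does not end in `reject *:*` or `accept *:*`.

```shell
#!/bin/sh
# Added example: audit a torrc after the edits in the steps above.
# check_torrc (hypothetical helper) prints one finding per line and
# returns non-zero if it found any. Pass a file name, or "-" for stdin.
check_torrc() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            key = tolower($1)              # torrc keywords are case-insensitive
            if (key == "orport" && NF > 1)      orport = 1
            if (key == "contactinfo" && NF > 1) contact = 1
            if (key == "exitpolicy") {
                n++
                rule = $0
                sub(/[ \t]*#.*$/, "", rule)            # drop inline comment
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", rule)  # drop the keyword
                m = split(rule, part, ",")             # rules may be comma-joined
                last = tolower(part[m])
                gsub(/^[ \t]+|[ \t]+$/, "", last)
            }
        }
        END {
            if (!orport)  { print "ORPort is not set"; bad = 1 }
            if (!contact) { print "ContactInfo is not set"; bad = 1 }
            if (n == 0) {
                print "no ExitPolicy lines: the default exit policy applies"; bad = 1
            } else if (last !~ /^(accept|reject)[ \t]+\*:\*$/) {
                print "ExitPolicy lacks a final catch-all: default policy is appended"; bad = 1
            }
            exit bad
        }
    ' "${1:--}"
}

# Constructed sample: ORPort still commented out, no catch-all rule.
check_torrc - <<'EOF' || true
#ORPort 9001
ContactInfo abuse@relay.example
ExitPolicy accept *:80,accept *:443
EOF
```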

Copy of our current torrc file

We highly encourage using a more advanced, modified version of the torrc configuration file. This helps out the Tor community by preventing known malicious botnet traffic (ransomware, crimeware and malware) from using your Tor relay or exit node. We recommend using the ‘Crimeware and Ransomware Prevention - ExitPolicy’ reject list from tornull together with the Reduced Exit Policy from the Tor Project. Configuring an advanced ExitPolicy will help cut down on abuse complaints from your ISP and on server terminations, and will prevent a decent amount of malicious activity from using your server.

Where to host a tor exit node

We’re using DigitalOcean for this. A $10/m droplet using Debian 8 x64, 1 GB Memory / 30 GB Disk / 2 TB transfer and hosted at the DO Frankfurt, Germany location. DO is sorta weird when it comes to bandwidth usage. I submitted a support ticket asking about how to monitor overall BW usage at the DO backend level and they replied with basically “you can’t and we won’t charge you for exceeding the 2TB bw limit”..hrm. I certainly used way over 2TB of bw in October but my bill was only $10. So, ya, that’s really good. A lot of others recommend using OVH as well for Tor exit nodes. If you want to consider all of the best hosting options, here is a neat list of current Tor Exit Nodes listed by ISP and here is a list of good/bad Tor hosting providers.

What to do if you get an abuse complaint

If you run the default, stock ExitPolicy while running an exit node, you will most likely get abuse complaints within ~72 hours.

Luckily for us, the Tor Project provides some base templates to use depending on the type of abuse complaint that comes in. You can view them all here. The best way to handle abuse complaints is to set up your exit node so that they are less likely to be sent in the first place.

Within ~24 hours of setting up our exit node that used the default stock ExitPolicy, two abuse complaints rolled in.

The first abuse complaint was an auto-generated complaint from a box with fail2ban on it. Someone used the Tor exit node to attempt to brute-force logins on another server.

The second abuse complaint was a claimed copyright infringement notice from a company, IP-Echelon, an anti-piracy firm that works with copyright holders to protect their data online. Looks like this law firm has a script set up that scans torrent links they own and then subpoena/contact every single IP that downloads movies belonging to their client (Paramount Pictures Corporation). In this case it looks like it was a Shrek the Third bluray torrent. Here is a good template to use for DMCA complaints like this.

Evidentiary Information:
Protocol: BITTORRENT
Infringed Work: Shrek the Third
Infringing FileName: Shrek the Third (BDrip 1080p ENG-ITA-GER-SPA-TUR) x264 bluray (2007)
Infringing FileSize: 4736643065
Infringer’s IP Address: 46.101.98.208
Infringer’s Port: 45697
Initial Infringement Timestamp: 2016-09-01T09:24:12Z

IMO, the best way to deal with abuse complaints generated from your Tor exit node is to respond and say you will add their IP ranges to your ExitPolicy reject rules. This lets your ISP know you’re down to be pro-active about abuse as well as lets the complainer know you want to help stop the abuse from happening.
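One way to add a complainant's ranges to the reject rules, as an added example that is not part of the original post. `add_reject` is a hypothetical helper name, and the torrc and address block are constructed; the new rules go ahead of the existing ExitPolicy lines because tor evaluates the policy first to last and the first match wins.

```shell
#!/bin/sh
# Added example: put reject rules for a complainant's ranges ahead of the
# existing ExitPolicy lines. add_reject (hypothetical helper) writes the
# updated torrc to stdout; pass a file name, or "-" for stdin.
add_reject() {
    file=$1; shift
    for net in "$@"; do
        # Only dotted-quad IPv4 with an optional /0-32 prefix is accepted.
        printf '%s\n' "$net" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
            { echo "refusing invalid range: $net" >&2; return 2; }
    done
    awk -v nets="$*" '
        BEGIN { n = split(nets, want, " ") }
        { line[NR] = $0 }
        tolower($1) == "exitpolicy" {
            if (!first) first = NR          # insertion point: first policy line
            if (tolower($2) == "reject")    # skip ranges already rejected
                for (i = 1; i <= n; i++)
                    if ($3 == (want[i] ":*")) have[i] = 1
        }
        END {
            if (!first) first = NR + 1      # no policy yet: append at the end
            for (l = 1; l <= NR + 1; l++) {
                if (l == first)
                    for (i = 1; i <= n; i++)
                        if (!have[i]) print "ExitPolicy reject " want[i] ":*"
                if (l <= NR) print line[l]
            }
        }
    ' "$file"
}

# Constructed torrc and documentation-range address block.
add_reject - 203.0.113.0/24 <<'EOF'
ORPort 9001
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
EOF
```

Write the output to a new file and check it with `tor --verify-config -f <file>` before replacing /etc/tor/torrc and running `service tor reload`.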

So as you can see, you will have a lot fewer headaches and worries if you set up an advanced Tor ExitPolicy to avoid a lot of these drama llamas. You can also set up fail2ban to harden your server and prevent any hacking/brute-force SSH attempts on it.

To make people hella sure our exit node IP is not trying to be malicious, we had to throw up a clear message, http://46.101.98.208/. All you have to do is set up Apache and then edit the index.html file located in /var/www/html.

Thanks for wanting to learn more about setting up a Tor exit node and hopefully this was at least 1% helpful for you.

Additional reading

Stats on our current exit node
https://atlas.torproject.org/#details/D33E1E8F1B9FF03FD2683CE75AA760F75CA30363

Running a Tor Exit Node for fun and e-mails
https://blog.daknob.net/running-a-tor-exit-node-for-fun-and-e-mails/

Fail2ban commands and reporting
http://www.the-art-of-web.com/system/fail2ban-log/

TorWorld
TorWorld FastExit and FastRelay
Easy setup of a Tor Exit node or Tor Relay with a responsible ExitPolicy pre-made to cut down on abuse.

Tor Null
Tor Null Advisory BL

Tor subreddit
/r/tor

Donate Bitcoin to keep our DC225 Tor exit node alive and maintained: 1Knbz4isVBZiCQxGHnYii26HkXcGwJTeYP
<3