On Sun, Jun 15, 2014 at 7:31 AM, Alexander Fortin alexander.fortin@gmail.com wrote:
> I’ve recently joined the Tor Project and I have been running a non-exit relay for a few days.
> I’m also a Puppet user and, more in general, I try to make deploying applications on the servers I administer as easy as possible, Tor included.
> I think Tor documentation to install on a Debian server is quite good, but I still prefer to have Puppet doing that for me, and I’m quite sure every Puppet user out there would think the same.
Hey, thanks for doing this! I have kinda wanted to put something similar together for a while but haven't had the time. Here are some thoughts, in no particular order:
Why do you disable directory mirroring? It's my understanding that this should basically always be on.
It would be nice if exit-relay mode enabled an HTTP "exit notice" as described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
Tor relays get pounded on by the script kiddies -- a degree of hardening is appropriate. I don't know if there are any stock Puppet "tighten security" modules but these are the things that I remember having done to mine. Note that my relays serve no other traffic and have no non-root user accounts; some of these configuration choices may be inappropriate for multi-use machines.
- install fail2ban and ufw; firewall incoming traffic to ports other than 9001, 9030, and 22 (ssh) (I don't think the marginal benefit of moving ssh to a nonstandard port is worth the hassle).
- sshd_config configuration tuning: beware that this will lock out any user account with no SSH authorized_keys!

    Protocol 2
    UsePrivilegeSeparation yes
    PermitRootLogin without-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    StrictModes yes
    X11Forwarding no
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- install logcheck and nullmailer; set /etc/nullmailer/adminaddr and /etc/nullmailer/remotes to values assigned in Puppet configuration; symlink /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will emit a great deal of chatter due to people knocking on the machine. I have custom ignore.d.server files to shut them up - basically I've set it to mail me only on *successful* logins. Let me know if you want 'em.)
- install unattended-upgrades and configure it to auto-upgrade everything. Unfortunately, the unattended-upgrades documentation is at pains to avoid explaining how to do that; this is what I have in /etc/apt/apt.conf.d/50unattended-upgrades:
    Unattended-Upgrade::Origins-Pattern {
        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";
        "o=TorProject,a=stable";
    };
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Mail "root";
    Unattended-Upgrade::MailOnlyOnError "true";
- I'd *like* to recommend pulling libssl from testing, but right now that also means upgrading libc, which seems unwise.
- I'd also like to recommend a kernel enhanced-security module, but I was unable to get SELinux to the point where I could turn enforcement on without breaking boot (and when I finally gave up and purged it, the relay I was testing that on sped up by 15%!), AppArmor seems too half-assed to actually be worth it, and Debian doesn't have grsec kernel packages.
zw
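As an added example that is not part of this thread, here is a small POSIX sh check that audits an sshd_config against the directives listed in the reply above, so a Puppet run (or a cron job) can flag drift from the intended hardening. It assumes directives use the "Keyword value" form rather than "Keyword=value", and the sample config it runs on is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config against the
# hardening directives in the reply above, print each one that is missing or
# set differently, and return their count. Assumes "Keyword value" syntax and,
# as sshd does, uses the first occurrence before any Match block.

audit_sshd_config() {
    file=$1
    failures=0
    while read -r key want; do
        actual=$(awk -v k="$key" '
            tolower($1) == "match" { exit }             # later lines are conditional
            tolower($1) == tolower(k) { print $2; exit }' "$file")
        if [ "$actual" != "$want" ]; then
            printf '%-32s want %s, found %s\n' "$key" "$want" "${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
EOF
    return "$failures"
}

# Constructed sample: mostly hardened, but root may still log in with a
# password and the Ciphers line is absent; the Match block must be ignored.
sample=$(mktemp)
cat >"$sample" <<'EOF'
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin yes
passwordauthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config and a non-zero exit status means at least one directive differs from the list; the keyword comparison is case-insensitive, as sshd's own parser is.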