On Wed, 2013-09-25 at 19:10 +0300, Joe wrote:
Hi,
I'm planning to run a Tor relay on a spare computer at home. Security is a concern, and not only regarding the machine running the relay but also my other computers. Are there any (theoretical or otherwise) known attacks a person can perform on a running Tor relay to take remote control of it, and assuming the said person could pull that off, is it possible to extend this control to the other computers behind the same router? I am aware of possible DDoS attacks and other risks related to running an exit, but I am comfortable in taking these chances in my environment.
I would run the relay on a yet-undecided-Linux distro, possibly Mint Debian or some flavor of Ubuntu which I am more familiar with, and use full-disk encryption with strong passwords. Are there any risks to my other computers worth consideration?
Thanks.
Hello Joe!
No absolute security exists, running Tor or not. All software has undiscovered bugs and is theoretically exploitable. Since we migrated from assembly to higher-level languages (and possibly before) we hid the CPU logic and added many layers of code which is run without the knowledge of programmers. There is no way to assert the negative: "there's no theoretical way of exploiting Tor". The one who says that is only telling of his own ignorance.
Despite this, you should understand what Tor does to at least prepare for Tor-related attacks. Tor redirects other Tor users' network communications through your machine using standard TCP/IP. So one thing you should do is to have a firewall enabled with appropriate rules. Everything closed except for open Tor ports. You may also run Tor on its own network interface. You may run Tor on non-standard ports to avoid Tor-related scanning. If this machine is behind a router/gateway you could create a separate interface and isolate it from the rest of the LAN. If you are using Debian, "harden" is a package I recommend you to install. Use mutt to check for mail on system logs. Set some kind of automated backup (rsync, duplicity) of /var at least. You should also configure a firewall on the remaining machines.
If you need further help, ask here. But be sure to at least RTFM before.
C u
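
The firewall advice in the reply above ("everything closed except for open Tor ports", keeping the relay apart from the rest of the LAN), written out as an added example that is not part of either message. The helper name `relay_ruleset`, the ports 9001/9030, the LAN 192.168.1.0/24 and the assumption that the gateway 192.168.1.1 is also the DNS resolver are constructed sample values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset (IPv4 only) for a relay host.
# All concrete values used below are constructed samples, not from the thread.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# relay_ruleset ORPORT DIRPORT LAN_CIDR GATEWAY_IP   (hypothetical helper)
relay_ruleset() {
    or=$1 dir=$2 lan=$3 gw=$4
    if ! valid_port "$or" || ! valid_port "$dir"; then
        echo "relay_ruleset: ports must be numbers in 1-65535" >&2
        return 1
    fi
    if [ -z "$lan" ] || [ -z "$gw" ]; then
        echo "relay_ruleset: LAN CIDR and gateway IP are required" >&2
        return 1
    fi
    # INPUT: default drop; only loopback, replies to our own traffic, and
    #        new TCP connections to the two Tor ports get through.
    # OUTPUT: Internet traffic is allowed; towards the LAN only DNS to the
    #        gateway (assumed resolver) is allowed, every other new
    #        connection to a LAN address is rejected.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $or -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $dir -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $gw -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $gw -p tcp --dport 53 -j ACCEPT
-A OUTPUT -d $lan -j REJECT
COMMIT
EOF
}

# Print the sample ruleset; to syntax-check it without loading, pipe the
# output to: iptables-restore --test
relay_ruleset 9001 9030 192.168.1.0/24 192.168.1.1
```

These rules live on the relay host itself, so anyone who gains root there can remove them; the router-level isolation and the firewalls on the other machines mentioned in the reply do not depend on the relay staying intact.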