Hi all,
Some noob questions about controlling/monitoring my Tor relay on a Linux box... hosted in an ISP datacenter, so WAN IP and ports are shown to the www. I got SSH access. I've found tor-arm console UI, useful to show real-time bandwidth used, and other stuff.
1. If possible, I need to know if my current config is secure and useful, torrc contains:
    ControlPort 9051
    HashedControlPassword xxxxxxxxxxx
    CookieAuthentication 0
2. On some websites, I see screenshots with something like this on control config: /var/run/tor/control
   Maybe it's more secure on an online server? No need to have another listening port like 9051. Sry I haven't found any information about this config... and how to make it possible...
Thx for your help !
Hi,
the control port should bind to 127.0.0.1 or ::1. If so it's ok.
~Josef
On 27.01.2016 at 10:05, Pierre L. wrote:
> Hi all,
> Some noob questions about controlling/monitoring my Tor relay on a Linux box... hosted in an ISP datacenter, so WAN IP and ports are shown to the www. I got SSH access. I've found tor-arm console UI, useful to show real-time bandwidth used, and other stuff.
> - If possible, I need to know if my current config is secure and useful, torrc contains:
>     ControlPort 9051
>     HashedControlPassword xxxxxxxxxxx
>     CookieAuthentication 0
> - On some websites, I see screenshots with something like this on control config: /var/run/tor/control
>   Maybe it's more secure on an online server? No need to have another listening port like 9051. Sry I haven't found any information about this config... and how to make it possible...
> Thx for your help !
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thx Josef for your answer. (IPv4 only here...) So if I've understood, to limit online attacks, the torrc config will be changed from
    ControlPort 9051
    HashedControlPassword xxxxxxxxxxx
    CookieAuthentication 0
to:
    ControlPort 127.0.0.1:9051
    HashedControlPassword xxxxxxxxxxx
    CookieAuthentication 0
Thx.
On 27/01/2016 10:14, Josef 'veloc1ty' Stautner wrote:
> Hi,
> the control port should bind to 127.0.0.1 or ::1. If so it's ok.
> ~Josef
Hi Pierre. Nope, no need to change your torrc - the control port is only available on localhost by default (not sure why Josef said that).
I'd suggest using just password auth *or* a cookie auth. Using both doesn't make you more secure, it simply allows controllers to authenticate with either. Cookie auth is the easiest to work with. For a little more information on this see...
https://stem.torproject.org/tutorials/the_little_relay_that_could.html
Using a ControlSocket rather than a ControlPort wouldn't hurt, but I'd say the config you have is just fine.
On Wed, Jan 27, 2016 at 1:45 AM, Pierre L. <petrus@miosweb.mooo.com> wrote:
> Thx Josef for your answer. (IPv4 only here...) So if I've understood, to limit online attacks, the torrc config will be changed from
>     ControlPort 9051
>     HashedControlPassword xxxxxxxxxxx
>     CookieAuthentication 0
> to:
>     ControlPort 127.0.0.1:9051
>     HashedControlPassword xxxxxxxxxxx
>     CookieAuthentication 0
> Thx.
Thx to you 2 for those useful explanations and url to read. Now it's ok for me for this question. Thx
On 27/01/2016 17:07, Damian Johnson wrote:
> Hi Pierre. Nope, no need to change your torrc - the control port is only available on localhost by default (not sure why Josef said that).
> I'd suggest using just password auth *or* a cookie auth. Using both doesn't make you more secure, it simply allows controllers to authenticate with either. Cookie auth is the easiest to work with. For a little more information on this see...
> https://stem.torproject.org/tutorials/the_little_relay_that_could.html
> Using a ControlSocket rather than a ControlPort wouldn't hurt, but I'd say the config you have is just fine.
On 28 Jan 2016, at 03:07, Damian Johnson <atagar@torproject.org> wrote:
> Hi Pierre. Nope, no need to change your torrc - the control port is only available on localhost by default (not sure why Josef said that).
Some FreeBSD jail and OpenVZ configs assign 127.0.0.1 to a non-loopback interface. We're working on detecting that in Trac ticket #17901; until then, it's more reliably secure to use a ControlSocket on these systems.
Alternately, you can confirm that:
* The first IP address assigned to the FreeBSD jail is not a public address (FreeBSD redirects jail connections to 127.0.0.1 to the first jail IP address), or
* OpenVZ has not assigned 127.0.0.1 to a non-loopback interface; you want it on lo* rather than venet* (you can use ifconfig or similar to check this)
https://trac.torproject.org/projects/tor/ticket/17901
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
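The checks discussed in this thread, combined into one audit, as an added example that is not code from any of the posters or from the Tor project: it reads a torrc and an interface listing, reports a ControlPort bound to a non-loopback address or opened without authentication, and flags 127.0.0.1 sitting on a non-lo* interface (the OpenVZ case; the FreeBSD jail check is not covered). The function names are hypothetical, the interface listings are constructed in the format printed by `ip -o -4 addr show`, and option names are matched case-insensitively as an assumption.

```python
import ipaddress
import re

def parse_torrc(text):
    """Yield (option, first argument) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield parts[0].lower(), parts[1]

def loopback_misassigned(ip_addr_output):
    """Interfaces other than lo* that carry 127.0.0.1 (`ip -o -4 addr show` format)."""
    stray = []
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+?)/", line)
        if m and m.group(2) == "127.0.0.1" and not m.group(1).startswith("lo"):
            stray.append(m.group(1))
    return stray

def audit(torrc_text, ip_addr_output):
    """Return a list of findings for the control-channel settings in a torrc."""
    opts = list(parse_torrc(torrc_text))
    findings, tcp_hosts = [], []
    for key, value in opts:
        if key != "controlport" or value == "0" or value.startswith("unix:"):
            continue  # disabled, or a Unix socket rather than a TCP listener
        # A bare port (or "auto") listens on localhost only.
        host = value.rpartition(":")[0].strip("[]") or "127.0.0.1"
        tcp_hosts.append(host)
        try:
            exposed = not ipaddress.ip_address(host).is_loopback
        except ValueError:
            exposed = True  # not an IP literal: treat as unverified
        if exposed:
            findings.append(f"ControlPort bound to non-loopback address {host}")
    has_auth = ("cookieauthentication", "1") in opts or any(
        key == "hashedcontrolpassword" for key, _ in opts)
    if tcp_hosts and not has_auth:
        findings.append("ControlPort open without password or cookie authentication")
    stray = loopback_misassigned(ip_addr_output)
    if tcp_hosts and stray:
        findings.append("127.0.0.1 is on " + ", ".join(stray) + "; prefer ControlSocket")
    return findings

# Constructed sample inputs: the torrc from the thread and two interface listings.
PAGE_TORRC = "ControlPort 9051\nHashedControlPassword xxxxxxxxxxx\nCookieAuthentication 0\n"
NORMAL_HOST = "1: lo    inet 127.0.0.1/8 scope host lo\n2: eth0    inet 203.0.113.10/24 scope global eth0\n"
OPENVZ_GUEST = "1: lo    inet 127.0.0.1/8 scope host lo\n2: venet0    inet 127.0.0.1/32 scope host venet0\n"

if __name__ == "__main__":
    for name, listing in (("normal host", NORMAL_HOST), ("OpenVZ guest", OPENVZ_GUEST)):
        print(name, audit(PAGE_TORRC, listing) or "no findings")
```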