Hi all,
I've been running a few fail relays over the past few years. All relays I run begin with the prefix "Telos". I've recently come across a really good deal http://www.soyoustart.com/ca/en/ on hosting..., and begun hosting "TelosTor" and "TelosTor2" from 192.99.8.96. I would welcome any comments on security. At the moment I do not have a stable IP to access them, so have defaulted to 1/min IP access for OpenSSH. I would relish the Tor community's feedback in order to further secure my tor exit node.
Thanks! Craig
Hello, I'm very interested in your endeavor, because SoYouStart is part of OVH, and they don't really like exit-relays a lot. Please inform us if your ISP does something against the relay.
Ad security: Make sure you use public-key ssh login and have any kind of password-login disabled. Try to find a secure storage for your private key, a smart card (YubiKey or OpenPGP smartcard for instance) or access the server only from a live OS and have the private key stored on a medium that you only use together with the live OS.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
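Alan's advice above (key-only login, password login disabled) and the later suggestions in this thread (no root login, bounded retries) are easy to state but easy to get wrong in sshd_config, since a later line or a Match block can silently override an earlier one. The following is an added example, not code from anyone in this thread: a small POSIX shell audit that reads the effective configuration as printed by `sshd -T` and flags each setting that does not match the recommendation. The sample configurations at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Audit the effective OpenSSH server config for the settings this thread
# recommends. Input: "keyword value" lines as printed by `sshd -T`, which
# resolves defaults and Match blocks, so an overridden directive is caught.
# Assumption: keywords are lowercased, as sshd -T prints them.

# expect_eq KEY VALUE WANT: print a finding line, return 0 on match.
expect_eq() {
    if [ "$2" = "$3" ]; then echo "ok   $1=$2"; else echo "FAIL $1=$2 (want $3)"; fi
    [ "$2" = "$3" ]
}

# check_sshd_config: read sshd -T output on stdin; return 0 only if every
# required setting is present and has the expected value.
check_sshd_config() {
    rc=0
    seen=""
    while read -r key value; do
        case "$key" in
            passwordauthentication)   expect_eq "$key" "$value" no  || rc=1 ;;
            # ChallengeResponseAuthentication was renamed in OpenSSH 8.7;
            # either spelling is a second password path and must be off.
            challengeresponseauthentication|kbdinteractiveauthentication)
                                      expect_eq "$key" "$value" no  || rc=1 ;;
            pubkeyauthentication)     expect_eq "$key" "$value" yes || rc=1 ;;
            permitrootlogin)          expect_eq "$key" "$value" no  || rc=1 ;;
            permitemptypasswords)     expect_eq "$key" "$value" no  || rc=1 ;;
            maxauthtries)
                [ "$value" -le 4 ] || { echo "FAIL $key=$value (want <= 4)"; rc=1; } ;;
        esac
        seen="$seen $key"
    done
    # A core keyword that never appears means the input was not sshd -T output.
    for k in passwordauthentication pubkeyauthentication permitrootlogin; do
        case " $seen " in *" $k "*) ;; *) echo "FAIL $k not reported"; rc=1 ;; esac
    done
    return $rc
}

# Constructed samples: a permissive config and the hardened one the thread asks for.
WEAK_CONFIG='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin yes
permitemptypasswords no
maxauthtries 6
challengeresponseauthentication yes'

HARDENED_CONFIG='passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
permitemptypasswords no
maxauthtries 3
kbdinteractiveauthentication no'

# On a live host: sudo sshd -T | check_sshd_config
```

Run it against the live daemon rather than the file on disk; the thread's "key auth only" goal is met only when both password and keyboard-interactive paths are reported as off.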
You could have ssh only available through an authenticated hidden service... and if you are worried about not being able to get back into the vps then you could make ssh also available via knockknock: http://www.thoughtcrime.org/software/knockknock/
On Wed, Feb 5, 2014 at 11:45 AM, I beatthebastards@inbox.com wrote:
This is a good question. Perhaps 'hardening' a server could be addressed on the new web pages. It would seem to be important and pertinent for all who take the plunge and set-up a relay on a virtual private server but who may not know more than that, to secure their servers.
I would be glad to be better informed but so far I have found:-
- use a substantial password or key authentication
- change the port you SSH in to
- don't allow logging in as root
- install DenyHosts and Fail2ban
Robert
Also, if you know how, set the operating system to update automatically to keep it secure.
Robert
Thanks all for the advice!
Things to do:
- I'll be looking to run Moxie Marlinspike's knockknock daemon soon as that seems like a superior solution to port knocking and rate limiting. (big fan of his work on TextSecure and RedPhone!)
- Run OpenSSH as a hiddenservice. This seems obvious now but had not occurred to me.
- Look into Fail2Ban and DenyHosts and implement them.
Done and thank you for the reminders!
- Automated daily updates via emerge
- Server hardening done with hardened-gentoo
- Moved to key auth for ssh
Alan: I'll keep you and the community updated if soyoustart.com (OVH) has any problem with the exit. Beyond forgetting to ban exits to 25 they have not said anything!
Thanks Alan, David and Robert!
Craig
No not just a hidden service but an authenticated hidden service.
Also Knockknock is a port knocker... which uses cryptographic authentication.
Hi Craig,
Fail2Ban, key-only login, firewall, and timely updates will probably cover 99% of your risks (although I'd also suggest disabling / removing any unused services); however, if you want to go further, this is an excellent guide to Linux security: http://crunchbang.org/forums/viewtopic.php?id=24722 .
Cheers,
Dan
Would it be possible for someone to change the captcha images at the URL for getting bridges, without of course lessening their effectiveness? The present ones are pretty much unreadable, to this human at least. - eliaz
The issue is already tracked, see: https://trac.torproject.org/projects/tor/ticket/10809
Just in case: it is not your eyes or brain that are at fault; that is indeed completely unreadable for humans.
And what I can decode from it, those are not 'words', they are groupings of random letters it seems.
There is a ticket open about this though: https://trac.torproject.org/projects/tor/ticket/10809
Thus folks are working on resolving this, though it is a rather hard problem.
Greets, Jeroen