-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Here's the relevant ticket:
https://trac.torproject.org/projects/tor/ticket/13703
A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources.
It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with.
Enjoy, Libertas
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I'm considering opening it with something like:
As a Tor relay operator, you have a responsibility to your users to maintain a secure system. Consider yourself something like a small ISP - - people rely on you for their safety and privacy.
On 11/24/2014 06:09 PM, Libertas wrote:
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Here's the relevant ticket:
https://trac.torproject.org/projects/tor/ticket/13703
A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources.
It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with.
Enjoy, Libertas
_______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
That works too. I was trying to convey a sense of immediate personal responsibility by using the term "your users", but it could be misunderstood.
By the way, what's the policy for having discussions that span multiple mailing list subjects (tor-relays and tor-dev, in this case)? I'm not sure how to best do this without spamming people or fragmenting conversations.
On 11/24/2014 06:22 PM, I wrote:
"..to Tor users and the Tor system"?
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions).
cron-apt is also a viable option for debians.
https://wiki.archlinux.org/ is afaik the best standard repository of all knowledge and wisdom about current linux, always solved my debian-*codename* problems.
On 25 November 2014 at 05:29, Tor Operator tor@ssessess.es wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions).
-- Random
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Thanks for the heads-up about unattended-upgrades, I hadn't heard of that.
And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
On 11/24/2014 11:29 PM, Tor Operator wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Also for protecting SSH SSHGuard is in my opinion a much better choice as it supports IPv6 unlike fail2ban (I heard there were patches for fail2ban to address that but I'm not sure if they are already in mainstream and available in all distributions).
Hi,
On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs:
iptables & ip6tables under linux:
# ssh incoming # bucket: /proc/net/xt_recent/SSH - see for stats # ipv4 iptables -N SSHSCAN iptables -F SSHSCAN
iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN iptables -A SSHSCAN -m recent --set --name SSH --rsource iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: " iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT # ipv6 ip6tables -N SSHSCAN ip6tables -F SSHSCAN
ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT>8080 -m state --state NEW -j SSHSCAN ip6tables -A SSHSCAN -m recent --set --name SSH --rsource ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: " ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
pf under FreeBSD:
block quick from <blacklist> # . # . # . pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-Port flags S/SA keep state \ (max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in "
You can adjust the parameters to control when a host is blacklisted and for how long.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 11/27/2014 07:50 PM, tor@zengers.de wrote:
And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs: ...
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies.
You also reminded me of a big factor I forgot to mention in the doc: firewalls.
Stop
Sent from my iPhone
On Nov 27, 2014, at 8:42 PM, Libertas libertas@mykolab.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 11/27/2014 07:50 PM, tor@zengers.de wrote: And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, specially in regard to the ssh service. You can achieve almost the some behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs: ...
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies.
You also reminded me of a big factor I forgot to mention in the doc: firewalls. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCAAGBQJUd9MUAAoJELxHvGCsI27NlY0P/0MeYML3CCLlF3JHRDVy85CE FjjQlUjIH3wnTGuQJE/ooubWH8KslLhSq2PjBXMgxuObshf9DEHWHy7KNYvAJ+GE 1VMjONDV6uuZILLPur1UxFlSPrB2LfzBJCqLfx/LmtQFPoH3AztJnkyqLZIkVcMs X8IJ4Dv2kvX3q9oIXdqyiTECLSsAZ5GyhOcNPZGLdijaijWL6ajrpq74NE89cjNu TX4d5eR2WSJm18lQ3ViOwh4DmdRA/HeqtH/M3/DsDJvOP4D5lrERrc6ghBShZdsl dKndLPLWFTGGdV4DAbn96FBZQW9q2feRb+DBSdOXPlc8KqOFF2BMrb2a4tWv/szs uiTqsYTDj7TkvOLIR3Y1V1uRm6WvxdU5FKNH7+qouQg8G4hLPrcxmIGOTELDZtzn s30ffOScgM7kn3qb8hbs50peMDb3A67GXgNFnvFSf1eAaWJQdDbzYEfxzBzGvtvb DYCeavXAKC8LsgRIcfjnuhPuTfP0PSKX0RABgPR0hkt3TGsCObMSUETHD1IqRv+1 wWjLf+52Kn9ZwPxPxUt8yngaOZr9iGAKlQJJwoacujAFCjoGR+SflEojFjBcdyVV mZqgyDgSeAhPZyMIY5shY5VJcT7wBbUy8oLSEjdfOxrfUe4dHLPfGvPmv7U2sJQX rVwbNoRfYr2mhgLap7dN =UtrW -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi,
On Thu, Nov 27, 2014 at 08:42:44PM -0500, Libertas wrote:
True, and thanks for the examples. I think the daemons are probably a better move for those who aren't firewall veterans, as everyone else would probably be copy-and-pasting firewall configs like the ones you gave and praying that they worked. The daemons probably also have more nuanced and flexible policies.
yeah you're right about that. But when it comes to security, you should but in the extra effort :-). And I didn't want to say, don't use these daemons. I'm just saying if you have trouble or want a solution without any extra software, the firewalls can do this.
You also reminded me of a big factor I forgot to mention in the doc: firewalls.
Hehe no problem.
Thx for putting up with the effort to create such a doc.
On Mon, Nov 24, 2014 at 11:29 PM, Tor Operator tor@ssessess.es wrote:
On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
Be sure to stay up-to-date using apt-get, and consider using cron-apt to automatically update: https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
Maybe it also worth covering unattended-upgrades package to keep Debian up to date. It requires to run "dpkg-reconfigure unattended-upgrades" after install as it doesn't enable automatic upgrades right away after install and supposedly don't do potentially dangerous operations like kernel upgrades automatically. Using it in production myself, really helps to keep OS up to date.
Agreed, but note that unattended-upgrades does not restart services whose libraries have been upgraded underneath them -- that's rather important for making sure that an OpenSSL patch, for instance, actually gets loaded into the running Tor and SSH daemons. You need 'needrestart' as well (and it, too, has to be configured to do stuff automatically).
zw
On Monday 24 November 2014 18:09:34 Libertas wrote:
Here's the relevant ticket:
https://trac.torproject.org/projects/tor/ticket/13703
A specific topic of conversation is how much of the advice should be in the document itself as opposed to linked sources.
It could also use more OS diversity. After reading it, you can probably guess which *nix flavors I'm familiar with.
Enjoy, Libertas
I would add the following advice:
Don't store identity keys on the hard disk. Keep them offliner. Use a ramdisk for /var/lib/tor/keys/ and copy keys to it via scp before starting your tor instance. Remove it from the ramdisk after startup. So the keys cannot be easily taken during unexpected downtimes.
Regards,
torland
Hi,
On Tue, Nov 25, 2014 at 08:58:04PM +0100, tor-admin@torland.me wrote:
Don't store identity keys on the hard disk. Keep them offliner. Use a ramdisk for /var/lib/tor/keys/ and copy keys to it via scp before starting your tor instance. Remove it from the ramdisk after startup. So the keys cannot be easily taken during unexpected downtimes.
that's a nice idea. But keep in mind that your ramdisk could be offloaded to swap. So make sure your swap is encryted too. Also your keys could still be stolen while the server is running.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/24/2014 4:09 PM, Libertas wrote:
I thought I'd share an initial draft of doc/HARDENING. Please share any opinions or contributions you have. This was written in a little more than an hour, so it's still a work in progress. However, in the spirit of prototyping before polishing, I thought I'd share early.
Thank you for sharing.
There may be mixed opinions about using a resource like this but the NSA's Guide to the Secure Configuration of Red Hat enterprise Linux 5 [0] covers a great deal of areas that can apply to other distros. Much of it appears to be included in the debian documentation (which I believe the .pdf also references).
One might consider fwknop [1] to require single packet authentication (SPA) before the target ssh port is opened for you and and only for a few seconds. Sure, moving your ssh to a non-standard port makes for clean logs but having the port closed to all unless validated through SPA can present a significant hurdle for a more dedicated adversary.
I've heard of a lot of people using fail2ban but not csf [2] however nobody has really weighed in on why. There are ways of integrating fwknop with csf. I'd be happy to share more info by request.
Also let us not forget astandard access restriction layers like tcpwrappers, and pam + /etc/security/access.conf for ssh.
[0] https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf [1] https://www.cipherdyne.org/fwknop/ [2] http://configserver.com/cp/csf.html (http link because of invalid ssl cert)
tor-relays@lists.torproject.org
-
Garrett DeBoer -
I -
Libertas -
Tor Operator -
tor-admin@torland.me -
tor-exit0 -
tor@zengers.de -
usprey -
Zack Weinberg