[tor-bugs] #30445 [Community/Relays]: some suggestions to the tor relay guide
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 9 00:40:10 UTC 2019
#30445: some suggestions to the tor relay guide
-------------------------+----------------------------------
Reporter: caioau | Owner: Nusenu
Type: enhancement | Status: new
Priority: Medium | Component: Community/Relays
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------+----------------------------------
Hello, I have some suggestions, which I applied on my relays, that could be listed in the
relay guide. They are:
1. create a non-root user and add that user to the sudo group: root access should
be disabled over ssh, so we need to create another user, then set
PermitRootLogin no in the sshd_config
2. ssh hardening
2.1 get new ssh host keys:
delete the old keys (we cannot be sure whether new keys were generated, so it's good
to generate new keys)
{{{
sudo -s
cd /etc/ssh
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key
ssh-keygen -t ed25519 -f ssh_host_ed25519_key
}}}
2.2 disable insecure ssh ciphers: openssh uses some insecure ciphers, see
https://stribika.github.io/2015/01/04/secure-secure-shell.html
just put the following lines in the sshd_config
{{{
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}}}
2.3 disable password authentication and only use public key
authentication:
on your machine run:
ssh-keygen -t ed25519 -o -a 300 -f ~/.ssh/key
then copy it to the server:
ssh-copy-id -i ~/.ssh/key user@server
then try logging in with the key (-i points to the key file)
then make sure that the sshd_config has these settings:
{{{
PubkeyAuthentication yes
# keys only: password logins stay off
PasswordAuthentication no
PermitEmptyPasswords no
}}}
2.4 (optional) change the default port, there are a lot of bots trying to
get in, so changing the port makes sense to make their job more difficult
run this to get a random port number:
{{{
python -c 'from random import SystemRandom as r; print(r().randint(49152,65535))'
}}}
then change the Port setting in the sshd_config to it
2.5 limit brute force: you can use fail2ban, but I find it simpler to
use ufw and, instead of allowing ssh, use limit.
3.1 enable swap: sometimes when Linux is out of memory it kills the
tor process, so creating swap prevents that, or even better, use zram.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30445>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
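An added example, not part of the ticket or of the relay guide: a small audit that reads an sshd_config text the way sshd does (first value of a keyword wins, keywords after a Match line are conditional and skipped), checks the settings from sections 1 and 2.3, and reports any KexAlgorithms, Ciphers or MACs outside the section 2.2 lists. The sample config is constructed; like the ticket's 2.3 snippet it still has PasswordAuthentication yes, which the audit reports.

```python
# Sections 1 and 2.3; the ticket's 2.3 snippet says "yes" for password auth, its text says to disable it
EXPECTED = {"permitrootlogin": "no", "pubkeyauthentication": "yes",
            "passwordauthentication": "no", "permitemptypasswords": "no"}
# Algorithm lists from section 2.2; anything outside them is reported
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
def parse_sshd_config(text):
    """Global settings as {keyword_lower: value}; first occurrence wins, as in sshd."""
    settings, in_match = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"; a bare keyword gets an empty value
        key, value = (line.replace("=", " ", 1).split(None, 1) + [""])[:2]
        if key.lower() == "match":
            in_match = True     # everything after a Match line is conditional: skip it
        elif not in_match:
            settings.setdefault(key.lower(), value.strip())
    return settings

def audit(text):
    """Return human-readable findings; an empty list means the config matches."""
    s, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        if s.get(key, "").lower() != want:
            findings.append(f"{key}: is {s.get(key, '<unset>')}, want {want}")
    for key, allowed in ALLOWED.items():
        if key not in s:
            findings.append(f"{key}: not set, so the OpenSSH default list applies")
            continue
        bad = [a for a in s[key].split(",") if a.strip().lower() not in allowed]
        if bad:
            findings.append(f"{key}: outside the recommended list: {','.join(bad)}")
    return findings
SAMPLE = """# constructed sample mirroring the ticket's snippets, including its yes/no slip
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,3des-cbc
Match User backup
    PasswordAuthentication no
"""
```

Running audit(SAMPLE) reports the password setting, the 3des-cbc cipher and the missing MACs line; the PasswordAuthentication no inside the Match block does not count as the global value.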