[tor-relays] Debian relay Puppet module

Zack Weinberg zackw at cmu.edu
Wed Jun 18 14:06:03 UTC 2014 

On Wed, Jun 18, 2014 at 3:01 AM, Alexander Fortin
<alexander.fortin at gmail.com> wrote:
> On 17. Juni 2014 at 23:56:43, Zack Weinberg (zackw at cmu.edu) wrote:
>> It would be nice if exit-relay mode enabled an HTTP "exit notice" as
>> described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
>
> Point 4 says: "If you run your DirPort on port 80”. Should it be enabled only when DirPort = 80?

Best practice as I understand it is that you should have an exit
notice on all exit relays.  What I'm not sure of is whether "DirPort
80 + DirPortFrontPage" is the recommended way to accomplish that.  The
CMU Tor exit uses a separate lighttpd install, I think primarily
because we didn't know about DirPortFrontPage when we set it up.  I
can make a case either way - less software = less attack surface;
separate install = compartmentalization.

As long as we're talking about exits, a nice touch would be to include
the reduced exit policy as an option (
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy );
the ideal would be a three-way choice of not an exit / wide-open exit
/ reduced exit (no email or BitTorrent) plus a place to add local exit
rules.

>> Tor relays get pounded on by the script kiddies -- a degree of
>> hardening is appropriate. I don't know if there are any stock Puppet
>> "tighten security" modules [...]
>
> I don’t know of any such ‘security silver bullet module’ I am afraid :)

I poked around in the Puppet module archive and found some; I'm not
sure how good they are, though.

> About the security enhancements, they are definitely interesting, but to me seems
> they are out of the scope of the ‘install relay’ Puppet module itself, and also against
> the usual modular approach of Puppet modules. First, my understanding is that
> having a node with only Tor running is suggested, but not mandatory, but in any
> case, those enhancements are more suitable for a separate 'tor-security’ like
> module that one may or may not be interested in.

Yeah, I think if I were building this (regrettably, I don't have time
to help more than I already have) there would be a "just install the
software with configuration X" module, and then a "image this entire
machine as a Tor relay" module that set up everything one might want.

zw

More information about the tor-relays mailing list