[tor-relays] Debian relay Puppet module

The Doctor drwho at virtadpt.net
Wed Jun 18 22:36:10 UTC 2014



On 06/17/2014 02:09 PM, Zack Weinberg wrote:

> Tor relays get pounded on by the script kiddies -- a degree of 
> hardening is appropriate.  I don't know if there are any stock
> Puppet "tighten security" modules but these are the things that I
> remember

I don't have any Puppet modules or Chef recipes, but I do have a Git
repo of some basic hardened Ubuntu config files (v12.04 and v14.04)
that might be a good place to start:

https://github.com/virtadpt/ubuntu-hardening

> - install fail2ban and ufw; firewall incoming traffic to ports
> other than 9001, 9030, and 22 (ssh) (I don't think the marginal
> benefit of moving ssh to a nonstandard port is worth the hassle).

I do both on some of my machines and it's helped a lot.  It definitely
cut down on the "portscan the box, resume pounding on SSH like
woodpeckers on meth."

> - install logcheck and nullmailer; set /etc/nullmailer/adminaddr
> and /etc/nullmailer/remotes to values assigned in Puppet
> configuration; symlink /etc/nullmailer/helohost to /etc/hostname.
> (ufw and sshd will emit a great deal of chatter due to people
> knocking on the machine.  I have custom ignore.d.server files to
> shut them up - basically I've set it to mail me only on
> *successful* logins.  Let me know if you want 'em.)

I'm curious; I've never used nullmailer before, though I do use logcheck
pretty heavily.

> - install unattended-upgrades and configure it to auto-upgrade 
> everything.  Unfortunately, the unattended-upgrades documentation
> is at pains to avoid explaining how to do that; this is what I have
> in

`sudo dpkg-reconfigure -plow unattended-upgrades`

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Sometimes the only thing more dangerous than a question is an answer.

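The hardening steps quoted in the thread (ufw/fail2ban, logcheck/nullmailer, unattended-upgrades), written up as an added Puppet manifest that is not part of this thread, the Debian relay module under discussion, or the ubuntu-hardening repo linked above; the open ports, the admin address and the SMTP relay host are assumptions to replace with your own:

```puppet
# Added example (not the author's code): a Puppet 3-era manifest for the hardening
# steps discussed in this thread. Ports and nullmailer values are assumptions.
define relay_hardening::allow_tcp ($port = $title) {   # one idempotent ufw rule
  exec { "ufw-allow-${port}":
    command => "/usr/sbin/ufw allow ${port}/tcp",
    unless  => "/usr/sbin/ufw status | /bin/grep -q '^${port}/tcp'",
    require => Exec['ufw-default-deny'],
    before  => Exec['ufw-enable'],
  }
}
class relay_hardening (
  $open_ports = ['22', '9001', '9030'],     # ssh, ORPort, DirPort (assumed)
  $admin_addr = 'relay-admin@example.org',  # assumed; receives logcheck mail
  $smtp_relay = 'smtp.example.org',         # assumed; outbound mail relay
) {
  package { ['ufw', 'fail2ban', 'logcheck', 'nullmailer', 'unattended-upgrades']:
    ensure => installed,
  }
  # Deny everything inbound except the listed ports, then turn ufw on.
  exec { 'ufw-default-deny':
    command => '/usr/sbin/ufw default deny incoming',
    unless  => '/usr/sbin/ufw status verbose | /bin/grep -q "deny (incoming)"',
    require => Package['ufw'],
  }
  relay_hardening::allow_tcp { $open_ports: }
  exec { 'ufw-enable':
    command => '/usr/sbin/ufw --force enable',
    unless  => '/usr/sbin/ufw status | /bin/grep -q "Status: active"',
  }
  # nullmailer: admin address, relay host, helohost symlinked to /etc/hostname.
  file { '/etc/nullmailer/adminaddr':
    content => "${admin_addr}\n",
    require => Package['nullmailer'],
  }
  file { '/etc/nullmailer/remotes':
    content => "${smtp_relay} smtp\n",
    mode    => '0600',   # may hold relay credentials
    require => Package['nullmailer'],
  }
  file { '/etc/nullmailer/helohost':
    ensure  => link,
    target  => '/etc/hostname',
    require => Package['nullmailer'],
  }
  # Same effect as answering yes to `dpkg-reconfigure -plow unattended-upgrades`.
  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    content => "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n",
    require => Package['unattended-upgrades'],
  }
}
```

The 20auto-upgrades file only turns the daily run on; which packages it is allowed to upgrade is governed by Allowed-Origins in /etc/apt/apt.conf.d/50unattended-upgrades, whose Ubuntu default covers security updates only, so "upgrade everything" needs that list widened as well.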

