[tor-relays] hardening a tor relay

Morgan Smith tor-exit0 at intersafeit.com
Thu May 22 16:08:29 UTC 2014


On 5/21/2014 7:38 PM, Moritz Bartl wrote:
> The problem with selective filters for outgoing traffic is that Tor
> needs to be able to connect to all other Tor relays, some of which use
> non-standard ports. 

One could add a rule to the OUTPUT chain that allows all traffic from
the tor user (or uid). This allows one to maintain non-tor related
outbound rules without interfering with tor itself. On a hypothetical
system where the uid under which tor runs is 501 an iptables rule like
this should work:

iptables -I OUTPUT -p tcp -m owner --uid-owner 501 -j ACCEPT

One resource for ideas on how to harden a system is the NSA. I for one
have referenced these two docs on more than one occasion (clearnet
links) and they can be adopted conceptually into many other distros:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

-- 
Morgan Smith | IntersafeIT
Phone/Fax: +1 (888) 623-7444
morgan at intersafeit.com
www.intersafeit.com   | intersafewhe4eoy.onion
Twitter: @IntersafeIT | GnuPG ID: 9CDD26C7
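The owner-match idea in the reply above, worked into a complete OUTPUT chain as an added example (this is not code from the original post or from the Tor project): outbound traffic is default-drop, the tor uid may open TCP to any port because other relays listen on arbitrary ORPorts, and the remaining allow-list is explicit and logged. The uid 501, the `debian-tor` account name, and the NTP/update allow-list entries are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore
# ruleset for the filter table's OUTPUT chain: default-drop outbound, except
# that whatever runs as the tor uid may reach any relay port. The uid 501 and
# the admin allow-list below are hypothetical placeholders.

# True when $1 is a plain non-negative integer (a numeric uid).
is_uid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Print an iptables-restore fragment for the OUTPUT chain.
# $1 = numeric uid the tor daemon runs as. Returns 1 and prints nothing on a
# bad uid, so a typo can never turn into a rule that matches every packet.
tor_output_rules() {
  uid="$1"
  is_uid "$uid" || return 1
  cat <<EOF
*filter
:OUTPUT DROP [0:0]
# loopback and replies to connections the host already accepted
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the post's rule: the tor uid may open TCP to any port (relays use odd ORPorts)
-A OUTPUT -p tcp -m owner --uid-owner $uid -j ACCEPT
# an exit relay resolves names itself over UDP 53; a TCP-only rule would break that
-A OUTPUT -p udp --dport 53 -m owner --uid-owner $uid -j ACCEPT
# everything else from the host is an explicit allow-list (hypothetical: NTP, root-run updates)
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner 0 -j ACCEPT
# rate-limited log of what gets dropped, so an unexpected process phoning home is visible
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Stand-alone use: generate the rules for uid 501. On a real host you would
# resolve the uid first (e.g. uid=$(id -u debian-tor) on Debian) and load with
#   tor_output_rules "$uid" | iptables-restore
tor_output_rules 501
```

The `owner` match only works in chains that see locally generated packets (OUTPUT and POSTROUTING), which is exactly where this rule belongs; it says nothing about forwarded traffic. Before loading, `tor_output_rules "$uid" | iptables-restore --test` parses the set without committing it, and the LOG line is what makes the default-drop auditable rather than silent.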