[tor-relays] hardening a tor relay

Noilson Caio caiogore at gmail.com
Fri May 23 21:16:56 UTC 2014


Nice thread. In my case (Tor exit node):

Output only secure connections;

ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*

Block all output like HTTP and SMTP in my netfilter (GNU/Linux);

-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
etc ..

I had problems with port scans originating from my output, even without
ExitPolicy accept. Ex.:

Dear Sir/Madam,

We have detected abuse from the IP address MYIPADDRESS, which according to
a whois lookup is on your network. We would appreciate if you would
investigate your logs and take action as appropriate.

Log lines are given below, but please ask if you require any further
information.

(If you are not the correct person to contact about this please accept our
apologies - your e-mail address was extracted from the whois record by an
automated process.)

Regards,

Critical Path, Inc.

Note: Local timezone is +0000 (GMT)
Jan 15 16:03:00 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:07 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:11 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:14 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:17 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:18 65.20.0.47 pop3: Failed password from MYIPADDRESS
******************************
------------------------- END ------------------------------------

To keep me in a comfort zone, I installed OSSEC. OSSEC is an Open Source
Host-based Intrusion Detection System that performs log analysis, file
integrity checking, policy monitoring, rootkit detection, real-time
alerting and active response.

Example of my latest incidents:

OSSEC HIDS Notification.
2014 May 23 11:45:44

Received From: darkstar->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

May 23 12:45:44 darkstar kernel: tor: page allocation failure. order:0, mode:0x20

 --END OF NOTIFICATION

I'm slowly creating rules (regular expressions) for OSSEC for the Tor messages and
treating facilities.

On Thu, May 22, 2014 at 2:31 PM, Paul Staroch <paulchen at rueckgr.at> wrote:

> On 2014-05-22 02:23, Contra Band wrote:
> > # Allow incoming 9050
> > iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
> >
> > # Allow outgoing 9050
> > iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
> >
> > # Allow incoming 9051
> > iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
> >
> > # Allow outgoing 9051
> > iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
>
> Do you actually need remote access to ports 9050 (Socks proxy) and 9051
> (control port)? By default, Tor opens these ports on the loopback interface
> only.
>
>
> Paul



-- 
Noilson Caio Teixeira de Araújo
https://ncaio.wordpress.com
https://br.linkedin.com/in/ncaio
https://twitter.com/noilsoncaio
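As an added example (not code from the post or from the Tor project), a small Python checker that evaluates the ExitPolicy above with Tor's first-match semantics and flags ports the policy advertises as accepted but the netfilter OUTPUT chain drops: a client would pick this exit for that port and its stream would fail, which looks like a broken relay. The torrc and iptables-save snippets inside are constructed from the post, with a DROP for 443 added that is not in the post; torrc entries are assumed space-separated and IPv4.

```python
import ipaddress
import re
# Constructed from the post's ExitPolicy and OUTPUT DROPs; the DROP for 443 is NOT in the post.
TORRC = """\
ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*
"""
IPTABLES_SAVE = """\
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j DROP
"""
ENTRY_RE = re.compile(r"\s*(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)\s*")
DROP_RE = re.compile(r"-A OUTPUT .*--dport (\d+) .*-j DROP")
def parse_exit_policy(torrc_text):
    """Ordered (action, network-or-None, low, high); entries may be comma-separated."""
    rules = []
    for line in torrc_text.splitlines():
        key, _, rest = line.split("#", 1)[0].strip().partition(" ")
        if key != "ExitPolicy":  # skips comments, blanks and e.g. ExitPolicyRejectPrivate
            continue
        for entry in rest.split(","):
            m = ENTRY_RE.fullmatch(entry)
            if not m:
                raise ValueError("unparsable ExitPolicy entry: %r" % entry)
            action, addr, port = m.groups()
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            low, _, high = port.replace("*", "1-65535").partition("-")
            rules.append((action, net, int(low), int(high or low)))
    return rules

def exit_decision(rules, dest_ip, dest_port):
    """Tor takes the first matching rule; None = no match (its default policy applies)."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, low, high in rules:
        if (net is None or ip in net) and low <= dest_port <= high:
            return action
    return None

def netfilter_dropped_ports(save_text):
    """Destination ports DROPped in the OUTPUT chain (iptables-save syntax)."""
    return {int(m.group(1)) for m in map(DROP_RE.search, save_text.splitlines()) if m}

def policy_firewall_conflicts(rules, dropped_ports, probe_ip="192.0.2.1"):
    """Ports advertised as accepted but dropped locally (probe_ip is a TEST-NET address)."""
    return sorted(p for p in dropped_ports if exit_decision(rules, probe_ip, p) == "accept")
```

With the post's own two DROP rules (80 and 110) the check returns an empty list; the constructed 443 DROP is what makes it report a conflict.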