[tor-relays] doc/HARDENING Draft

Zack Weinberg zackw at cmu.edu
Tue Nov 25 16:15:42 UTC 2014


On Mon, Nov 24, 2014 at 11:29 PM, Tor Operator <tor at ssessess.es> wrote:
> On Mon, Nov 24, 2014 at 06:09:34PM -0500, Libertas wrote:
>> Be sure to stay up-to-date using apt-get, and consider using cron-apt to
>> automatically update:
>> https://www.debian.org/doc/manuals/debian-faq/ch-uptodate.en.html
>
> Maybe it is also worth covering the unattended-upgrades package to keep Debian
> up to date. It requires running "dpkg-reconfigure unattended-upgrades" after
> install, as it doesn't enable automatic upgrades right away after install and
> supposedly doesn't do potentially dangerous operations like kernel upgrades
> automatically. I'm using it in production myself; it really helps to keep the
> OS up to date.

Agreed, but note that unattended-upgrades does not restart services
whose libraries have been upgraded underneath them -- that's rather
important for making sure that an OpenSSL patch, for instance,
actually gets loaded into the running Tor and SSH daemons.  You need
'needrestart' as well (and it, too, has to be configured to do stuff
automatically).

zw
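
One way to see the condition described in the reply above, as an added example that is not part of the original message: after a library package is upgraded, a daemon that was not restarted still maps the old file, which /proc/<pid>/maps lists with a "(deleted)" suffix. The function names, PIDs and sample maps lines below are constructed for illustration.

```shell
#!/bin/sh
# Report processes still mapping a shared library whose file was replaced on
# disk; the kernel marks such mappings "(deleted)" in /proc/<pid>/maps.

# stale_libs FILE: print the unique deleted .so paths in a maps-format file.
stale_libs() {
    awk '$NF == "(deleted)" {
             path = $6                      # the path starts at field 6
             for (i = 7; i < NF; i++) path = path " " $i
             if (path ~ /\.so(\.[0-9.]+)?$/) print path
         }' "$1" 2>/dev/null | sort -u
}

# scan_proc [ROOT]: print "pid comm library" for every stale mapping found
# under ROOT (default /proc).
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        stale_libs "$maps" | while IFS= read -r lib; do
            printf '%s %s %s\n' "${dir##*/}" "$comm" "$lib"
        done
    done
}

# demo: constructed fake /proc tree. PID 4242 still maps the pre-upgrade
# libssl; PID 4300 only has a deleted shm file, which is not a library.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/4242" "$t/4300" || return 1
    echo tor > "$t/4242/comm"
    echo cron > "$t/4300/comm"
    cat > "$t/4242/maps" <<'EOF'
7f10a0000000-7f10a0060000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0260000-7f10a0264000 rw-p 00060000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a1000000-7f10a11a0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat > "$t/4300/maps" <<'EOF'
7f20b0000000-7f20b01a0000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.19.so
7f20b0400000-7f20b0401000 rw-s 00000000 00:05 12 /dev/shm/cache (deleted)
EOF
    scan_proc "$t"
    rm -rf "$t"
}

# Default: run on the constructed sample. Use --live (as root) for the real /proc.
if [ "${1:-}" = "--live" ]; then scan_proc /proc; else demo; fi
```

Any line this prints names a process that has to be restarted before the upgraded library is actually in use.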

