[tor-relays] Relay operators: help improve this hardening document?

when2plus2is5 at riseup.net when2plus2is5 at riseup.net
Fri Feb 6 16:08:47 UTC 2015


Hi,

Many of you are advanced *nix users. Some of us aren't. So first I'd 
like to thank mmcc for writing the document.

I've spent weeks bungling around trying to figure out how to manage my 
several exit relays in the most responsible manner.

I've managed to create a reasonably interesting install and setup script 
to deal with the initial configuration, locking down certain things - 
the most basic of OPSEC.

I'm not an expert. I've been biding my time, learning as much as I can 
when I can. But I have a full time job, and a pregnant wife!

Iptables is an advanced firewall. Iptables is a pain in the ass for new 
users to expertly configure. Basic settings aren't difficult, but I 
don't want basic. I've given up trying to manually write Iptables 
settings because I never felt secure enough (due to my ignorance). For
now I use ufw; open specific ports to tcp traffic, and default deny - 
and I'm not happy about it.
I would love a detailed example of iptables rules for reduced exit 
relays, and middle relays - because no, I don't fully understand the ins
and outs of every possible scenario. A half ass firewall is barely any 
better than no firewall, in my opinion.
I want to *know* what I tell iptables to do, and not rely on ufw to take 
care of me. I don't want to believe I've set up a good firewall, I want
to KNOW I've set up the strongest I can!

I want to know Tor Best OPSEC Practices, because generic *nix Best 
Practices don't always match, and the considerations *are* different. I 
want to know what services I can disable in Debian, specific to Tor, 
because I don't know the Linux subsystem well enough.

I want to make sure my relays are the best I can make them, the most 
secure I can make them, to ensure I provide the community the best I 
can. But I'm not an expert - barely a novice. I'm a guy with a heart 
that believes in free speech and privacy. I'm not a security guru 
(yet...).

My personal opinion is the Tor community should be a champion of OPSEC 
period, for everyone. But that is me. Anonymity, privacy, and security 
go hand in hand. The Tor community has some real experts in this field, 
and a little contribution would do a world of help. Yes, links to
well-written articles are perfectly adequate - you don't need to re-invent the
wheel, but a central source of awesome material would be fantastic! Both 
for end-users, and relay operators!

And besides, who doesn't like a good community-derived checklist to
ensure relative consistency between relay configurations? :)

None of this constitutes "general computer training." The issues, though 
many, are quite specific.

Please remember, we're all trying to do the best we can - but we're not 
all at your level. Some of us are quite busy in real life, and don't 
have the time to learn EVERYTHING, though I admit that begrudgingly. 
Being an autodidact, it is incredibly frustrating that I don't know
everything about a topic that interests me.

My 2 cents. This email was intended to be short, but it blew up. So, I 
apologize.



Kind regards,

Matt
Speak Freely


