[tor-relays] 7 relays gone because of spammers

Fri Feb 27 15:12:55 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I'm not a big fan of adding more complexity to "impove" security.

With fail2ban [1] you run the risk of, for example, someone
bruteforcing your ssh from every exit node they can find, then your
relay blocking those exits meaning there are certain circuits that
you're stopping clients from making.
Instead of fail2ban I recommend using a non-standard port for SSH
defeat the majority of bruteforce attempts, this will stop pretty much
all the bad ssh traffic you're seeing, most of it is botnets and
they're not very smart and won't waste time, they're looking for the
low-hanging fruit (I don't have to outrun the bear, just you).

rkhunter has had a few vulns [2][3] that allowed privesc (lets use
predictable filenames in /tmp!) and we all know that signature based
detection is terrible anyway.

clamav has a track record [4] that should make you instantly just
throw it on the fire too! If you think the data might be evil *don't*
try and use your home-rolled parser to try and do in-depth analysis of
it automatically!

Keep it simple, have a restricted inbound port policy, if you can use
a hardened kernel with grsec/pax and apparmor (or your prefered MAC)
profiles to help compartment and reduce the pivot room for any
potential exploit if it is successful.

Also, use key auth and deny password logins for your ssh, if possible.
I'd recommend that you don't use DSA or ECDSA though, if you're on a
modern openssh then ed25519 is fine otherwise use the tried-and-true RSA.

[1] -
http://www.osvdb.org/search/search?search[vuln_title]=fail2ban&search[text_type]=titles&search[refid]=&search[referencetypes]=&kthx=search
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1270
[3] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4982
[4] -
http://www.osvdb.org/search/search?search[vuln_title]=clamav&search[text_type]=titles&search[refid]=&search[referencetypes]=&kthx=search

Speak Freely:
> Hi ZEROF,
> 
> I had fail2ban, harden (which includes tiger, tripwire, logcheck,
> plus MANY others), all the fancy log checkers, rkhunter and
> clamav, unattended-upgrades, and had all logs emailed to me on a
> daily basis. It was tedious to go through, but I was trying to do
> my due diligence.
> 
> I disabled root login, changed ssh port (security through obscurity
> - damn right, but I kept it in the privileged range.) 
> ------------------- Each password was a minimum of 32 characters,
> alphanumeric plus symbols. No two passwords were alike, or remotely
> similar. (No, I didn't use keys :@)
> 
> I checked "how secure is my password", and this is the result: It
> would take a desktop PC about 21 quattuordecillion years to crack
> your password
> 
> I had to look quattuordecillion up, as my spell checker doesn't
> know what it means. In the US, it means 1, followed up 45 zeros. 
> (In the UK it is 10^84, but I believe the website is American so
> I'm sticking with ^45) --------------- I disabled as many services
> as I could reasonably tolerate. I removed world rights to as much
> as I could think. I did everything I could think of to make each
> VPS effectively useless except for running a Tor relay.
> 
> My firewall matched my Reduced Exit Policy, plus my "secret" ssh
> port.
> 
> ---- I never thought about the honey-pot... That's a good one.
> 
> 
> Speak Freely _______________________________________________ 
> tor-relays mailing list tor-relays at lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU8IlxAAoJEFmpmcH7mQWjgVsH/Rrd5rYviojTYCIPJBG2jmGn
sCqCyWukF0qx2QLblebUKpQjJWYmqKfSDWrgdVkNfBqQrWicFHPOz9X4uzK32H5w
3tyLl7eRWO1zC5I+xrLp/nSlYpBT+adlefzhJfG6p6cnu25VGGwSN4k6amx63BPs
vtAGH50/skF9Oz99oSSSP/fTvUKwEobUyMWKoUvposL20E91tznPa62Xx79Idp7S
mYDZOK+llKoCQYuRrMtqkq0n9xnS4jik5FD6g4cWKhLNZxVN6wa+iY6DTPHNS/iJ
SOLcStQaBVuoQN4hhFB8VynReaT0EdjFpn1YXGNBruL92vZE6HjY9+66l3Dx5Rk=
=HU65
-----END PGP SIGNATURE-----