[tor-talk] Automatic vulnerability scanning of Tor Network?

Tue Dec 20 22:07:18 UTC 2011

On 12/20/11 8:06 PM, Nick Mathewson wrote:
> On Tue, Dec 20, 2011 at 1:35 PM, Fabio Pietrosanti (naif)
> <lists at infosecurity.ch> wrote:
> 
>>> Absolutely brilliant.  Someone donates to your cause and, if they
>>> don't come up to your standards, you do your best to ensure they get
>>> pwned instead of just dropping them from the donor list.
>>
>> If you want to participate to the Tor Network you must responsible, that
>> means also keeping your system secure.
> 
> When I read Lee's above paragraph, I worry Lee might have gotten the
> idea that Fabio is speaking for Tor in some official capacity.  So:
> Please be aware that Fabio is speaking for himself, and does not speak
> on behalf of the Tor Project.
> 
> For my own part, I am perfectly fine with the idea of working *with*
> server operators to help them secure their systems, and with making
> sure that only secure systems are on the network.  But efforts in this
> area need to work with the foreknowledge and consent of node
> operators, and not alienate our volunteer community.  Also, the
> appropriate response to horribly insecure servers on the network would
> be to inform the operators and de-list the servers if they didn't get
> fixed--not to publicly post them but leave them on the network.  That
> would be the worst of all worlds.

Well it sounds reasonable not to publish the results.

At the same time having a Metasploit auto-pown module that try to
exploit the machine to trigger automatic-update would also be a cool
idea! (i'm joking :P).

I mean, it doesn't sounds to me a so strong "tabu'" to portscan all the
Tor servers.

I agree that's a problem when portscan get out from your tor exit node
and you got a server-takedown from the isp (it happened to me!).

But don't see big problem in receiving a portscan / app fingerprinting /
vulnerability scanning on my node (as long as it doesn't effectively
impact the performance of my node), if this could be helpful in letting
eventually unsecure nodes to get notice about their vulnerabilities.

It would be also nice for example to create a sort of "Best Practice"
for the Firewall ports that a Tor Exit node can have opened respect to
the world (other than Tor-related ports).

For example, in the nmap output of portscan of all tor exit, there are
hosts on the internet with Unix RPC services, Microsoft SMB, SQL Server,
Mysql, etc.

If you would setup and manage a networks (of routers), would you want
your to run SQL Servers or NFS on your routers?

Probably you would like to have your routers very well hardened, doing
their routing job and eventually few other facilities that cannot impact
the main functionality security and stability.

Also i understand that a lot of people would run Tor on the server they
have, doing "multi-purposes" activities, and that's good.
But i also understand that if we would analytically see different risks
context and the likelihood of a compromission of a Tor router, we would
agree that servers with a lot of internet-exposed services are more at risk.

It would be very cool if all Tor Routers would portscan each others and,
depending on the amount of non-tor related port open, would provide a
"security rating".

The security rating could also be measured depending on the version of
Tor used, if it's up-to-date and there are no "security bugs" in the
running version.

That way the would be some objective evaluation, following a compliance
with a "Best Practice", of which is a Secure Tor Router and which one is
not.

A user may decide to only use as entry and exit-nodes, tor routers that
have a high "security rating" level.

However those are just a set of sparse ideas by writing while thinking.

-naif