
Re: [tor-bugs] #13703 [Tor]: Adding doc/HARDENING



#13703: Adding doc/HARDENING
-------------------------+-------------------------------------------------
     Reporter:  mmcc     |      Owner:
         Type:           |     Status:  new
  enhancement            |  Milestone:  Tor: 0.2.???
     Priority:  normal   |    Version:  Tor: unspecified
    Component:  Tor      |   Keywords:  hardening, security, opsec, docs
   Resolution:           |  026-deferrable lorax
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by starlight):

 Here's an idea for the advanced/intense subset of hardening.
 Unrealistic to expect everyone to do this but it ought to be
 listed as an option to remind those who are able and inclined.
 This type of hardening might especially be applied to servers
 running hidden services.

 When a tor relay will run on dedicated hardware in a colocation
 facility (or perhaps even in one's basement), one should

 a) apply strong passwords to both admin and user BIOS access
 b) apply strong passwords to the IPMI/BMC
 c) minimize IPMI/BMC features, especially disabling HTTP, HTTPS,
 telnet, etc. management in favor of SSH and the IPMI protocol
 d) enable chassis intrusion detection; configure an alarm if possible,
 and possibly have the system wipe memory and power down immediately
 e) if possible, disable chassis-external USB ports in the BIOS
 f) alternately, disconnect mainboard-to-chassis USB cables, or
 perhaps cut USB port leads where USB connectors are mounted
 on the mainboard
 g) severely restrict USB hotplug devices via 'udev' rules
 h) set /proc/sys/kernel/modules_disabled after reboots complete
 (make sure all required modules are loaded first)
 i) likewise, disable any other transports such as Firewire

 The essential idea here is hardening against a variety of
 physical proximity attacks.  I'm sure more possibilities
 exist here, but this is what came off the top of my head.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13703#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
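The three software-side items in the comment above, g) udev hotplug restriction, h) locking module loading once boot is complete and i) refusing the FireWire transport, as an added worked example. This is not code from the ticket or from the Tor project; it only generates the config files and writes nothing unless invoked with --install. The file paths, the unit name lock-modules.service, the example USB allow-list and the module list are assumptions chosen for illustration and must be adapted to the real box.

```shell
#!/bin/sh
# Added example, not part of ticket #13703 or of Tor: generators for the
# udev rule, modules-load.d list, modprobe blacklist and systemd unit that
# implement items g), h) and i). Paths and names below are assumptions.
set -u

# g) Newly attached USB devices start unauthorized (the kernel never
#    configures them) and only allow-listed vendor:product pairs get
#    re-authorized. The authorized_default attribute lives on the root
#    hubs, whose kernel names are usbN, hence the KERNEL match.
usb_hotplug_rules() {           # $1: space-separated "vvvv:pppp" pairs
    printf '# Hot-plugged USB devices stay unconfigured unless allow-listed\n'
    printf 'ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"\n'
    for pair in $1; do
        vid=${pair%%:*}; pid=${pair#*:}
        printf 'ACTION=="add", SUBSYSTEM=="usb", DEVTYPE=="usb_device", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="1"\n' "$vid" "$pid"
    done
}

# h) modules_disabled=1 is one-way until reboot, so every module the relay
#    needs is pinned in modules-load.d and the sysctl is flipped only after
#    systemd-modules-load.service and the network are up.
modules_preload_conf() {        # $1: space-separated module names
    for m in $1; do printf '%s\n' "$m"; done
}

lock_modules_unit() {
    cat <<'EOF'
[Unit]
Description=Disable kernel module loading once required modules are in
After=systemd-modules-load.service network.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo 1 > /proc/sys/kernel/modules_disabled'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
}

# i) Refuse to load the old and new FireWire stacks (and Thunderbolt, the
#    other common external DMA transport); "install ... /bin/false" makes
#    any modprobe of them fail during the window before modules_disabled.
dma_transport_blacklist() {
    for m in firewire-core firewire-ohci firewire-sbp2 ohci1394 sbp2 thunderbolt; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Needs root. Only runs when the script is invoked with --install.
install_all() {
    usb_hotplug_rules "$USB_ALLOW"      >/etc/udev/rules.d/99-usb-allowlist.rules
    modules_preload_conf "$KEEP_MODULES" >/etc/modules-load.d/relay.conf
    dma_transport_blacklist             >/etc/modprobe.d/no-firewire.conf
    lock_modules_unit                   >/etc/systemd/system/lock-modules.service
    udevadm control --reload-rules
    systemctl daemon-reload && systemctl enable lock-modules.service
}

USB_ALLOW="046d:c31c"                 # assumption: one console keyboard
KEEP_MODULES="e1000e nf_conntrack"    # assumption: take the list from lsmod on the real host

if [ "${1-}" = "--install" ]; then install_all; fi
```

Two caveats the comment's wording implies. Devices already attached at boot are enumerated before udev applies these rules, so they remain authorized; the kernel parameter usbcore.authorized_default=0 closes that gap if the relay must also distrust what is plugged in at power-on. And modules that are normally autoloaded on demand (netfilter helpers, tun, filesystem drivers) will silently fail to load after lock-modules.service has run, so compare lsmod after a full day of normal operation against the modules-load.d list before enabling the unit.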