[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Ports required for Tor and hidden services

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Ports required for Tor and hidden services
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Mon, 27 Jan 2020 18:17:11 -0700
Autocrypt: addr=mirimir@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsBNBFEN49cBCADWl1VZKYO8L+f/65G2nBWzh41VTAZDcJSxMWXrBSvpJzzLt6sJf0L0Rjmy W4VPxJMCm/32auRAp8Xx1iNmBpvYENSM1YJVWfk43tlSOY8CR3TVODMxWPhUu48Pb9OKSntz WHGwdZmOr14zF9vr4PaS9A6+Hyt9FPKuGcQFw7K8jK1Hpp5XgdY/DMHKeaJykJ8JH1HBTFTT OJdxIWu6cZ+spNaNfKdnNjk98hMPw69isVGzcm7b3lJUsjVnMSqnrtZ8CSIv1njyxJH7NB5n LzrE7EiXR37k+4Poc9/DeLSAKrq5N3ZMpX1EDOoXFa8lLVGWHBTwVN/tl7FLM0NmVuL5ABEB AAHNHG1pcmltaXIgPG1pcmltaXJAcmlzZXVwLm5ldD7CwIEEEwECACsCGyMGCwkIBwMCBhUI AgkKCwQWAgMBAh4BAheAAhkBBQJafNQ7BQkNMVdkAAoJEGINZVEXwuQ+5LoIAKyZQDkNqj+Y E26o1bdEQlmOLhhXev45euNCnaFrnbOyKLivHdF4vvXyWBTzJmCsoRxTJ0A3Zmwa3ZihbKaU FCAdRgspLfA+TGICVYOztB+faWV18k5OTCk7ZiBQ/mOMQA4p3RPOV+UCgdelvZRHrFdUgHro dho/FqZhRoPdsPPB08QBisDO7SfFMMe9U9EZ03n4f2TvMgaTjK/kZCopwgLj2nB11SnCYfWJ jxUFDs+VFObf/jSK8T0SX9O6p430NWZm30vutUVac9lfodMjBcJqTnFxmZrwQomlCYGvSqNw 4Xy5+/gBzv/flXHngQSU053smHRtrMlGK5OU1RSixDfOwE0EUQ3j1wEIAMDcexhcaIO5jpl+ SHM14zuBvF2QG61IpH4Lag6nQmSMTljizuJg2kLaLbfc69AxmjuL5obqYi5ywXn4kQKqiwfa OHvVlKn662/J5YgXuc8tRLyqvgb+hibtAnlhWAuusP0eoQQP6SAASRjtrb8RVapTzJXy2Snf PtkcdtkTLLLcyeGoDOkpPkspnnp8avvI9ayzhGFLg9qNWaIuBMudxT6oHK4rZH+Sv6km9viI /ziV6E8Z+PpvMsGdebeYBLQA7ueuTbyOGbDyProwvocrKynI/UM40VYS8bS1PjWtljUlj7Vx 8C/746hnfdge0m24jnaWfu5UDjwpsHzs/JXqklsAEQEAAcLAZQQYAQIADwIbDAUCWnzURgUJ DTFXbwAKCRBiDWVRF8LkPsCjCACNvnnmpcDwEbtXUFZD/+ewNlPfM9o0mIXgi7DIVR9MVCw/ u14+mJUlQny4jPRV+hv/erjbiqEcVPZ296J3I4kUvO4slI+ZyODsRQSzwMz6ihwC6nN1xove YSBzVKKQrV+FDHVk6dJVLtgPdewOR9ZAar7mEbCLTJZ/e5aVb+NrlC1jWx3V3mMGCKOsEHhu 97cu3AswlxhzqPjczTo3rjtcfxdjeGU6mIEEAlhUlVDdfbGLODIyCXrP39zYxYXFFpVcbGAu +cndl1AQkIXUiMoJuzTMU8TQ+zz8yLof9fB7Y8O8VbmZBPQqN2IiHPeGbfqZjk/uHjJQUayI +beL0kxL
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 27 Jan 2020 20:17:30 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1580174236; bh=CYMGZBHRAz/BTMxcqyiLXLJkb3vVG45Gmi7WVfSrdFg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=noicE/+CDrznNlDHOMpIziFbJrTbHvPgFocHrQoUXrW7VSfexCtAq9mOtrL1/ItE1 hVBInyOp7Jr4rb3FQK2brokpS0CZibFdCe+X7eLtKu2VclhMcQgGJE5ir8B5GqqpF6 +oVhZdZw3nh2zWNdb2njD1tU5/nWuPHn41WL1CKI=
In-reply-to: <5E2E7AD4.4010706@copper.net>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
References: <192279a3245791e32d54d711e933483d@waifu.club> <87muael7d3.fsf@riseup.net> <c7aa208378e43ee6790a4db3c8788f93@waifu.club> <20200124141907.GA15263@inner.h.apk.li> <b38c79d060288065d6b1451f23a10de7@waifu.club> <5E2E7AD4.4010706@copper.net>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 01/26/2020 10:53 PM, Jim wrote:
> Forst wrote:
>> In that case, what would be best approach to achieve that all traffic
>> is forced though Tor and direct internet connection blocked,
>> preferably even if/when the system is breached?
> 
> Roger gave a good reply for the case where the system is not breached.
> But if your firewall is on the same system as the hidden service and an
> attacker gets root then nothing can save you since the attacker could
> alter the firewall at will.  The only exception I can think of is
> SELinux *might* provide a mechanism to prevent this but I am not
> familiar with it.
> 
> Jim

If you're that paranoid, you can use the Whonix model. Basically, run
the Tor process and firewall on one machine, with requisite ports
exposed on an isolated LAN. And run the web server on another machine,
connected via that LAN. So nothing on that machine can see the Internet,
except through Tor.

If you control physical access, it's most secure for those to be
separate hardware. Otherwise, you can use KVM VMs. You can even run KVM
VMs on some KVM VPS, although it's a little sluggish.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Ports required for Tor and hidden services
  - From: Forst
- Re: [tor-talk] Ports required for Tor and hidden services
  - From: George Kadianakis
- Re: [tor-talk] Ports required for Tor and hidden services
  - From: Forst
- Re: [tor-talk] Ports required for Tor and hidden services
  - From: Andreas Krey
- Re: [tor-talk] Ports required for Tor and hidden services
  - From: Forst
- Re: [tor-talk] Ports required for Tor and hidden services
  - From: Jim

Prev by Author: [tor-talk] Are "StrictNodes 1" actually strict?
Next by Author: [tor-talk] restricting output to the tor process, when using Tor browser
Previous by thread: Re: [tor-talk] Ports required for Tor and hidden services
Next by thread: Re: [tor-talk] Ports required for Tor and hidden services
Index(es):
- Author
- Thread