Re: [tor-bugs] #13703 [Tor]: Adding doc/HARDENING
#13703: Adding doc/HARDENING
-------------------------+-------------------------------------------------
Reporter: mmcc           | Owner:
Type: enhancement        | Status: new
Priority: normal         | Milestone: Tor: 0.2.???
Component: Tor           | Version: Tor: unspecified
Resolution:              | Keywords: hardening, security, opsec, docs
                         |           026-deferrable lorax
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------
Comment (by starlight):
Here's an idea for the advanced/intense subset of hardening.
Unrealistic to expect everyone to do this but it ought to be
listed as an option to remind those who are able and inclined.
This type of hardening might especially be applied to servers
running hidden services.
When a tor relay will run on dedicated hardware in a colocation
facility (or perhaps even in one's basement), one should:
a) apply strong passwords to both admin and user BIOS access
b) apply strong passwords to the IPMI/BMC
c) minimize IPMI/BMC features, especially disabling HTTP, HTTPS,
telnet, etc. management in favor of SSH and the IPMI protocol
d) enable chassis intrusion detection; configure an alarm if possible,
possibly have the system wipe memory and power down immediately
e) if possible, disable chassis-external USB ports in the BIOS
f) alternately, disconnect mainboard-to-chassis USB cables;
perhaps cut USB port leads where USB connectors are mounted
on the mainboard
g) severely restrict USB hotplug devices via 'udev' rules
h) set /proc/sys/kernel/modules_disabled after reboots complete
(make sure all required modules are loaded first)
i) likewise, disable any other transports such as Firewire
The essential idea here is hardening against a variety of
physical proximity attacks. I'm sure more possibilities
exist here, but this is what came off the top of my head.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13703#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
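The following script is an added example, not part of starlight's comment or of any Tor project code. It turns items g), h) and i) of the list above into concrete configuration: a udev allowlist that deauthorizes every newly attached USB device unless its vendor:product pair is listed, a guarded emitter for the one-way kernel.modules_disabled sysctl that refuses to fire until the required modules are resident, and modprobe "install" overrides for the FireWire stack. The vendor/product IDs, the file paths named in comments, and the sample module list are placeholders constructed for the example; on a real host you would pass /proc/modules and your own device IDs. The udev rule assumes root hubs can be matched by the Linux Foundation vendor ID 1d6b, which is where the authorized_default attribute lives.

```shell
#!/bin/sh
# Added example (not from the ticket or the Tor project): config fragments
# for items g), h) and i), generated from constructed input so the script
# runs unprivileged. Vendor/product IDs, paths and the sample module list
# are placeholders; on a real host feed /proc/modules and your own IDs.
set -eu

# Constructed stand-in for /proc/modules (name, size, refcount, users, state, addr).
SAMPLE_MODULES=$(mktemp)
trap 'rm -f "$SAMPLE_MODULES"' EXIT
cat >"$SAMPLE_MODULES" <<'EOF'
nf_conntrack 172032 2 nft_ct,nf_nat, Live 0xffffffffc0a00000
ext4 770048 1 - Live 0xffffffffc0900000
usbhid 65536 0 - Live 0xffffffffc0800000
EOF

# g) udev rules: every newly attached USB device starts deauthorized, then
# only the vendor:product pairs read from stdin (one per line) are
# authorized. authorized_default is an attribute of the root hub;
# assumption: root hubs are matched by the Linux Foundation vendor ID 1d6b.
usb_udev_rules() {
    printf '%s\n' \
        '# /etc/udev/rules.d/10-usb-allowlist.rules (assumed path)' \
        'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1d6b", ATTR{authorized_default}="0"'
    while IFS=: read -r vendor product; do
        [ -n "$vendor" ] && [ -n "$product" ] || continue
        printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="1"\n' \
            "$vendor" "$product"
    done
}

# h) kernel.modules_disabled is one-way: once set, nothing loads until
# reboot. Refuse unless every required module is already resident.
# $1 is a /proc/modules-format file, the rest are module names (dashes
# are normalised to underscores, which is how /proc/modules spells them).
modules_ready() {
    modlist=$1
    shift
    for mod in "$@"; do
        mod=$(printf '%s' "$mod" | tr - _)
        if ! grep -q "^$mod " "$modlist"; then
            echo "modules_ready: $mod is not loaded" >&2
            return 1
        fi
    done
    return 0
}

# Emit the sysctl line only when modules_ready passes. Apply it from a
# late-boot oneshot (e.g. a systemd unit ordered after the network and tor),
# not from /etc/sysctl.d, which is processed before on-demand modules load.
lock_modules_sysctl() {
    modules_ready "$@" || return 1
    printf 'kernel.modules_disabled = 1\n'
}

# i) Block the FireWire stack with modprobe "install" overrides, so even an
# explicit modprobe fails ("blacklist" alone only stops autoloading).
firewire_modprobe_conf() {
    echo '# /etc/modprobe.d/no-firewire.conf (assumed path)'
    for m in firewire-core firewire-ohci firewire-sbp2; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Demonstration on the constructed inputs (IDs are placeholders).
printf '0951:1666\n1050:0407\n' | usb_udev_rules
firewire_modprobe_conf
if lock_modules_sysctl "$SAMPLE_MODULES" nf_conntrack ext4 usbhid; then
    :   # all present: the sysctl line was printed above
fi
# A missing module must block the lockdown rather than half-apply it.
if lock_modules_sysctl "$SAMPLE_MODULES" ext4 nft_compat 2>/dev/null; then
    echo "unexpected: lockdown emitted with a module missing" >&2
    exit 1
fi
```

The same deny-by-default posture can be set earlier than udev with the usbcore.authorized_default=0 kernel command-line parameter, which covers devices present at boot before udev runs; the allowlist rules then authorize the keyboard or token you actually need. Note that with modules_disabled=1 a forgotten module (netfilter match extensions are the usual casualty) cannot be loaded without a reboot, which is why the emitter checks the module list first.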