Re: [tor-relays] Relay operators: help improve this hardening document?
Hi,
Many of you are advanced *nix users. Some of us aren't. So first I'd
like to thank mmcc for writing the document.
I've spent weeks bungling around trying to figure out how to manage my
several exit relays in the most responsible manner.
I've managed to create a reasonably interesting install and setup script
to deal with the initial configuration, locking down certain things -
the most basic of OPSEC.
I'm not an expert. I've been biding my time, learning as much as I can
when I can. But I have a full time job, and a pregnant wife!
Iptables is an advanced firewall. Iptables is a pain in the ass for new
users to expertly configure. Basic settings aren't difficult, but I
don't want basic. I've given up trying to manually write Iptables
settings because I never felt secure enough (due to my ignorance). For
now I use ufw; open specific ports to tcp traffic, and default deny -
and I'm not happy about it.
I would love a detailed example of iptables rules for reduced exit
relays, and middle relays - because no, I don't fully understand the ins
and outs of every possible scenario. A half-assed firewall is barely any
better than no firewall, in my opinion.
I want to *know* what I tell iptables to do, and not rely on ufw to take
care of me. I don't want to believe I've set up a good firewall, I want
to KNOW I've set up the strongest I can!
I want to know Tor Best OPSEC Practices, because generic *nix Best
Practices don't always match, and the considerations *are* different. I
want to know what services I can disable in Debian, specific to Tor,
because I don't know the Linux subsystem well enough.
I want to make sure my relays are the best I can make them, the most
secure I can make them, to ensure I provide the community the best I
can. But I'm not an expert - barely a novice. I'm a guy with a heart
that believes in free speech and privacy. I'm not a security guru
(yet...).
My personal opinion is the Tor community should be a champion of OPSEC
period, for everyone. But that is me. Anonymity, privacy, and security
go hand in hand. The Tor community has some real experts in this field,
and a little contribution would do a world of help. Yes, links to
well-written articles are perfectly adequate - you don't need to re-invent the
wheel, but a central source of awesome material would be fantastic! Both
for end-users, and relay operators!
And besides, who doesn't like a good community-derived checklist to
ensure relative consistency between relay configurations? :)
None of this constitutes "general computer training." The issues, though
many, are quite specific.
Please remember, we're all trying to do the best we can - but we're not
all at your level. Some of us are quite busy in real life, and don't
have the time to learn EVERYTHING, though I admit that begrudgingly.
Being an autodidact, it is incredibly frustrating that I don't know
everything about a topic that interests me.
My 2 cents. This email was intended to be short, but it blew up. So, I
apologize.
Kind regards,
Matt
Speak Freely