
Re: [tor-relays] Relay operators: help improve this hardening document?



Hi,

Many of you are advanced *nix users. Some of us aren't. So first I'd like to thank mmcc for writing the document.

I've spent weeks bungling around trying to figure out how to manage my several exit relays in the most responsible manner.

I've managed to create a reasonably interesting install and setup script to deal with the initial configuration, locking down certain things - the most basic of OPSEC.

I'm not an expert. I've been biding my time, learning as much as I can when I can. But I have a full-time job, and a pregnant wife!

Iptables is an advanced firewall. Iptables is a pain in the ass for new users to expertly configure. Basic settings aren't difficult, but I don't want basic. I've given up trying to manually write Iptables settings because I never felt secure enough (due to my ignorance). For now I use ufw; open specific ports to TCP traffic, and default deny - and I'm not happy about it. I would love a detailed example of iptables rules for reduced exit relays, and middle relays - because no, I don't fully understand the ins and outs of every possible scenario. A half-assed firewall is barely any better than no firewall, in my opinion. I want to *know* what I tell iptables to do, and not rely on ufw to take care of me. I don't want to believe I've set up a good firewall, I want to KNOW I've set up the strongest I can!

I want to know Tor Best OPSEC Practices, because generic *nix Best Practices don't always match, and the considerations *are* different. I want to know what services I can disable in Debian, specific to Tor, because I don't know the Linux subsystem well enough.

I want to make sure my relays are the best I can make them, the most secure I can make them, to ensure I provide the community the best I can. But I'm not an expert - barely a novice. I'm a guy with a heart that believes in free speech and privacy. I'm not a security guru (yet...).

My personal opinion is the Tor community should be a champion of OPSEC, period, for everyone. But that is me. Anonymity, privacy, and security go hand in hand. The Tor community has some real experts in this field, and a little contribution would do a world of help. Yes, links to well-written articles are perfectly adequate - you don't need to re-invent the wheel, but a central source of awesome material would be fantastic! Both for end-users, and relay operators!

And besides, who doesn't like a good community-derived checklist to ensure relative consistency between relay configurations? :)

None of this constitutes "general computer training." The issues, though many, are quite specific.

Please remember, we're all trying to do the best we can - but we're not all at your level. Some of us are quite busy in real life, and don't have the time to learn EVERYTHING, though I admit that begrudgingly. Being an autodidact, it is incredibly frustrating that I don't know everything about a topic that interests me.

My 2 cents. This email was intended to be short, but it blew up. So, I apologize.



Kind regards,

Matt
Speak Freely

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays