
Re: [tor-relays] Debian relay Puppet module



On 17 June 2014 at 23:56:43, Zack Weinberg (zackw@xxxxxxx) wrote:
> Why do you disable directory mirroring? It's my understanding that
> this should basically always be on.

Not sure why, I think at the beginning I wanted to use the "minimal" config, and I didn't even know about directory services, but please keep in mind I'm still missing the big Tor picture and many things are new to me.
That's actually one of the reasons for this thread: if you think such and such configuration should be defaulted, or available as a custom parameter, well, please say so :)

> It would be nice if exit-relay mode enabled an HTTP "exit notice" as
> described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.

Point 4 says: "If you run your DirPort on port 80". Should it be enabled only when DirPort = 80?

> Tor relays get pounded on by the script kiddies -- a degree of
> hardening is appropriate. I don't know if there are any stock Puppet
> "tighten security" modules but these are the things that I remember
> having done to mine. Note that my relays serve no other traffic and
> have no non-root user accounts; some of these configuration choices
> may be inappropriate for multi-use machines.

I don't know of any such "security silver bullet module", I am afraid :)

About the security enhancements, they are definitely interesting, but to me it seems they are out of the scope of the "install relay" Puppet module itself, and also against the usual modular approach of Puppet modules. First, my understanding is that having a node with only Tor running is suggested, but not mandatory, but in any case, those enhancements are more suitable for a separate 'tor-security'-like module that one may or may not be interested in.

--  
Alexander Fortin
http://about.me/alexanderfortin