[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Debian relay Puppet module

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Debian relay Puppet module
From: Alexander Fortin <alexander.fortin@xxxxxxxxx>
Date: Wed, 18 Jun 2014 09:01:27 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 18 Jun 2014 03:01:41 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:message-id:in-reply-to:references:subject:mime-version :content-type:content-transfer-encoding:content-disposition; bh=wOOSbxid/a39eBgXauaTH70kcE9ZbBoqpZt6U3Rzdec=; b=CGrowY3DVqdQ0/Wz4XrAFHNxsEE9wLY9qq+kP0Rw1u3OR0LwjMi0m0Ii7vD2aZNrOG gt0xMBPnSx3fZvUW1ZXLOt9KzqmxdWkc5IxgzVHTtihmPs+9vhfIeugjyvfQ4l5Np0R3 rkOweEwzaTu0+dnBPSo76C5PQMk8VZi72W0Aw02juoiHD8by9XTFb7NdUtBZd1Xm4Gxo IQLxOlZvFrLeLgzCfediU61sSNSuiH/3NFZ/2IJSxlIqcIrGjG8kJuCX+d6FXOfnLhsL oL8snhVaJ3Hk11aUFp6HDcu824Da86zgfClHhNqrlsBfuAlw8eegzNqTBjL96hfS+ROJ D+Eg==
In-reply-to: <CAKCAbMhwiAEuALOB2wcCZSvd9R8voQo-rwWnjWTTP3Z=waBf-A@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <etPan.539d842b.643c9869.181@xxxxxxxxxxxxx> <CAKCAbMhwiAEuALOB2wcCZSvd9R8voQo-rwWnjWTTP3Z=waBf-A@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 17. Juni 2014 at 23:56:43, Zack Weinberg (zackw@xxxxxxx) wrote:
> Why do you disable directory mirroring? It's my understanding that
> this should basically always be on.

Not sure why, I think at the beginning I wanted to use the âminimalâ config, and I didnât even now about directory services, but please keep in mind Iâm still missing the big Tor picture and many things are new to me
Thatâs actually one of the reasons for this thread: if you think such and such configuration should be defaulted, or available as a custom parameter, well, please say so :)

> It would be nice if exit-relay mode enabled an HTTP "exit notice" as
> described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.

Point 4 says: "If you run your DirPort on port 80â. Should it be enabled only when DirPort = 80?

> Tor relays get pounded on by the script kiddies -- a degree of
> hardening is appropriate. I don't know if there are any stock Puppet
> "tighten security" modules but these are the things that I remember
> having done to mine. Note that my relays serve no other traffic and
> have no non-root user accounts; some of these configuration choices
> may be inappropriate for multi-use machines.

I donât know of any such âsecurity silver bullet moduleâ I am afraid :)

About the security enhancements, they are definitely interesting, but to me seems they are out of the scope of the âinstall relayâ Puppet module itself, and also against the usual modular approach of Puppet modules. First, my understanding is that having a node with only Tor running is suggested, but not mandatory, but in any case,Âthose enhancements are more suitable for a separate 'tor-securityâ like module that one may or may not be interested in.

--  
Alexander Fortin
http://about.me/alexanderfortin
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Debian relay Puppet module
  - From: Zack Weinberg

References:
- [tor-relays] Debian relay Puppet module
  - From: Alexander Fortin
- Re: [tor-relays] Debian relay Puppet module
  - From: Zack Weinberg

Prev by Author: Re: [tor-relays] Operating system diversity?
Next by Author: Re: [tor-relays] Debian relay Puppet module
Previous by thread: Re: [tor-relays] Debian relay Puppet module
Next by thread: Re: [tor-relays] Debian relay Puppet module
Index(es):
- Author
- Thread