Re: [tor-relays] Debian relay Puppet module
On 06/17/2014 02:09 PM, Zack Weinberg wrote:
> Tor relays get pounded on by the script kiddies -- a degree of
> hardening is appropriate. I don't know if there are any stock
> Puppet "tighten security" modules but these are the things that I
> remember
I don't have any Puppet modules or Chef recipes, but I do have a Git
repo of some basic hardened Ubuntu config files (v12.04 and v14.04)
that might be a good place to start:
https://github.com/virtadpt/ubuntu-hardening
> - install fail2ban and ufw; firewall incoming traffic to ports
> other than 9001, 9030, and 22 (ssh) (I don't think the marginal
> benefit of moving ssh to a nonstandard port is worth the hassle).
I do both on some of my machines and it's helped a lot. It definitely
cut down on the "portscan the box, resume pounding on SSH like
woodpeckers on meth."
> - install logcheck and nullmailer; set /etc/nullmailer/adminaddr
> and /etc/nullmailer/remotes to values assigned in Puppet
> configuration; symlink /etc/nullmailer/helohost to /etc/hostname.
> (ufw and sshd will emit a great deal of chatter due to people
> knocking on the machine. I have custom ignore.d.server files to
> shut them up - basically I've set it to mail me only on
> *successful* logins. Let me know if you want 'em.)
I'm curious; never used nullmailer before though I do use logcheck
pretty heavily.
> - install unattended-upgrades and configure it to auto-upgrade
> everything. Unfortunately, the unattended-upgrades documentation
> is at pains to avoid explaining how to do that; this is what I have
> in
`sudo dpkg-reconfigure -plow unattended-upgrades`
--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
Sometimes the only thing more dangerous than a question is an answer.
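The three items from the quoted list, written out as one Puppet 3 class. This is an added sketch, not code from the thread or from the virtadpt/ubuntu-hardening repo; the ports and nullmailer paths are the ones in the message, while the class name, the `$admin_addr` and `$smtp_relay` parameters, and the use of ufw/exec resources are assumptions.

```puppet
# Added example, not the thread's module; $admin_addr and $smtp_relay are hypothetical inputs.
class tor_relay_hardening (
  $admin_addr,                           # where root/logcheck mail should end up
  $smtp_relay,                           # nullmailer smarthost, e.g. 'mail.example.org'
  $open_ports = ['22', '9001', '9030'],  # ssh, ORPort, DirPort (as in the quoted list)
) {
  package { ['ufw', 'fail2ban', 'logcheck', 'nullmailer', 'unattended-upgrades']:
    ensure => installed,
  }
  # Default-deny inbound, open only the listed ports, then enable ufw.
  exec { 'ufw-default-deny':
    command => '/usr/sbin/ufw default deny incoming',
    unless  => '/bin/grep -q \'^DEFAULT_INPUT_POLICY="DROP"\' /etc/default/ufw',
    require => Package['ufw'],
  }
  tor_relay_hardening::allow_port { $open_ports: }
  exec { 'ufw-enable':
    command => '/usr/sbin/ufw --force enable',
    unless  => '/usr/sbin/ufw status | /bin/grep -q "Status: active"',
    require => Tor_relay_hardening::Allow_port[$open_ports],
  }
  service { 'fail2ban': ensure => running, enable => true, require => Package['fail2ban'] }
  # nullmailer: admin address, smarthost, and HELO name symlinked to /etc/hostname.
  file { '/etc/nullmailer/adminaddr':
    content => "${admin_addr}\n",
    require => Package['nullmailer'],
  }
  file { '/etc/nullmailer/remotes':
    content => "${smtp_relay} smtp\n",
    require => Package['nullmailer'],
  }
  file { '/etc/nullmailer/helohost':
    ensure  => link,
    target  => '/etc/hostname',
    require => Package['nullmailer'],
  }
  # Same two settings dpkg-reconfigure writes when auto-updates are switched on;
  # which origins get upgraded still comes from 50unattended-upgrades.
  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    content => "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n",
    require => Package['unattended-upgrades'],
  }
}
define tor_relay_hardening::allow_port () {  # one ufw allow rule per port; title is the port
  exec { "ufw-allow-${name}":
    command => "/usr/sbin/ufw allow ${name}/tcp",
    unless  => "/usr/sbin/ufw show added | /bin/grep -q 'ufw allow ${name}/tcp'",
    require => Exec['ufw-default-deny'],
  }
}
```

The `unless` checks keep each run idempotent even before ufw is enabled, since `ufw show added` lists rules that `ufw status` hides while the firewall is inactive.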
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays