[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] hardening a tor relay

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] hardening a tor relay
From: Morgan Smith <tor-exit0@xxxxxxxxxxxxxxx>
Date: Thu, 22 May 2014 10:08:29 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 22 May 2014 12:12:13 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=intersafeit.com; s=default; t=1400774910; bh=H93SpMPLeU0hxwUbXgSqgrE4CeLROdqA6EDaeYciZmY=; h=Date:From:To:Subject:References:In-Reply-To:From; b=PaH88UPz2CNxWBeVJPza8fg2JJoFSbpoV6CvP88pVeRevvFPt3b7RCdnklkfexNJ0 zKzOdIMH2PiKqa+7yBEDbvBzcBeUAGOwQj3KuEwciAUXmmotAgMpy9TLyncq7QiJ/O qOJJ0J+BJaOI7DnjDL7NrBDZL3uCoFOPhA2SIr5o=
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=intersafeit.com; s=default; t=1400774910; bh=H93SpMPLeU0hxwUbXgSqgrE4CeLROdqA6EDaeYciZmY=; h=Date:From:To:Subject:References:In-Reply-To:From; b=PaH88UPz2CNxWBeVJPza8fg2JJoFSbpoV6CvP88pVeRevvFPt3b7RCdnklkfexNJ0 zKzOdIMH2PiKqa+7yBEDbvBzcBeUAGOwQj3KuEwciAUXmmotAgMpy9TLyncq7QiJ/O qOJJ0J+BJaOI7DnjDL7NrBDZL3uCoFOPhA2SIr5o=
In-reply-to: <537D5507.9010908@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <1400718225.40138.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <537D5507.9010908@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

On 5/21/2014 7:38 PM, Moritz Bartl wrote:
> The problem with selective filters for outgoing traffic is that Tor
> needs to be able to connect to all other Tor relays, some of which use
> non-standard ports. 

One could add a rule to the OUTPUT chain that allows all traffic from
the tor user (or uid). This allows one to maintain non-tor related
outbound rules without interfering with tor itself. On a hypothetical
system where the uid under which tor runs is 501 an iptables rule like
this should work:

iptables -I OUTPUT -p tcp -m owner --uid-owner 501 -j ACCEPT

One resource for ideas on how to harden a system is the NSA. I for one
have referenced these two docs on more than one occasion (clearnet
links) and they can be adopted conceptually into many other distros:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

-- 
Morgan Smith | IntersafeIT
Phone/Fax: +1 (888) 623-7444
morgan@xxxxxxxxxxxxxxx
www.intersafeit.com   | intersafewhe4eoy.onion
Twitter: @IntersafeIT | GnuPG ID: 9CDD26C7

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] hardening a tor relay
  - From: Contra Band
- Re: [tor-relays] hardening a tor relay
  - From: Moritz Bartl

Prev by Author: Re: [tor-relays] DigitalOcean starting Exit node crackdown
Next by Author: Re: [tor-relays] How to handle an abuse report
Previous by thread: Re: [tor-relays] hardening a tor relay
Next by thread: Re: [tor-relays] hardening a tor relay
Index(es):
- Author
- Thread