Re: [tor-relays] hardening a tor relay

Nice thread. in my case (tor exit node):

Output only security connections;

ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*

Block all output like http and smtp in my netfilter (Gnu Linux);

-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
etc ..

I had problems with portscan originated in my output. Even without ExitPolicy accept

EX:

Dear Sir/Madam,

We have detected abuse from the IP address MYIPADDRESS, which according to a whois lookup is on your network. We would appreciate if you would investigate your logs and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)

Regards,

Critical Path, Inc.

Note: Local timezone is +0000 (GMT)
Jan 15 16:03:00 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:07 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:11 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:14 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:17 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:18 65.20.0.47 pop3: Failed password from MYIPADDRESS
******************************

------------------------- END ------------------------------------

to keep me in a comfort zone, I installed OSSEC. OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

example of my latest incidents:

OSSEC HIDS Notification.
2014 May 23 11:45:44

Received From: darkstar->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

May 23 12:45:44 darkstar kernel: tor: page allocation failure. order:0, mode:0x20

Â--END OF NOTIFICATION

'm Slowly creating rules (regular expressions) to OSSEC for the Tor message and treating facilities.

On Thu, May 22, 2014 at 2:31 PM, Paul Staroch <paulchen@xxxxxxxxxx> wrote:

Am 2014-05-22 02:23, schrieb Contra Band:
> # Allow incoming 9050
> iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
>
> # Allow outgoing 9050
> iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
>
> # Allow incoming 9051
> iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
>
> # Allow outgoing 9051
> iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

Do you actually need remote access to ports 9050 (Socks proxy) and 9051 (control port)? By default, Tor opens these ports on the loopback interface only.

Paul

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Noilson Caio Teixeira de AraÃjo
https://ncaio.wordpress .com
https://br.linkedin.com/in/ncaio

https://twitter.com/noilsoncaio