[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] doc/HARDENING Draft



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/24/2014 4:09 PM, Libertas wrote:
> I thought I'd share an initial draft of doc/HARDENING. Please
> share any opinions or contributions you have. This was written in a
> little more than an hour, so it's still a work in progress.
> However, in the spirit of prototyping before polishing, I thought
> I'd share early.

Thank you for sharing.

There may be mixed opinions about using a resource like this but the
NSA's Guide to the Secure Configuration of Red Hat enterprise Linux 5
[0] covers a great deal of areas that can apply to other distros. Much
of it appears to be included in the debian documentation (which I
believe the .pdf also references).

One might consider fwknop [1] to require single packet authentication
(SPA) before the target ssh port is opened for you and and only for a
few seconds. Sure, moving your ssh to a non-standard port makes for
clean logs but having the port closed to all unless validated through
SPA can present a significant hurdle for a more dedicated adversary.

I've heard of a lot of people using fail2ban but not csf [2] however
nobody has really weighed in on why. There are ways of integrating
fwknop with csf. I'd be happy to share more info by request.

Also let us not forget astandard access restriction layers like
tcpwrappers, and pam + /etc/security/access.conf for ssh.

[0] https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
[1] https://www.cipherdyne.org/fwknop/
[2] http://configserver.com/cp/csf.html (http link because of invalid
ssl cert)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQIcBAEBAgAGBQJUdRSwAAoJEN+MkWRY9DUsNH4P/1qooQgSvFu0ppN5e9OJEt72
M0M1XylF+rlqMfMFBKkbH3ef6v7i3dnuSBeIPhAzGOajvL8P1ji0eMK/2O0Bwe1a
ufbzutcrc9UBgE1GOjlXIhTSoaQgG0KzNRrtbRzkTiBIGrAazpZZPR9sxbNmRQ9/
21mvbQ7hdqaq0g51/HCn88wJETYHzilPJ9u3BPNZ6knEMd3WeW0RDp5iaC0itw3s
NF7X4lQFP13WxQz8JLKBrvcMuZYRd5oz08VP+EhHjeTE9LkGsRve0gwk706tOrOl
yzdQQc6ftYyb3kQfvA65stYSSfB+/4EQVtz2vJGozeAz6HybSy5RAcw7zo39cOLA
VMsc78CVTDn7sQWLq6qAa5d0DEwQw/CXi70zMw/eBnn5vZ5DpIoAKguE/NHiY9yp
pENJMNcVA5Rs1byN2AoHq9y2UtNmADKK/V89NNtwj7zT4lv4YyA6h9p2BztQlXkm
jTm730h6wpdW35QchU/tsGypexxio4o1i+MitvIwqcp5SiaS+wJVgFjxQ9sZIos5
r8Hr/sZKva8i1CWRYhH+k/cXdp6/1ec1AD8AEDLQD2yMQvFpvZ0vdHKswuqkvZIu
VcKRcE5g9ux+BcmLDG27aeM96ltVFqRmkT0ZvMlLAuyhljio2wFWiKtWv7KYXUaD
XH/2lUc87Igpvs5EpNGT
=f1un
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays