On Sun, Jun 15, 2014 at 7:31 AM, Alexander Fortin <alexander.for...@gmail.com> wrote:
>
> I’ve recently joined the Tor Project and I have been running a non-exit relay
> for a few days.
>
> I’m also a Puppet user and, more in general, I try to make deploying applications
> on the servers I administer as easy as possible, Tor included.
>
> I think Tor documentation to install on a Debian server is quite good, but I
> still prefer to have Puppet doing that for me, and I’m quite sure every Puppet
> user out there would think the same.
Hey, thanks for doing this! I have kinda wanted to put something similar
together for a while but haven't had the time. Here are some thoughts, in no
particular order:

Why do you disable directory mirroring? It's my understanding that this should
basically always be on.

It would be nice if exit-relay mode enabled an HTTP "exit notice" as described
at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.

Tor relays get pounded on by the script kiddies -- a degree of hardening is
appropriate. I don't know if there are any stock Puppet "tighten security"
modules, but these are the things that I remember having done to mine. Note
that my relays serve no other traffic and have no non-root user accounts; some
of these configuration choices may be inappropriate for multi-use machines.

- install fail2ban and ufw; firewall incoming traffic to ports other than 9001,
  9030, and 22 (ssh). (I don't think the marginal benefit of moving ssh to a
  nonstandard port is worth the hassle.)

- sshd_config configuration tuning: beware that this will lock out any user
  account with no SSH authorized_keys!

    Protocol 2
    UsePrivilegeSeparation yes
    PermitRootLogin without-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    StrictModes yes
    X11Forwarding no
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com

- install logcheck and nullmailer; set /etc/nullmailer/adminaddr and
  /etc/nullmailer/remotes to values assigned in Puppet configuration; symlink
  /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will emit a great
  deal of chatter due to people knocking on the machine. I have custom
  ignore.d.server files to shut them up - basically I've set it to mail me only
  on *successful* logins. Let me know if you want 'em.)

- install unattended-upgrades and configure it to auto-upgrade everything.
  Unfortunately, the unattended-upgrades documentation is at pains to avoid
  explaining how to do that; this is what I have in
  /etc/apt/apt.conf.d/50unattended-upgrades:

    Unattended-Upgrade::Origins-Pattern {
        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";
        "o=TorProject,a=stable";
    };
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Mail "root";
    Unattended-Upgrade::MailOnlyOnError "true";

- I'd *like* to recommend pulling libssl from testing, but right now that also
  means upgrading libc, which seems unwise.

- I'd also like to recommend a kernel enhanced-security module, but I was
  unable to get SELinux to the point where I could turn enforcement on without
  breaking boot (and when I finally gave up and purged it, the relay I was
  testing that on sped up by 15%!), AppArmor seems too half-assed to actually
  be worth it, and Debian doesn't have grsec kernel packages.

zw
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
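As an added example (not code from the mail above, nor from the Tor Project or Puppet), here is a POSIX shell script that turns the sshd_config and unattended-upgrades items in the reply into checks you can run before and after a configuration-management tool applies them: it audits an sshd_config for the listed directives (the first occurrence of a keyword wins, as in sshd; Match blocks and Include directives are deliberately not followed), refuses to sign off on "PasswordAuthentication no" until some non-empty authorized_keys file exists (the lock-out the mail warns about), and writes the 50unattended-upgrades file with a semicolon after every directive, as apt.conf syntax requires. The function names, the sample configs and the placeholder key line are constructed for this example; file paths are parameters, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example, not from the mail above. Audits an sshd_config against the
# directives the mail lists, checks for the lock-out it warns about, and writes
# the 50unattended-upgrades file. All paths are parameters so the functions can
# be exercised on constructed files.

# The sshd_config directives from the mail, one "Keyword value" per line.
# Ciphers is handled separately: we only require that it is set explicitly,
# since the mail's exact cipher list is not reproduced here.
REQUIRED_SSHD='Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no'

# sshd_get CONFIG KEYWORD: print the effective value of KEYWORD. sshd uses the
# first occurrence of a keyword (keywords are case-insensitive), so that is what
# we report. Simplification: Match blocks and Include are not followed.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit CONFIG: print one line per directive that is missing or differs
# from the required value; exit status is the number of failures (0 = pass).
sshd_audit() {
    config="$1"
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_get "$config" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$REQUIRED_SSHD
EOF
    if [ -z "$(sshd_get "$config" Ciphers)" ]; then
        echo "FAIL: Ciphers not set explicitly (sshd's default list would apply)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# lockout_check HOMEROOT: succeed only if at least one non-empty authorized_keys
# file exists below HOMEROOT (e.g. /root or /home). Run this before applying
# "PasswordAuthentication no"; an empty file does not count.
lockout_check() {
    find "$1" -type f -name authorized_keys -size +0c 2>/dev/null | grep -q .
}

# write_unattended_upgrades FILE RECIPIENT: the mail's 50unattended-upgrades
# contents, with the mail recipient as a parameter. Every directive ends in ';'
# because apt.conf syntax requires it.
write_unattended_upgrades() {
    cat > "$1" <<EOF
Unattended-Upgrade::Origins-Pattern {
        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";
        "o=TorProject,a=stable";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Mail "$2";
Unattended-Upgrade::MailOnlyOnError "true";
EOF
}

# Stand-alone demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
# Constructed sample resembling a permissive stock config: password and root logins on.
printf '# constructed sample\nProtocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\n' \
    > "$demo_dir/sshd_config.stock"
printf '%s\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n' "$REQUIRED_SSHD" \
    > "$demo_dir/sshd_config.hardened"

echo "== stock config =="
sshd_audit "$demo_dir/sshd_config.stock" || echo "($? directives need changing)"
echo "== hardened config =="
sshd_audit "$demo_dir/sshd_config.hardened" && echo "all directives present"

mkdir -p "$demo_dir/home/alice/.ssh"
lockout_check "$demo_dir/home" || echo "no authorized_keys yet: do NOT disable passwords"
echo 'ssh-ed25519 PLACEHOLDER-NOT-A-REAL-KEY alice' > "$demo_dir/home/alice/.ssh/authorized_keys"
lockout_check "$demo_dir/home" && echo "key found: safe to set PasswordAuthentication no"

write_unattended_upgrades "$demo_dir/50unattended-upgrades" root
rm -rf "$demo_dir"
```

On a real relay you would point sshd_audit at /etc/ssh/sshd_config and lockout_check at /root and /home, and gate the step that pushes the hardened sshd_config on both succeeding; after writing the apt fragment, `apt-config dump | grep Unattended-Upgrade` confirms apt parsed it.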