WARNING: this is a work-in-progress page (2018-08-05)
Relay Security
Relays are the backbone of the Tor network, so it is paramount that they stay safe from the many physical and digital threats that exist in the world. Below is a guide that outlines some suggestions and additional steps you can take to improve the security posture of your relays.
Using a dedicated system
It is highly recommended that operators run their relays on systems dedicated to that purpose. This keeps the operator's personal files away from the relay and shrinks the attack surface by minimising the running services and installed software. This can be done in a few different ways:
Setting up a hypervisor on your local OS
This method lets you run your relay in a dedicated guest OS on top of your existing operating system, using software such as KVM or VirtualBox, or a hypervisor-based operating system such as Qubes. Note that hardware virtualisation requires a CPU with virtualisation extensions (Intel VT-x or AMD-V), and Qubes additionally needs an IOMMU (Intel VT-d or AMD-Vi) for its device isolation; a multi-core processor is advisable so that the guest does not starve the host.
Using a spare laptop or tower
This is probably the simplest method if you have spare hardware. Tor needs few resources and runs fine headless, so almost any older system lying around, or one picked up from a used computer shop, will be sufficient to host a dedicated OS for relaying.
Using a VPS hosting service
You can rent a VPS (virtual private server) from a hosting company and use it to run a dedicated relay or exit. Many hosts do not object to middle relays on their networks; exit relays are a very different story, because abuse complaints about exit traffic are addressed to the host. Refer to doc/GoodBadISPs for a list of friendly hosts if you are unsure where to begin.
Hardening your OS
Encrypting storage and swap space
On GNU/Linux and *BSD, full-disk encryption is normally set up during installation and is usually straightforward; if you are unsure how, refer to the installation guide of your chosen operating system. On macOS and Windows it is enabled in the system settings (FileVault and BitLocker respectively). Make sure swap is either inside the encrypted volume or disabled, since otherwise key material and other memory contents can be written to disk in the clear. Bear in mind that an encrypted relay cannot reboot unattended: someone has to enter the passphrase at boot, which matters for a machine you cannot easily reach.
Restricting SSH access
Open /etc/ssh/sshd_config (the server configuration; ssh_config is the client's and has no effect on incoming logins)
in your favourite text editor with root privileges and add the following lines:
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
Then restart the SSH daemon. Keep your current session open and test a fresh login from a second terminal before closing it, so that a mistake in the configuration cannot lock you out.
These settings disallow SSH logins to the system's root account (users in sudoers are not affected and can still become root after logging in), make sshd refuse key files and home directories with insecure permissions (StrictModes is already the default, so listing it only pins it), and limit the number of authentication attempts a single connection may make before it is dropped. Note that every public key your client offers counts as an attempt, so with several keys loaded in an agent you may need IdentitiesOnly yes on the client side.
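The following is an added example, not code from the Tor wiki page: a small POSIX shell helper that applies the settings above idempotently and runs the server's own configuration check before restarting, which is the step that keeps a typo from locking you out. It assumes a POSIX sh with awk, an OpenSSH server whose config lives at /etc/ssh/sshd_config (overridable by argument), and a systemd unit named either ssh or sshd; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Tor wiki page): apply sshd hardening settings
# idempotently and validate the result before restarting the daemon.
# Assumes POSIX sh + awk and an OpenSSH server; config path defaults to /etc/ssh/sshd_config.

# set_sshd_option FILE KEYWORD VALUE
# Replaces the first active or commented-out line for KEYWORD, or inserts one.
# sshd honours the first value it reads for a keyword, so an inserted line goes
# before any "Match" block: a line appended after "Match" would only apply to
# the users or hosts that block matches.
set_sshd_option() {
  file=$1
  key=$2
  value=$3
  cp -p "$file" "$file.tmp" || return 1   # keep the original mode and owner
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    !done && $0 ~ ("^[# \t]*" key "([ \t]|$)") { print key " " value; done = 1; next }
    !done && $0 ~ /^[ \t]*Match([ \t]|$)/     { print key " " value; done = 1 }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd [CONFIG]   (run as root, with an existing session kept open)
# Applies the page's settings, then asks sshd itself to validate the file so the
# daemon is only restarted with a configuration it accepts.
harden_sshd() {
  cfg=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$cfg" PermitRootLogin no || return 1
  set_sshd_option "$cfg" StrictModes yes || return 1
  set_sshd_option "$cfg" MaxAuthTries 2 || return 1
  sshd -t -f "$cfg" || { echo "sshd rejected $cfg; not restarting" >&2; return 1; }
  # Debian/Ubuntu name the unit ssh, most other distributions sshd; try both.
  systemctl restart ssh 2>/dev/null || systemctl restart sshd
}
```

Run harden_sshd as root, then verify from a second terminal that a normal user can still log in and that ssh root@host is refused. If you later go further than the page and disable password authentication, install your public key and confirm key login works before doing so, for the same reason the restart is gated on sshd -t.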
Tor-only firewalling with iptables
(Note: if you are logged in over SSH, running these commands as written will cut off your session immediately, because the replies sent by sshd are outbound packets that do not belong to the Tor user. Either run them from a local console, or insert a rule accepting established connections before setting the DROP policy.)
For these rules to work, the --uid-owner option must be followed by the Tor user account on your system. This user is debian-tor on both Debian and Ubuntu, Gentoo uses plain tor, and other distributions may differ. If you are unsure, you can list the accounts on the system with cat /etc/passwd.
As root, enter:
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -P OUTPUT DROP
# iptables -L -v
The last command lists the rules with counters showing how many packets each rule has accepted and how many the default policy has dropped.
The line iptables -A OUTPUT -j ACCEPT -o lo allows traffic over the loopback interface, which is safe and needed for local services such as Tor's control port.
Two caveats: these rules only cover IPv4, so repeat them with ip6tables if the machine has IPv6 connectivity, otherwise non-Tor processes can still reach the network over IPv6; and they are not persistent across reboots unless you save them (for example with iptables-save, or the iptables-persistent package on Debian). Remember also that with this policy in place nothing but Tor can initiate outbound connections, so package updates, NTP and similar tasks will fail until you add rules for them.
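The following is an added example, not the Tor wiki page's own commands: a POSIX shell function that builds the same Tor-only OUTPUT chain but adds the established-connections rule (so an SSH session survives), sets the DROP policy last (so a failure half-way never leaves a closed chain with no accept rules), and applies the chain to both iptables and ip6tables. It assumes an iptables with the conntrack and owner match modules, and the Tor account name is passed in as an argument; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Tor wiki page): build the Tor-only OUTPUT chain in a
# way that survives an SSH session and covers IPv6. Assumes iptables/ip6tables with
# the conntrack and owner match modules; the Tor user is given as an argument.

# build_output_chain IPTABLES_CMD TOR_USER
# IPTABLES_CMD is iptables or ip6tables, so one function serves both address
# families; a shell function can be substituted to inspect the generated rules.
build_output_chain() {
  ipt=$1
  toruser=$2
  "$ipt" -F OUTPUT || return 1
  # Loopback: local services such as Tor's control port.
  "$ipt" -A OUTPUT -o lo -j ACCEPT || return 1
  # Replies on connections that already exist keep flowing: your SSH session and the
  # inbound circuits other relays and clients open to this relay. A non-Tor process
  # still cannot open a new outbound connection, because its SYN never gets through.
  "$ipt" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
  # Everything the Tor daemon's user sends is allowed.
  "$ipt" -A OUTPUT -m owner --uid-owner "$toruser" -j ACCEPT || return 1
  # Policy is set last, so a failure above never leaves DROP with no accept rules.
  "$ipt" -P OUTPUT DROP
}

# apply_tor_output_firewall TOR_USER   (run as root)
apply_tor_output_firewall() {
  toruser=$1
  # Refuse an unknown account: iptables would reject --uid-owner and the chain would stay open.
  id -u "$toruser" >/dev/null 2>&1 || { echo "no such user: $toruser" >&2; return 1; }
  build_output_chain iptables "$toruser" || return 1
  # Without this, anything on the box can still leak over IPv6.
  build_output_chain ip6tables "$toruser" || return 1
  iptables -L OUTPUT -v -n
}
```

Save the result with iptables-save > /etc/iptables/rules.v4 and ip6tables-save > /etc/iptables/rules.v6 (the files the iptables-persistent package on Debian restores at boot), otherwise the rules vanish on reboot. Root-run tasks such as apt or NTP still cannot open outbound connections with this chain in place; add explicit rules for them if you need them.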
Eliminating unneeded accounts and services
Ensure that your Tor server is not running any unnecessary services. Most operating systems ship with extraneous services enabled by default; turn off, and where possible remove, any you do not need. Listing the listening sockets (for example with ss -tulpn) shows what is actually exposed to the network. Ideally your relay will run on a dedicated machine with no user accounts or services other than Tor itself.
If you must run other services, lock them down as far as possible; the SSH and firewall instructions above are examples of this.
Physical security
Secure location
Make sure that the machine running your Tor relay is physically secure. If it is in a cabinet or rack in a co-location facility, make sure the doors are locked and proper access-control measures are in place. If it is in a room in your office or home, keep it behind a locked door. Remember that if your relay is hosted externally, you are trusting the hosting provider to follow proper security procedures.
Additionally, make sure your backup media is physically secure. For example, you might keep backup tapes and cryptographic keys in a safety deposit box at your bank.
Coldboot attacks
Keep in mind that DRAM chips retain much of their contents for seconds to minutes after power is removed, and for considerably longer if they are chilled first; an attacker who cuts the power and immediately reboots into their own tool can read out disk-encryption keys and other secrets that were in memory. This is known as a cold boot attack. The simplest mitigation is to have the system wipe memory, or at least its key material, during shutdown, and to stop the machine being booted quickly from attacker-controlled media by disabling USB and optical boot in the firmware, setting a firmware password and removing the CD/DVD drive. Note that this only protects a machine that is powered off or shut down cleanly; a running relay necessarily holds its identity keys in memory.