**Warning: This page contains outdated information and has not been maintained in the recent past.**

= How to Run a Secure Tor Server =
# How to Run a Secure Tor Server

== Encrypt Storage and Swap Space ==
## Encrypt Storage and Swap Space

Make sure that any sensitive files are stored on an encrypted filesystem and that file permissions are set correctly. With a Tor server, the only sensitive information is the server's private key (located in /usr/local/etc/tor/keys on Unix/Linux platforms; readable only by owner).

Additionally, swap space on the machine should be encrypted if your operating system has such an option. On some operating systems, it is possible to have swap space be a file on an encrypted filesystem.

'''Linux'''
**Linux**

~~'''2.6+ kernels''' ~~
~~**2.6+ kernels** ~~

Note: The instructions below reference Linux 2.6. As of March 2018, you the minimum version of Linux which still receives security updates is 3.2 and the current version is 4.15. These instructions may or may not still apply to present day Debian systems. Please do not run a Tor relay on Linux 2.6 or any other EOL'd kernel!

FIXME: could someone confirm that these instructions are still correct?

On Debian, running at least a 2.6.4 kernel, you can encrypt swap using the [https://packages.debian.org/search?keywords=cryptsetup cryptsetup] package.
On Debian, running at least a 2.6.4 kernel, you can encrypt swap using the [cryptsetup](https://packages.debian.org/search?keywords=cryptsetup) package.

Install cryptsetup:

{{{
```
apt-get install cryptsetup
}}}
```

Assuming your swap partition is **/dev/xvdb**, first you need to disable swap and zero out the partition:

{{{
```
swapoff /dev/xvdb
dd if=/dev/zero of=/dev/xvdb
}}}
```

Add the following to /etc/crypttab:

{{{
```
swap /dev/xvdb /dev/random swap
}}}
```

Activate the mapping:

{{{
```
service cryptdisks restart
}}}
```

Update your swap's /etc/fstab entry to point to the encrypted swap device:

{{{
```
/dev/mapper/swap none swap defaults 0 0
}}}
```

Activate your encrypted swap:

{{{
```
swapon /dev/xvdb
}}}
```

'''FreeBSD'''
**FreeBSD**

Swap encryption has been possible with FreeBSD since 5.3-RELEASE.

Information on how to configure it can be found in the FreeBSD handbook: [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html Encrypting Swap Space with FreeBSD]
Information on how to configure it can be found in the FreeBSD handbook: [Encrypting Swap Space with FreeBSD](http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html)

Information on how to encrypt other disk partitions can be found here: [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html Encrypting Disk Partitions with FreeBSD]
Information on how to encrypt other disk partitions can be found here: [Encrypting Disk Partitions with FreeBSD](http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html)

'''OpenBSD'''
**OpenBSD**

For many releases, it has been very easy to encrypt swap space in OpenBSD.

You can enable it dynamically by setting `sysctl -w vm.swapencrypt.enable=1` or editing `/etc/sysctl.conf` to permanently make the change:

{{{
```
vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
}}}
```

Here are instructions on setting up an encrypted virtual filesystem: http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html

In addition to encrypted filesystems, keeping temporary files in a memory file system is an option. This means you're using system memory as a hard drive and when the partition is unmounted the files stored are lost.

Adding the following to /etc/fstab, where `/dev/wd0b` is your swap, creates two 74M MFS partitions for `/tmp` and `/var/tmp`:

{{{
```
/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=153600 0 0
/dev/wd0b /var/tmp mfs rw,nodev,nosuid,-s=153600 0 0
}}}
```

'''Windows'''
**Windows**

{{{
```
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Shutdown: Clear virtual memory pagefile
}}}
```

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system.

For Windows 95/NT visit http://www.stack.nl/~galactus/remailers/wipeswap.html.

For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project [http://www.truecrypt.org/ TrueCrypt] with its extensions [http://www.truecrypt.org/third-party-projects/tcgina/ TCGINA] and [http://www.truecrypt.org/third-party-projects/tctemp/ TCTEMP] allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with TrueCrypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the server's private key and swap space) are stored inside encrypted containers as recommended above. A step by step explanation how to install and set this up can can be found http://sjspublications.supersized.org/archives/1-Use-Truecrypt-to-Make-Your-Windows-TORServer-Safer.html.
For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project [TrueCrypt](http://www.truecrypt.org/) with its extensions [TCGINA](http://www.truecrypt.org/third-party-projects/tcgina/) and [TCTEMP](http://www.truecrypt.org/third-party-projects/tctemp/) allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with TrueCrypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the server's private key and swap space) are stored inside encrypted containers as recommended above. A step by step explanation how to install and set this up can can be found http://sjspublications.supersized.org/archives/1-Use-Truecrypt-to-Make-Your-Windows-TORServer-Safer.html.

[http://www.jetico.com/index.htm#/bcrypt7.htm BestCrypt] is similar to TrueCrypt but does not offer as many features. BestCrypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.
[BestCrypt](http://www.jetico.com/index.htm#/bcrypt7.htm) is similar to TrueCrypt but does not offer as many features. BestCrypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.

Microsoft resource document for the [http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp Encrypted File System] (NTFS only)
Microsoft resource document for the [Encrypted File System](http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_qutx.asp) (NTFS only)

To use EFS built into Windows XP Professional, browse to Documents and settings\<username>\Application Data and right click on the Tor directory and select Properties. In the general tab click on the Advanced tab and tick the "Encrypt contents to secure data" See the Microsoft resource document above for me details.

{{{
```
TODO: Give instructions on setting up encrypted filesystems and swap on
various OSs (hopefully including OS X).
}}}
```

'''OS X Instructions (Tiger)'''
**OS X Instructions (Tiger)**

1.Turning Encrypted Swap On *Apple Menu -> System Preferences -> Security *Check the 2nd last box "Use secure virtual memory" *Close System Preferences
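Review bot: the Linux swap procedure ends with `swapon /dev/xvdb`, which re-enables swap on the raw partition that was just zeroed and handed to dm-crypt, not on the encrypted mapping; the fstab entry two steps earlier points at `/dev/mapper/swap`, so the last command should be `swapon /dev/mapper/swap` (or `swapon -a` to pick up the fstab entry). The crypttab line also keys the swap from `/dev/random`, which can block at boot on a headless box short of entropy; `/dev/urandom` is the usual choice for a throwaway swap key. Two conversion problems in the same hunk: `~~**2.6+ kernels** ~~` keeps a space before the closing `~~`, so the strikethrough will not render, and `1.Turning Encrypted Swap On *Apple Menu -> ...` has the numbered item and its three sub-bullets flattened onto one line with no space after `1.`, so Markdown shows it as plain text; each `*` item needs its own line.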
@@ -106,24 +106,24 @@ various OSs (hopefully including OS X).

* Drag-and-drop the files you want encrypted into the newly created image

== Follow all Security Updates for Your Operating System ==
## Follow all Security Updates for Your Operating System

This is probably one of easiest, and most important, things you can do.

Also, if your operating system has support for signed updates, you should make sure that you enable it.

== Physical Security ==
## Physical Security

Make sure that the machine running your Tor server is physically secure. If it is in a cabinet or rack in a colocation facility, make sure the door(s) is/are locked. If it is in a machine room in your office, make sure the door to the machine room is locked.

Keep in mind that DDR memory chips can retain its contents for one or two minutes if they are freezed immediately after powering off. The best solution is to wipe whole memory contents during shutdown to avoid revealing passwords that are stored in plain text in memory. You can also prevent the attacker to boot quickly your machine by locking USB ports and removing CD drive from machine.

Additionally, make sure your backup media are physically secure. For example, you might keep backup tapes in a safe deposit box at your bank.

== Eliminate All Unnecessary Services and User Accounts ==
## Eliminate All Unnecessary Services and User Accounts

Ensure that your Tor server is not running any unnecessary services. Many (well, most) operating systems come out of the box with extraneous services running by default. Turn them off. Ideally, your Tor server would run on a dedicated machine with no user accounts and no services other than Tor itself.

If you must run other services, lock them down to the extent possible. For example, you can set OpenSSH to only allow certain user accounts to connect with the AllowUsers option, or you can firewall your system such that only certain IP addresses are allowed to connect to the SSH service on your server. The same applies for most HTTP servers.

== Restrict SSH Access ==
## Restrict SSH Access

Restrict/harden SSH access by:

*Dropping weak and/or tainted key algorithms (re: Anything with "DSA" in the name) in favor of 4096-bit RSA keys or Ed25519.
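Review bot: `*Dropping weak and/or tainted key algorithms ...` has no space after the asterisk, so in the Markdown version it is not a list item, and with `*Enforcing ...` on the following line the two bare asterisks can be read as emphasis delimiters instead; write the items as `* Dropping ...` and `* Enforcing ...`. The Physical Security paragraph (`DDR memory chips can retain its contents ... if they are freezed`) is carried over with its grammar intact and could be tidied in the same pass.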
@@ -131,11 +131,11 @@ Restrict/harden SSH access by:

*Enforcing forward secrecy on the key exchange.

1. First we need to open the ssh_config file.

{{{
```
sudo nano /etc/ssh/ssh_config
}}}
```

The changes below need to be made.

{{{
```
Host *
# ForwardAgent no
# ForwardX11 no
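Review bot: step 1 opens `/etc/ssh/ssh_config` and edits its `Host *` block, which is the OpenSSH client configuration; `HostKeyAlgorithms`, `Ciphers` and `MACs` placed there govern connections this machine makes outward, not the inbound access the section title is about. To restrict what clients may negotiate when connecting to the relay, the same directives belong in `/etc/ssh/sshd_config` (step 2), where `Host *` is not valid syntax. `*Enforcing forward secrecy on the key exchange.` has the same missing-space list problem as the previous hunk.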
@@ -179,15 +179,15 @@ Host *

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
}}}
```

Save and close the file and move to step 2.

2. Disable Root Login Via SSH.

{{{
```
sudo nano /etc/ssh/sshd_config
}}}
```

Now the contents of your sshd_config can be replaced with the code below.

{{{
```
# Package generated configuration file
# See the sshd_config(5) manpage for details
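Review bot: the `HostKeyAlgorithms` line still lists `ssh-rsa-cert-v00@openssh.com`, a certificate format OpenSSH removed years ago, and the `MACs` line lists `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, which current OpenSSH releases no longer support; since OpenSSH rejects a directive that names an algorithm it does not know, the whole line fails on a modern system. Both lists also lean on `ssh-rsa` (SHA-1 signatures), which OpenSSH disables by default since 8.8; prefer `ssh-ed25519` plus `rsa-sha2-512`/`rsa-sha2-256` and their `-cert-v01` forms. Step 2 tells the reader to replace the entire `sshd_config` with the block that follows without saying to keep a copy of the original; add that before the overwrite.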
@@ -276,15 +276,15 @@ Subsystem sftp /usr/lib/openssh/sftp-server

# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
}}}
```

Now save and close the file and your finished.

== Reliability ==
## Reliability

Make sure your Tor server has good, battery-backed power and reliable network connectivity. Make sure to use stable operating system software and good quality hardware, so that the system does not suffer from undue crashes or other failures.

== Minimize Data Retention ==
## Minimize Data Retention

Audit your server's logging configuration and reduce the amount of information logged as much as possible. Set your log rotation software to delete logs after as short a time as you can manage.

Remember, you can recover deleted files as long as the space has not been overwritten. With mildly expensive computer forensics, you can recover even multiple pass overwrites.
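Review bot: the SSH procedure ends with `Now save and close the file and your finished.` (typo: `you're`) but never validates or reloads the daemon; add a step to run `sshd -t` and then reload the service while the current session stays open, confirming a second login works before closing it, since a broken `sshd_config` on a remote relay locks the operator out. The quoted tail leaves `#UsePAM yes` commented out, which on Debian disables the PAM account and session checks the surrounding comment describes; if that is intended it should be stated. The step is titled `Disable Root Login Via SSH`, but no `PermitRootLogin no` line is visible in the hunk; if it sits in the elided part, fine, otherwise the step does not do what its title says.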
@@ -293,29 +293,29 @@ The best policy is to keep no logs. If you must keep logs, consider rotating the

EFF's best practices for online service providers https://www.eff.org/files/20040819_OSPBestPractices.pdf.

== Install Tor and Other Software Carefully ==
## Install Tor and Other Software Carefully

Tor, and many other software packages, are released along with digital signatures. These signatures allow you to verify the integrity and authorship of the software. Download the signatures and verify them!

If possible, read and audit the source code to applications you install, including Tor.

== Blocking Bittorrent Activity ==
## Blocking Bittorrent Activity

Bittorrent is a bad thing for Tor, and dealing with abuse complaints can be a headache for the people who run exit nodes. BlockingBittorrent explains how you can block Bittorrent trackers on a Linux environment with a simple one-liner.

== Operating System Paranoia ==
## Operating System Paranoia

Some operating systems come in "high security" flavors, such as [http://www.nsa.gov/selinux/ Security Enhanced Linux], [http://www.trustedbsd.org/ TrustedBSD] and [http://www.openbsd.org OpenBSD]. These systems offer advanced security mechanisms such as mandatory access control (MAC), application sandboxing, resource management knobs, and so on. Consider using them if they exist on your system and would help.
Some operating systems come in "high security" flavors, such as [Security Enhanced Linux](http://www.nsa.gov/selinux/), [TrustedBSD](http://www.trustedbsd.org/) and [OpenBSD](http://www.openbsd.org). These systems offer advanced security mechanisms such as mandatory access control (MAC), application sandboxing, resource management knobs, and so on. Consider using them if they exist on your system and would help.

== Run Tor and Other Services in a Restricted Environment ==
## Run Tor and Other Services in a Restricted Environment

See Steven J Murdoch's guide to [wiki:doc/TorInChroot running Tor in a chroot] and/or [wiki:doc/OpenbsdChrootedTor running Tor in an OpenBSD chroot].
See Steven J Murdoch's guide to [running Tor in a chroot](./doc/TorInChroot) and/or [running Tor in an OpenBSD chroot](./doc/OpenbsdChrootedTor).

Chroot is a good jail for root privilege processes only on FreeBSD 4.x or newer. On other platforms, chroot is a [http://www.bpfh.net/simes/computing/chroot-break.html corruptible jail] ! For those not reading this link, you need to know that the corruption works with a hole in tor, and a hole in the platform to get root privileges. If you do not run Tor as root, nor provide any suid executables within the chroot environment you are not at risk.
Chroot is a good jail for root privilege processes only on FreeBSD 4.x or newer. On other platforms, chroot is a [corruptible jail](http://www.bpfh.net/simes/computing/chroot-break.html) ! For those not reading this link, you need to know that the corruption works with a hole in tor, and a hole in the platform to get root privileges. If you do not run Tor as root, nor provide any suid executables within the chroot environment you are not at risk.

'''Run Tor with Systrace in OpenBSD'''
**Run Tor with Systrace in OpenBSD**

You can use this with or without chrooting tor. You can use this with other operating systems that systrace supports such as GNU/Linux. You will probably have to change some of the file locations.

Running 'systrace -A tor' will generate a default policy for you (note: this provides no protection at this point). After you have a generated policy, you can use this one below to refine it. After you have it configured for your system, then when you run systrace with -a it will enforce the policy which provides protection.

{{{
```
Policy: /bin/tor, Emulation: native
native-__sysctl: permit
native-break: permit
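Review bot: the `[wiki:doc/TorInChroot ...]` and `[wiki:doc/OpenbsdChrootedTor ...]` links become the relative targets `./doc/TorInChroot` and `./doc/OpenbsdChrootedTor`, which resolve against this page's own directory rather than the wiki root and so only work if the converted page sits at the top level; check where it lands and use a root-relative path if not. Two smaller points in the same hunk: `corruptible jail] !` keeps a space before the exclamation mark, and the systrace header `Policy: /bin/tor` only matches where the prose above says locations may need changing (an OpenBSD package installs tor under `/usr/local/bin`), so the example should either use that path or flag the header as one of the locations to edit.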
@@ -415,12 +415,12 @@ Policy: /bin/tor, Emulation: native

# Match ports 10000 - 65535
native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit

}}}
```

'''Grsecurity'''
**Grsecurity**

[http://www.grsecurity.net GrSecurity] ACL policy. Tested with the Debian package.
[GrSecurity](http://www.grsecurity.net) ACL policy. Tested with the Debian package.

{{{
```
subject /usr/sbin/tor o {
/ h
/var/lib/tor rwcdl
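Review bot: the comment `# Match ports 10000 - 65535` does not describe the regex `"inet-.*:[1-9][0-9]{4}$"`, which accepts any five-digit number from 10000 to 99999; harmless for TCP ports, which cannot exceed 65535, but either say so in the comment or tighten the pattern. In the grsecurity block, `/ h` hides the whole filesystem from the subject and `/var/lib/tor rwcdl` re-exposes only the data directory; no read rule for the tor binary, its configuration under `/etc/tor`, or the shared libraries is visible, so unless they are in the elided lines tor cannot even read its torrc under this policy.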
@@ -440,23 +440,23 @@ subject /usr/sbin/tor o {

connect 0.0.0.0/0:443 stream tcp
bind 127.0.0.1:9050 stream tcp
}
}}}
```

'''DropMyRights for Windows XP and Windows Server 2003 '''
**DropMyRights for Windows XP and Windows Server 2003 **

See [http://msdn.microsoft.com/en-us/library/ms972827.aspx Browsing the Web and Reading E-mail Safely as an Administrator]
See [Browsing the Web and Reading E-mail Safely as an Administrator](http://msdn.microsoft.com/en-us/library/ms972827.aspx)

"Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context."

{{{
```
TODO: discuss chroot, jail, systrace
}}}
```

== Other Resources ==
## Other Resources

* http://www.cert.org/security-improvement/
* http://www.debian.org/doc/manuals/securing-debian-howto/
* http://www.gentoo.org/proj/en/hardened/index.xml
* http://geodsoft.com/howto/harden/
* http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

== Credits ==
## Credits

* First version by Chris Palmer based on IRC conversation with Roger Dingledine.
* Wikified and mildly edited by Nick Mathewson.
\ No newline at end of file
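Review bot: the visible `connect 0.0.0.0/0:443 stream tcp` and `bind 127.0.0.1:9050 stream tcp` rules describe a Tor client (SOCKS on 9050, outbound to port 443 only); a relay must bind its ORPort and connect to other relays on arbitrary ports, so unless the elided lines add those rules the block should be labelled a client policy rather than presented under a server-hardening heading. Conversion problem: `**DropMyRights for Windows XP and Windows Server 2003 **` keeps the trailing space inside the closing `**`, so Markdown will not render the bold; drop the space. The final credits line has no trailing newline (the `\ No newline at end of file` marker), which will show up as a spurious whole-line change in the next edit; end the file with a newline.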