Re: [tor-bugs] #30445 [Community/Relays]: some suggestions to the tor relay guide

2019-11-08 Thread Tor Bug Tracker & Wiki
#30445: some suggestions to the tor relay guide
------------------------------+-----------------------------
 Reporter:  caioau            |  Owner:  Nusenu
     Type:  enhancement       |  Status:  closed
 Priority:  Medium            |  Milestone:
Component:  Community/Relays  |  Version:
 Severity:  Normal            |  Resolution:  user disappeared
 Keywords:                    |  Actual Points:
Parent ID:                    |  Points:
 Reviewer:                    |  Sponsor:
------------------------------+-----------------------------
Changes (by nusenu):

 * status:  new => closed
 * resolution:   => user disappeared


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30445 [Community/Relays]: some suggestions to the tor relay guide

2019-05-30 Thread Tor Bug Tracker & Wiki
#30445: some suggestions to the tor relay guide
------------------------------+-----------------------------
 Reporter:  caioau            |  Owner:  Nusenu
     Type:  enhancement       |  Status:  new
 Priority:  Medium            |  Milestone:
Component:  Community/Relays  |  Version:
 Severity:  Normal            |  Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |  Points:
 Reviewer:                    |  Sponsor:
------------------------------+-----------------------------

Comment (by nusenu):

 Thanks for this suggestion, but it is a bit outside the scope of the relay
 guide.


[tor-bugs] #30445 [Community/Relays]: some suggestions to the tor relay guide

2019-05-08 Thread Tor Bug Tracker & Wiki
#30445: some suggestions to the tor relay guide
-----------------------------+------------------------------
 Reporter:  caioau           |  Owner:  Nusenu
     Type:  enhancement      |  Status:  new
 Priority:  Medium           |  Component:  Community/Relays
  Version:                   |  Severity:  Normal
 Keywords:                   |  Actual Points:
Parent ID:                   |  Points:
 Reviewer:                   |  Sponsor:
-----------------------------+------------------------------
 Hello, I have some suggestions, which I applied on my relays, to be listed in
 the relay guide. They are:

 1. create a non-root user and add that user to the sudo group: root access
 should be disabled from ssh, so we need to create another user, then set
 PermitRootLogin no in the sshd_config

 2. ssh hardening
 2.1 get new ssh host keys:

 delete the old keys (we cannot be sure whether new keys were generated, so
 it's good to generate new keys)

 {{{
 sudo -s
 cd /etc/ssh
 # remove the host keys that shipped with the image
 rm ssh_host_*
 # generate fresh host keys: 4096-bit RSA and ed25519
 ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key
 ssh-keygen -t ed25519 -f ssh_host_ed25519_key
 }}}

 2.2 disable insecure ssh ciphers: openssh uses some insecure ciphers, see
 https://stribika.github.io/2015/01/04/secure-secure-shell.html

 just put the following lines in the sshd_config

 {{{
 HostKeyAlgorithms ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-ed25519,ssh-rsa
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com
 }}}

 2.3 disable password authentication and only use public key
 authentication:

 on your machine run:

 {{{
 ssh-keygen -t ed25519 -o -a 300 -f ~/.ssh/key
 }}}

 then copy it to the server:

 {{{
 ssh-copy-id -i ~/.ssh/key user@server
 }}}

 then try logging in with the key (-i points to the key file)

 then make sure that the sshd_config has these settings:

 {{{
 PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 }}}

 2.4 (optional) change the default port: there are a lot of bots trying to
 get in, so changing the port makes sense to make their job more difficult

 run this to get a random port number:

 {{{
 python -c 'from random import SystemRandom as r; print(r().randint(49152,65535))'
 }}}

 then change the Port setting in the sshd_config accordingly

 2.5 limit brute force: you can use fail2ban, but I find it simpler to use
 ufw and, instead of allowing ssh, use the limit rule.

 3.1 enable swap: sometimes when Linux is out of memory it kills the tor
 process, so creating swap prevents that, or even better, use zram.

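The sshd_config settings from steps 1 and 2.3 above, checked by a small audit script. This is an added example, not code from the ticket or from the relay guide; it assumes only POSIX sh and awk, and the two sample configs it writes are constructed for the demonstration.

```shell
# Audit an sshd_config against the settings the ticket recommends:
# PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes,
# PermitEmptyPasswords no, and a non-default Port. Sample configs are constructed.

# Effective value of a directive: sshd uses the first uncommented occurrence,
# and anything after a "Match" line is conditional, so stop there.
sshd_directive() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# Return 0 when every recommendation is met, else print one FINDING per deviation
# and return 1. An unset directive means the sshd compiled-in default applies,
# which the ticket does not rely on, so it is reported too.
audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(sshd_directive "$cfg" "$key")"
        if [ "$have" != "$want" ]; then
            echo "FINDING: $key is '${have:-unset}', expected '$want'"
            rc=1
        fi
    done
    port="$(sshd_directive "$cfg" Port)"
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "INFO: sshd on default port 22 (step 2.4 is optional)"
    fi
    return "$rc"
}

# Constructed sample: a fresh install before hardening.
write_weak_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'PermitEmptyPasswords no' > "$1"
}

# Constructed sample after the ticket's steps; the Match block re-enables
# passwords for one user only and must not fool the audit.
write_hardened_config() {
    printf '%s\n' 'Port 52341' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        'Match User backup' '    PasswordAuthentication yes' > "$1"
}
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit means at least one of the ticket's settings is missing or weakened.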