On Wed, Jun 18, 2014 at 3:01 AM, Alexander Fortin <[email protected]> wrote:
> On 17. Juni 2014 at 23:56:43, Zack Weinberg ([email protected]) wrote:
>> It would be nice if exit-relay mode enabled an HTTP "exit notice" as
>> described at
>> https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
>
> Point 4 says: "If you run your DirPort on port 80". Should it be enabled only
> when DirPort = 80?

Best practice as I understand it is that you should have an exit notice on all
exit relays. What I'm not sure of is whether "DirPort 80 + DirPortFrontPage" is
the recommended way to accomplish that. The CMU Tor exit uses a separate
lighttpd install, I think primarily because we didn't know about
DirPortFrontPage when we set it up. I can make a case either way - less
software = less attack surface; separate install = compartmentalization.

As long as we're talking about exits, a nice touch would be to include the
reduced exit policy as an option
(https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy); the
ideal would be a three-way choice of not an exit / wide-open exit / reduced
exit (no email or BitTorrent) plus a place to add local exit rules.

>> Tor relays get pounded on by the script kiddies -- a degree of
>> hardening is appropriate. I don't know if there are any stock Puppet
>> "tighten security" modules [...]
>
> I don't know of any such 'security silver bullet module' I am afraid :)

I poked around in the Puppet module archive and found some; I'm not sure how
good they are, though.

> About the security enhancements, they are definitely interesting, but to me
> seems they are out of the scope of the 'install relay' Puppet module itself,
> and also against the usual modular approach of Puppet modules. First, my
> understanding is that having a node with only Tor running is suggested, but
> not mandatory, but in any case, those enhancements are more suitable for a
> separate 'tor-security' like module that one may or may not be interested in.

Yeah, I think if I were building this (regrettably, I don't have time to help
more than I already have) there would be a "just install the software with
configuration X" module, and then a "image this entire machine as a Tor relay"
module that set up everything one might want.

zw
_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
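The three-way exit choice plus local rules and the DirPort/DirPortFrontPage exit notice that the message sketches, written up as an added Puppet example (not code from the thread or from any existing Tor Puppet module). It assumes a class name tor::exit, a Service['tor'] resource declared elsewhere, a main torrc that contains `%include /etc/tor/torrc.d/`, and an abbreviated stand-in for the wiki's reduced exit policy.

```puppet
# Added example: parameterised exit-relay policy for a Tor Puppet module.
# Assumes Tor itself is installed and Service['tor'] is declared elsewhere.
class tor::exit (
  Enum['none', 'open', 'reduced'] $exit_mode   = 'none',
  Array[String]                   $local_rules = [],   # e.g. ['reject 10.0.0.0/8:*']
  Optional[String]                $front_page  = undef, # path to exit-notice HTML
  Integer[1, 65535]               $dir_port    = 80,
) {
  # Abbreviated stand-in for the ReducedExitPolicy wiki page linked in the
  # thread: web plus encrypted mail retrieval, no SMTP, no BitTorrent ports.
  # Copy the real list from the wiki before using this in production.
  $reduced = [
    'accept *:80',
    'accept *:443',
    'accept *:993',
    'accept *:995',
    'reject *:*',
  ]

  $policy = $exit_mode ? {
    'none'    => ['reject *:*'],
    'open'    => [],        # no ExitPolicy line, so Tor's default policy applies
    'reduced' => $reduced,
  }

  # Local rules go first: Tor evaluates ExitPolicy entries in order and the
  # first match wins, so operators can carve exceptions out of either policy.
  $rules = ($local_rules + $policy).map |$r| { "ExitPolicy ${r}" }

  # Exit notice served by Tor itself on the DirPort (the "DirPort 80 +
  # DirPortFrontPage" approach discussed in the thread). Binding port 80
  # requires Tor to start with the privilege to bind a low port.
  $notice = $front_page ? {
    undef   => [],
    default => ["DirPort ${dir_port}", "DirPortFrontPage ${front_page}"],
  }

  # Assumed layout: the main torrc has '%include /etc/tor/torrc.d/'.
  file { '/etc/tor/torrc.d/50-exit.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => join($rules + $notice + [''], "\n"),
    notify  => Service['tor'],
  }
}
```

Declaring `class { 'tor::exit': exit_mode => 'reduced', front_page => '/etc/tor/exit-notice.html' }` yields a fragment with the reduced ExitPolicy lines followed by `DirPort 80` and `DirPortFrontPage /etc/tor/exit-notice.html`.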
