remove outdated tor relay security recommendations and update these wiki pages
While working on #24497 (moved) I wanted to link to existing security related recommendations and found:
https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity
IMHO these are severely outdated and give bad advises.
I'm proposing to remove some outdated content and if no one disagrees I'll proceed soon. I'll send email to tor-dev about this.
Activity
Maybe check those old pages for any salvageable info, then add it to the relays ops wiki, then remove the old pages? Here's the relay ops wiki: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide
Replying to alison:
Can do, and thanks for the reminder on this ticket! I'll add this to my todo list.
Replying to alison:
Maybe check those old pages for any salvageable info, then add it to the relays ops wiki, then remove the old pages? Here's the relay ops wiki: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide
I'd prefer if a security section would be on a separate page since the relay guide is already a long and ugly single-pager.
And I'm happy to review security recommendations.
-
Update: Looked over the pages and pulled out what I thought were relevant points, then rewrote the sections. Published it on https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/Security , a review would be greatly appreciated. :)
-
The idea is that the page can be used as a general overview of topics relating to relay security. As it stands it only features the valuable information that was extracted from the pages that this ticket notes, though I imagine there are likely things located in the wiki / the main doc which might find a suitable home there.
I understand it can quickly become a mess if it goes into OS specifics for every suggestion added, and things like the iptables config are already located elsewhere on the wiki. If there's another way you'd like to see it done I'm open to suggestions.
I'd propose:
-
lets limit the scope to tor in relay mode only (tor clients or tor onion services are not covered) - this is somewhat obvious since the page lifes under /TorRelayGuide
-
title "Tor Relay Security Best Practices"
-
have a (small) generic/high level section that applies to all platforms (because we can not cover every possible OS)
- this section will not include step-by-step instructions since it is OS independent
- the physical security section
- OS (hardware vs. virtual, OS level access authentication, pointer to auto-updates)
-
have a (bigger) section for tor
- primarily focuses on the tor daemon itself and its security relevant settings and recommendations
-
convey the order in which different options are preferred (example: bare metal installations are considered better than VPS installation)
-
consider the current installation steps as a baseline and tell people what they could do on top of that if they want to do better than that
-
include no-go's
-
avoid conflicting statements regarding disk encryption
-
maybe have something like levels
-
basic (default install as described per the guide + auto updates)
-
intermediate
-
high (runs on hardware, 2FA, offline master keys with signing key lifetime < 30day)
-
lets remove the following sections:
-
"Tor-only firewalling with iptables" (because we cover it generically for all platforms in the generic section)
-
Coldboot attacks (due to new offline master key section that mitigates this attack vector)
-
Replace section "Restricting SSH access" with a recommendation to use strong authentication (part of the generic section)
-
