Opened 5 months ago

Last modified 4 months ago

#30445 new enhancement

some suggestions to the tor relay guide

Reported by: caioau
Owned by: Nusenu
Priority: Medium
Milestone:
Component: Community/Relays
Version:
Severity: Normal
Keywords:
Cc: nusenu, ggus
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hello, I have some suggestions, which I applied on my relays, to be listed in the relay guide. They are:

  1. create a non-root user and add that user to the sudo group: root access should be disabled from ssh, so we need to create another user, then set PermitRootLogin no in the sshd_config
  2. ssh hardening

2.1 get new ssh host keys:

delete the old keys (we cannot be sure if new keys were generated, so it's good to generate new keys)

sudo -s
cd /etc/ssh
# remove the host keys that came with the image
rm ssh_host_*
# host keys must have an empty passphrase (-N ""), otherwise sshd cannot load them
ssh-keygen -t rsa -b 4096 -N "" -f ssh_host_rsa_key
ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key

2.2 disable insecure ssh ciphers: openssh uses some insecure ciphers, see https://stribika.github.io/2015/01/04/secure-secure-shell.html

just put the following lines in the sshd_config

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

2.3 disable password authentication and only use public key authentication:

on your machine run:

ssh-keygen -t ed25519 -o -a 300 -f ~/.ssh/key

then copy to the server:

ssh-copy-id -i ~/.ssh/key user@server

then try logging in with the key (-i points to the key file)

then make sure that the sshd_config has these settings:

PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

2.4 (optional) change the default port: there are a lot of bots trying to get in, so changing the port makes sense to make their job more difficult

to get a random port number, run:

python -c 'from random import SystemRandom as r; print(r().randint(49152,65535))'

then change it in the Port setting in the sshd_config

2.5 limit brute force: you can use fail2ban, but I find it simpler to use ufw and, instead of allowing ssh, use the limit.

3.1 enable swap: sometimes when linux is out of memory it kills the tor process, so creating swap prevents that, or even better use zram.
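Steps 1 and 2.2 to 2.4 above are all edits to sshd_config, so here is one shell example that applies and checks them together. It is an added example, not code from the ticket or from the Tor relay guide; the function names (`get_sshd_option`, `set_sshd_option`, `audit_sshd_config`, `harden_sshd_config`, `random_ssh_port`) are made up here, the config path is whatever file you pass in, and the sample config in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the ticket or the relay guide): apply the sshd_config
# settings from steps 1 and 2.2-2.4 to a file given as argument, and audit a
# config for the settings the ticket asks for. Function names are hypothetical.

# Effective value of KEY in FILE. Like sshd, the first uncommented occurrence
# wins; only the "Key value" form is handled, not "Key=value".
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Replace every occurrence of KEY in FILE (commented out or not) with
# "KEY VALUE", appending it if the directive was not present at all.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    grep -i -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Report directives whose effective value differs from the hardened one.
# Missing directives are reported too, so that the hardened value ends up
# written explicitly instead of relying on the compiled-in default.
# Returns 0 when nothing is found, 1 otherwise.
audit_sshd_config() {
    file=$1 rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no PubkeyAuthentication=yes; do
        key=${pair%%=*} want=${pair#*=}
        have=$(get_sshd_option "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "WEAK: $key is '${have:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Steps 1, 2.2 and 2.3 of the ticket, written into FILE.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" HostKeyAlgorithms \
        ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
    set_sshd_option "$file" KexAlgorithms \
        curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    set_sshd_option "$file" Ciphers \
        chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    set_sshd_option "$file" MACs \
        hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}

# Step 2.4: a port from the dynamic range 49152-65535, drawn from /dev/urandom.
# 65536 is a multiple of 16384, so the modulo introduces no bias.
random_ssh_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $((49152 + n % 16384))
}

# Demo on a constructed config. On a live /etc/ssh/sshd_config, run "sshd -t"
# afterwards and keep an existing session open while sshd restarts.
demo() {
    cfg=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' \
        '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' > "$cfg"
    audit_sshd_config "$cfg"            # prints the WEAK lines
    harden_sshd_config "$cfg"
    audit_sshd_config "$cfg" && echo "hardened: $cfg"
    echo "suggested port: $(random_ssh_port)"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh harden.sh demo` to see the audit before and after on the sample file. Directives inside a `Match` block are not understood by these functions, so check those by hand, and keep the `sshd -t` syntax check before restarting sshd.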


Change History (1)

comment:1 Changed 4 months ago by nusenu

Thanks for this suggestion, but it is a bit outside the scope of the relay guide.
