wiki:doc/OperationalSecurity

Version 5 (modified by trac, 9 years ago) (diff)

--

##language:en

How to Run a Secure Tor Server

Encrypt Storage and Swap Space

Make sure that any sensitive files are stored on an encrypted filesystem and that file permissions are set correctly. With a Tor server, the only sensitive information is the server's private key (located in /usr/local/etc/tor/keys on Unix/Linux platforms; readable only by owner).

Additionally, swap space on the machine should be encrypted if your operating system has such an option. On some operating systems, it is possible to have swap space be a file on an encrypted filesystem.

Linux

For 2.4 kernels you either need the loop-AES or the Cryptoloop patch. A forward port of the Cryptoloop patch is available here.

When compiling the kernel include CONFIG_BLK_DEV_CRYPTOLOOP=y and the ciphers you want to support.

Sample script to encrypt swap and /tmp. It encrypts /dev/hda2 (swap) and /dev/hda5 (/tmp) with AES. If you want a more complex setup (random chipers etc) check out EncSwap.

#!/bin/sh
pw(){
         dd if=/dev/urandom bs=1 count=256 2> /dev/null \
                  | head -n 2 | tail -n 1 | tr [+/=] 0-9
}

echo -n "Building encrypted swap-device... "
swapoff /dev/loop1 
losetup -d /dev/loop1 

pw | losetup -e aes -k 256 -p 0 /dev/loop1 /dev/hda2 
mkswap /dev/loop1 
swapon -p 1 /dev/loop1

echo -n "Building encrypted /tmp ... "
umount /dev/loop3 
losetup -d /dev/loop3 

pw | losetup -e aes -k 256 -p 0 /dev/loop3 /dev/hda5 
mkfs -t ext2 /dev/loop3 
mount -o nosuid,nodev -t ext2 /dev/loop3 /tmp 
chmod 1777 /tmp 

More details: Cryptoloop-HOWTO

On Debian, running at least a 2.6.4 kernel, encrypting swap is simple as doing a aptitude/apt-get install cryptsetup. After you compiled support for DM-CRYPT (CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and the ciphers you want to support add the following to /etc/crypttab

# <target device> <source device> <key file> <options>
swap                    /dev/hda2 /dev/urandom swap

where /dec/hda2 is your swap-device. Reboot. You should see something like

Adding 104412k swap on /dev/mapper/swap.  Priority:1 extents:1

/proc/swaps should include

/dev/mapper/swap                        partition       104412  0       1

A quick and dirty script to encrypt /tmp which is located on /dev/hda5 in this example:

#
# dmcrypt /tmp
#
cryptsetup remove tmp 2> /dev/null > /dev/null
echo -n "Encrypting /tmp ..."
cryptsetup -d /dev/urandom create tmp /dev/hda5
mkfs.ext2 /dev/mapper/tmp  2> /dev/null > /dev/null
echo " Done"

OpenBSD

For many releases, it has been very easy to encrypt swap space in OpenBSD.

You can enable it dynamically by setting sysctl -w vm.swapencrypt.enable=1 or editing /etc/sysctl.conf to permanently make the change:

vm.swapencrypt.enable=1        # 1=Encrypt pages that go to swap

Here are instructions on setting up an encrypted virtual filesystem: http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html

Windows

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Shutdown: Clear virtual memory pagefile

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system.

For Windows 95/NT visit http://www.stack.nl/~galactus/remailers/wipeswap.html.

'BestCrypt creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters' BestCrypt

Microsoft resource document for the Encrypted File System (NTFS only)

TODO: Give instructions on setting up encrypted filesystems and swap on
various OSs (hopefully including OS X and Windows).

Follow all Security Updates for Your Operating System

This is probably one of easiest, and most important, things you can do.

Also, if your operating system has support for signed updates, you should make sure that you enable it.

Physical Security

Make sure that the machine running your Tor server is physically secure. If it is in a cabinet or rack in a colocation facility, make sure the door(s) is/are locked. If it is in a machine room in your office, make sure the do to the machine room is locked.

Additionally, make sure your backup media are physically secure. For example, you might keep backup tapes in a safe deposit box at your bank.

Eliminate All Unnecessary Services and User Accounts

Ensure that your Tor server is not running any unnecessary services. Many (well, most) operating systems come out of the box with extraneous services running by default. Turn them off. Ideally, your Tor server would run on a dedicated machine with no user accounts and no services other than Tor itself.

If you must run other services, lock them down to the extent possible. For example, you can set OpenSSH to allow only certain user accounts to connect, or you can firewall your system such that only certain IP addresses are allowed to connect to the SSH service on your server. The same applies for most HTTP servers.

Reliability

Make sure your Tor server has good, battery-backed power and reliable network connectivity. Make sure to use stable operating system software and good quality hardware, so that the system does not suffer from undue crashes or other failures.

Minimize Data Retention

Audit your server's logging configuration and reduce the amount of information logged as much as possible. Set your log rotation software to delete logs after as short a time as you can manage.

If possible, keep no logs.

EFF's best practices for online service providers pdf.

Install Tor and Other Software Carefully

Tor, and many other software packages, are released along with digital signatures. These signatures allow you to verify the integrity and authorship of the software. Download the signatures and verify them!

If possible, read and audit the source code to applications you install, including Tor.

Operating System Paranoia

Some operating systems come in "high security" flavors, such as Security Enhanced Linux, TrustedBSD and OpenBSD. These systems offer advanced security mechanisms such as mandatory access control (MAC), application sandboxing, resource management knobs, and so on. Consider using them if they exist on your system and would help.

Run Tor and Other Services in a Restricted Environment

See Steven J Murdoch's guide to [:TheOnionRouter/TorInChroot: running Tor in a chroot] and/or [:TheOnionRouter/OpenbsdChrootedTor: running Tor in an OpenBSD chroot].

Grsecurity

GrSecurity ACL policy. Tested with the Debian package.

subject /usr/sbin/tor o {
        /                               h
        /var/lib/tor                    rwcdl   
        /lib                            rx      
        /usr/lib                        rx      
        /dev/null                       rw      
        /etc/tor                        r       
        /var/log/tor                    rw      
        /var/run/tor                    rwcdl   
        -CAP_ALL
} 
TODO: discuss chroot, jail, systrace

Other Resources

Securing Debian HOWTO

Hardened Gentoo

Harden OpenBSD

TODO: Links to other "how to lock down a server" documents.

Credits

  • First version by Chris Palmer based on IRC conversation with Roger Dingledine.
  • Wikified and mildly edited by Nick Mathewson.