wiki:doc/OperationalSecurity

Version 81 (modified by cypherpunks, 22 months ago) (diff)

add warning: This page contains outdated information.

Table of Contents

  1. Encrypt Storage and Swap Space
  2. Follow all Security Updates for Your Operating System
  3. Physical Security
  4. Eliminate All Unnecessary Services and User Accounts
  5. Restrict SSH Access
  6. Reliability
  7. Minimize Data Retention
  8. Install Tor and Other Software Carefully
  9. Blocking Bittorrent Activity
  10. Operating System Paranoia
  11. Run Tor and Other Services in a Restricted Environment
  12. Other Resources
  13. Credits

Warning: This page contains outdated information and has not been maintained in the recent past.

How to Run a Secure Tor Server

Encrypt Storage and Swap Space

Make sure that any sensitive files are stored on an encrypted filesystem and that file permissions are set correctly. With a Tor server, the only sensitive information is the server's private key (located in /usr/local/etc/tor/keys on Unix/Linux platforms; readable only by owner).

Additionally, swap space on the machine should be encrypted if your operating system has such an option. On some operating systems, it is possible to have swap space be a file on an encrypted filesystem.

Linux

2.6+ kernels

On Debian, running at least a 2.6.4 kernel, you can encrypt swap using the cryptsetup package.

Install cryptsetup: 

apt-get install cryptsetup

Assuming your swap partition is /dev/xvdb, first you need to disable swap and zero out the partition: 

swapoff /dev/xvdb
dd if=/dev/zero of=/dev/xvdb

Add the following to /etc/crypttab: 

swap /dev/xvdb /dev/random swap

Activate the mapping: 

service cryptdisks restart

Update your swap's /etc/fstab entry to point to the encrypted swap device: 

/dev/mapper/swap none swap defaults 0 0

Activate your encrypted swap: 

swapon /dev/xvdb

2.4 kernels

For 2.4 kernels you either need the loop-AES or the Cryptoloop patch. A forward port of the Cryptoloop patch is available here.

When compiling the kernel for cryptoloop include CONFIG_BLK_DEV_CRYPTOLOOP=y and the ciphers you want to support. For loop-aes only CONFIG_BLK_DEV_LOOP=y is necessary once the kernel has been patched.

Loop-AES on systems with VIA Padlock can use the hardware AES acceleration by building with the following arguments: 

make PADLOCK=y KEYSCRUB=y

Sample script to encrypt swap and /tmp. It encrypts /dev/hda2 (swap) and /dev/hda5 (/tmp) with AES. If you want a more complex setup (random ciphers etc) check out EncSwap. 

#!/bin/sh
pw(){
         dd if=/dev/urandom bs=1 count=256 2> /dev/null \
                  | head -n 2 | tail -n 1 | tr [+/=] 0-9
}

echo -n "Building encrypted swap-device... "
swapoff /dev/loop1
losetup -d /dev/loop1

pw | losetup -e aes -k 256 -p 0 /dev/loop1 /dev/hda2
mkswap /dev/loop1
swapon -p 1 /dev/loop1

echo -n "Building encrypted /tmp ... "
umount /dev/loop3
losetup -d /dev/loop3

pw | losetup -e aes -k 256 -p 0 /dev/loop3 /dev/hda5
mkfs -t ext2 /dev/loop3
mount -o nosuid,nodev -t ext2 /dev/loop3 /tmp
chmod 1777 /tmp

More details: Cryptoloop-HOWTO

After you compiled support for DM-CRYPT (Under Device Drivers---> Multi-Device Support (RAID and LVM)---> CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and the ciphers you want to support add the following to /etc/crypttab 

# <target device> <source device> <key file> <options>
swap                    /dev/hda2 /dev/urandom swap
tmp                     /dev/hda5 /dev/urandom tmp

where /dec/hda2 is your swap-device and /dev/hda5 is /tmp.

Your fstab should look like this: 

/dev/mapper/tmp /tmp            ext2    defaults        0       2
/dev/mapper/swap none           swap    sw              0       0

Note ext2 on /tmp.

Reboot. You should see something like 

Adding 104412k swap on /dev/mapper/swap.  Priority:1 extents:1

/proc/swaps should include 

/dev/mapper/swap                        partition       104412  0       1

Verify with dmsetup table --showkeys 

tmp: 0 979902 crypt aes-cbc-plain 9840530abe44eb49826aaaaaaaa4809e688a01f6a1c1cebc6caaaa6b2a4ad97d4 0 3:5 0
swap: 0 1959930 crypt aes-cbc-plain 3c2bbd7e5e500bca957a8dcb88754aaaaaa34986541aeaaafe3daa1542c3389e9 0 3:2 0

FreeBSD

Swap encryption has been possible with FreeBSD since 5.3-RELEASE.

Information on how to configure it can be found in the FreeBSD handbook: Encrypting Swap Space with FreeBSD

Information on how to encrypt other disk partitions can be found here: Encrypting Disk Partitions with FreeBSD

OpenBSD

For many releases, it has been very easy to encrypt swap space in OpenBSD.

You can enable it dynamically by setting sysctl -w vm.swapencrypt.enable=1 or editing /etc/sysctl.conf to permanently make the change: 

vm.swapencrypt.enable=1    # 1=Encrypt pages that go to swap

Here are instructions on setting up an encrypted virtual filesystem: http://www.backwatcher.org/writing/howtos/obsd-encrypted-filesystem.html

In addition to encrypted filesystems, keeping temporary files in a memory file system is an option. This means you're using system memory as a hard drive and when the partition is unmounted the files stored are lost.

Adding the following to /etc/fstab, where /dev/wd0b is your swap, creates two 74M MFS partitions for /tmp and /var/tmp: 

/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=153600 0 0
/dev/wd0b /var/tmp mfs rw,nodev,nosuid,-s=153600 0 0

Windows 

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Shutdown: Clear virtual memory pagefile

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on a portable computer system.

For Windows 95/NT visit http://www.stack.nl/~galactus/remailers/wipeswap.html.

For Windows 2000/2003/XP and the 64bit versions of these (running FAT/FAT32/NFTS): The open source project TrueCrypt with its extensions TCGINA and TCTEMP allows transparent encryption with e.g. AES, Twofish, Blowfish of Windows' temporary files directory, user profiles and general data containers. Therefore with TrueCrypt/TCGINA/TCTEMP you will be able to ensure that any sensitive files (including the server's private key and swap space) are stored inside encrypted containers as recommended above. A step by step explanation how to install and set this up can can be found http://sjspublications.supersized.org/archives/1-Use-Truecrypt-to-Make-Your-Windows-TORServer-Safer.html.

BestCrypt is similar to TrueCrypt but does not offer as many features. BestCrypt also creates and supports encrypted virtual disks, which are visible as regular disks with corresponding drive letters.

Microsoft resource document for the Encrypted File System (NTFS only)

To use EFS built into Windows XP Professional, browse to Documents and settings\<username>\Application Data and right click on the Tor directory and select Properties. In the general tab click on the Advanced tab and tick the "Encrypt contents to secure data" See the Microsoft resource document above for me details. 

TODO: Give instructions on setting up encrypted filesystems and swap on
various OSs (hopefully including OS X).

OS X Instructions (Tiger)

1.Turning Encrypted Swap On *Apple Menu -> System Preferences -> Security *Check the 2nd last box "Use secure virtual memory" *Close System Preferences

2.Creating an Encrypted Filesystem *Finder -> Applications -> Utilities -> Disk Utility *Click "New Image" *Choose an appropriate location, name and size for the Image *Change the default encryption field from "none" to "AES-128" *Click on the "Create" button *Close Disk Utility after the image has been created

  • Drag-and-drop the files you want encrypted into the newly created image

Follow all Security Updates for Your Operating System

This is probably one of easiest, and most important, things you can do.

Also, if your operating system has support for signed updates, you should make sure that you enable it.

Physical Security

Make sure that the machine running your Tor server is physically secure. If it is in a cabinet or rack in a colocation facility, make sure the door(s) is/are locked. If it is in a machine room in your office, make sure the door to the machine room is locked.

Keep in mind that DDR memory chips can retain its contents for one or two minutes if they are freezed immediately after powering off. The best solution is to wipe whole memory contents during shutdown to avoid revealing passwords that are stored in plain text in memory. You can also prevent the attacker to boot quickly your machine by locking USB ports and removing CD drive from machine.

Additionally, make sure your backup media are physically secure. For example, you might keep backup tapes in a safe deposit box at your bank.

Eliminate All Unnecessary Services and User Accounts

Ensure that your Tor server is not running any unnecessary services. Many (well, most) operating systems come out of the box with extraneous services running by default. Turn them off. Ideally, your Tor server would run on a dedicated machine with no user accounts and no services other than Tor itself.

If you must run other services, lock them down to the extent possible. For example, you can set OpenSSH to only allow certain user accounts to connect with the AllowUsers option, or you can firewall your system such that only certain IP addresses are allowed to connect to the SSH service on your server. The same applies for most HTTP servers.

Restrict SSH Access

Restrict/harden SSH access by:

*Dropping weak and/or tainted key algorithms (re: Anything with "DSA" in the name) in favor of 4096-bit RSA keys or Ed25519.

*Enforcing forward secrecy on the key exchange.

  1. First we need to open the ssh_config file. 
    sudo nano /etc/ssh/ssh_config

The changes below need to be made. 

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    UseRoaming no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr    
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Save and close the file and move to step 2.

  1. Disable Root Login Via SSH. 
    sudo nano /etc/ssh/sshd_config

Now the contents of your sshd_config can be replaced with the code below. 

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
Hostkey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

Now save and close the file and your finished.

Reliability

Make sure your Tor server has good, battery-backed power and reliable network connectivity. Make sure to use stable operating system software and good quality hardware, so that the system does not suffer from undue crashes or other failures.

Minimize Data Retention

Audit your server's logging configuration and reduce the amount of information logged as much as possible. Set your log rotation software to delete logs after as short a time as you can manage.

Remember, you can recover deleted files as long as the space has not been overwritten. With mildly expensive computer forensics, you can recover even multiple pass overwrites.

The best policy is to keep no logs. If you must keep logs, consider rotating them and purging the old logs with an overwrite scheme such as Peter Gutmann's 35 pass overwrite using special patterns.

EFF's best practices for online service providers https://www.eff.org/files/20040819_OSPBestPractices.pdf.

Install Tor and Other Software Carefully

Tor, and many other software packages, are released along with digital signatures. These signatures allow you to verify the integrity and authorship of the software. Download the signatures and verify them!

If possible, read and audit the source code to applications you install, including Tor.

Blocking Bittorrent Activity

Bittorrent is a bad thing for Tor, and dealing with abuse complaints can be a headache for the people who run exit nodes. BlockingBittorrent explains how you can block Bittorrent trackers on a Linux environment with a simple one-liner.

Operating System Paranoia

Some operating systems come in "high security" flavors, such as Security Enhanced Linux, TrustedBSD and OpenBSD. These systems offer advanced security mechanisms such as mandatory access control (MAC), application sandboxing, resource management knobs, and so on. Consider using them if they exist on your system and would help.

Run Tor and Other Services in a Restricted Environment

See Steven J Murdoch's guide to running Tor in a chroot and/or running Tor in an OpenBSD chroot.

Chroot is a good jail for root privilege processes only on FreeBSD 4.x or newer. On other platforms, chroot is a corruptible jail ! For those not reading this link, you need to know that the corruption works with a hole in tor, and a hole in the platform to get root privileges. If you do not run Tor as root, nor provide any suid executables within the chroot environment you are not at risk.

Run Tor with Systrace in OpenBSD

You can use this with or without chrooting tor. You can use this with other operating systems that systrace supports such as GNU/Linux. You will probably have to change some of the file locations.

Running 'systrace -A tor' will generate a default policy for you (note: this provides no protection at this point). After you have a generated policy, you can use this one below to refine it. After you have it configured for your system, then when you run systrace with -a it will enforce the policy which provides protection. 

Policy: /bin/tor, Emulation: native
        native-__sysctl: permit
        native-break: permit
# Memory
        native-mmap: permit
        native-mprotect: permit
        native-mquery: permit
        native-munmap: permit
# Files
        native-chdir: filename eq "/var/lib/tor" then permit
        native-close: permit
        native-dup2: permit
        native-fcntl: permit
        native-fstat: permit
        native-getdirentries: permit
        native-ioctl: permit
        native-lseek: permit
        native-pread: permit
        native-read: permit
        native-write: permit
# File reads
        native-fsread: filename match "/<non-existent filename>: *" then deny
        native-fsread: filename eq "/dev/crypto" then permit
        native-fsread: filename eq "/dev/null" then permit
        native-fsread: filename eq "/dev/srandom" then permit
        native-fsread: filename eq "/etc/group" then permit
        native-fsread: filename eq "/etc/pwd.db" then permit
        native-fsread: filename eq "/etc/spwd.db" then permit
        native-fsread: filename eq "/etc/tor/torrc" then permit
        native-fsread: filename eq "/etc/malloc.conf" then permit
        native-fsread: filename eq "/etc/localtime" then permit
        native-fsread: filename eq "/usr/lib" then permit
        native-fsread: filename match "/usr/lib/libc.so*" then permit
        native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
        native-fsread: filename match "/usr/lib/libssl.so*" then permit
        native-fsread: filename match "/usr/lib/libz.so*" then permit
        native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
        native-fsread: filename match "/usr/share/zoneinfo/*" then permit
        native-fsread: filename eq "/var/lib/tor" then permit
        native-fsread: filename match "/var/lib/tor/*" then permit
        native-fsread: filename eq "/var/log/tor" then permit
        native-fsread: filename match "/var/log/tor/*" then permit
# Time
        native-gettimeofday: permit
# User ID and group ID.  Change these as needed.
        native-getuid: permit
        native-setgid: gid eq "1001" then permit
        native-setuid: uid eq "1001" and uname eq "_tor" then permit
# Resource limits
        native-getrlimit: permit
        native-setrlimit: permit
# Process
        native-exit: permit
        native-fork: permit
        native-pipe: permit
# Permission bits
        native-getpid: permit
        native-geteuid: permit
        native-issetugid: permit
        native-setsid: permit
# Signals
        native-sigaction: permit
        native-sigprocmask: permit
        native-sigreturn: permit
# File writes
        native-fswrite: filename match "/<non-existent filename>: *" then deny
        native-fswrite: filename eq "/dev/crypto" then permit
        native-fswrite: filename eq "/dev/null" then permit
        native-fswrite: filename match "/var/log/tor/*" then permit
        native-fswrite: filename match "/var/lib/tor/*" then permit
        native-rename: filename match "/var/lib/tor/cached-directory*" and filename[1] match "/var/lib/tor/cached-directory*" then permit
# Networking
        native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
        native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
        native-setsockopt: permit
        native-listen: permit
        native-poll: permit
        native-getsockopt: permit
        native-accept: permit
        native-recvfrom: permit
        native-sendto: true then permit
# Without socketpair, you cannot access Tor hidden services.
        native-socketpair: permit
# List of ports to connect to.  These are needed for the server list and potentially
# using a tor server.
        native-connect: sockaddr match "inet-*:80" then permit
        native-connect: sockaddr match "inet-*:443" then permit
# Typically, tor servers are in the range of 8,000 - 10,000.  This below lets tor
# connect to any unpriv port.
# Match ports 1024 through 1999
        native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
        native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
        native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit
# Match 2000 - 9999
        native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit
# Match ports 10000 - 65535
        native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit

Grsecurity

GrSecurity ACL policy. Tested with the Debian package. 

subject /usr/sbin/tor o {
        /                               h
        /var/lib/tor                    rwcdl
        /lib                            rx
        /usr/lib                        rx
        /dev/urandom                    r
        /dev/null                       rw
        /etc/tor                        r
        /var/log/tor                    rw
        /var/run/tor                    rwcdl

        -CAP_ALL

        connect 127.0.0.1:9050 stream tcp
        # Not very good, but since servers listen on different ports...
        connect 0.0.0.0/0:9001-9100 stream tcp
        connect 0.0.0.0/0:443 stream tcp
        bind    127.0.0.1:9050 stream tcp
}

DropMyRights for Windows XP and Windows Server 2003

See Browsing the Web and Reading E-mail Safely as an Administrator

"Windows XP and Windows Server 2003 and later support functionality called Software Restriction Policy, also known as SAFER, which allows a user or software developer to run code at a lower privilege without having the user enter credential information when the application starts. For example, an administrator could run an application as a normal user by stripping out certain SIDs and privileges from the application's token as the application is launched. Some applications, most notably Internet-facing applications, such as a Web browser, instant messaging, or e-mail client, should never be run under an administrative context." 

TODO: discuss chroot, jail, systrace

Other Resources

Credits

  • First version by Chris Palmer based on IRC conversation with Roger Dingledine.
  • Wikified and mildly edited by Nick Mathewson.