[tor-relays] Debian relay Puppet module
Zack Weinberg
zackw at cmu.edu
Tue Jun 17 21:09:57 UTC 2014
On Sun, Jun 15, 2014 at 7:31 AM, Alexander Fortin
<alexander.fortin at gmail.com> wrote:
>
> I’ve recently joined the Tor Project and I have been running a non-exit relay for a few days.
>
> I’m also a Puppet user and, more in general, I try to make deploying applications
> on the servers I administer as easy as possible, Tor included.
>
> I think Tor documentation to install on a Debian server is quite good, but I still prefer to
> have Puppet doing that for me, and I’m quite sure every Puppet user out there would think
> the same.
Hey, thanks for doing this! I have kinda wanted to put something
similar together for a while but haven't had the time. Here are some
thoughts, in no particular order:
Why do you disable directory mirroring? It's my understanding that
this should basically always be on.
It would be nice if exit-relay mode enabled an HTTP "exit notice" as
described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
Tor relays get pounded on by the script kiddies -- a degree of
hardening is appropriate. I don't know if there are any stock Puppet
"tighten security" modules but these are the things that I remember
having done to mine. Note that my relays serve no other traffic and
have no non-root user accounts; some of these configuration choices
may be inappropriate for multi-use machines.
- install fail2ban and ufw; firewall incoming traffic to ports other
than 9001, 9030, and 22 (ssh) (I don't think the marginal benefit of
moving ssh to a nonstandard port is worth the hassle).
- sshd_config configuration tuning: beware that this will lock out
any user account with no SSH authorized_keys!
    Protocol 2
    UsePrivilegeSeparation yes
    PermitRootLogin without-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    HostbasedAuthentication no
    IgnoreRhosts yes
    StrictModes yes
    X11Forwarding no
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- install logcheck and nullmailer; set /etc/nullmailer/adminaddr and
/etc/nullmailer/remotes to values assigned in Puppet configuration;
symlink /etc/nullmailer/helohost to /etc/hostname. (ufw and sshd will
emit a great deal of chatter due to people knocking on the machine. I
have custom ignore.d.server files to shut them up - basically I've set
it to mail me only on *successful* logins. Let me know if you want
'em.)
- install unattended-upgrades and configure it to auto-upgrade
everything. Unfortunately, the unattended-upgrades documentation is
at pains to avoid explaining how to do that; this is what I have in
/etc/apt/apt.conf.d/50unattended-upgrades:
    Unattended-Upgrade::Origins-Pattern {
        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";
        "o=TorProject,a=stable";
    };
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Mail "root";
    Unattended-Upgrade::MailOnlyOnError "true";
- I'd *like* to recommend pulling libssl from testing, but right now
that also means upgrading libc, which seems unwise.
- I'd also like to recommend a kernel enhanced-security module, but I
was unable to get SELinux to the point where I could turn enforcement
on without breaking boot (and when I finally gave up and purged it,
the relay I was testing that on sped up by 15%!), AppArmor seems too
half-assed to actually be worth it, and Debian doesn't have grsec
kernel packages.
zw
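As an added example (not the Puppet module under discussion, and not code from the post above or from the Tor Project), here is the hardening list from that message as one POSIX shell script for a dedicated Debian relay: the sshd_config tightening with a guard against the lockout the post warns about, the ufw rule set for ports 22, 9001 and 9030, and the unattended-upgrades files. The function names, the ROOT prefix for dry runs, and the 20auto-upgrades file that switches the daily apt run on are this example's own additions, not from the post.

```shell
#!/bin/sh
# Added example, not the Puppet module from this thread and not Tor Project
# code: applies the hardening steps from the post to a dedicated Debian relay.
# Ports are the post's (22 ssh, 9001 ORPort, 9030 DirPort). Function names and
# the ROOT prefix used for dry runs are this example's own assumptions.
set -eu

# sshd_config directives from the post, one "Keyword value" per line.
SSHD_OPTS='Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

# The lockout the post warns about: once PasswordAuthentication is off, an
# account with no key in authorized_keys cannot log in. Succeeds only if the
# file has at least one non-comment line that looks like a public key.
has_authorized_key() {
    keyfile=$1
    [ -s "$keyfile" ] &&
        grep -Ev '^[[:space:]]*(#|$)' "$keyfile" |
        grep -Eq '(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]]+AAAA'
}

# Put SSHD_OPTS at the top of sshd_config and drop the global lines that set
# the same keywords. sshd uses the first value it reads for a keyword, so the
# prepended lines win; appending at the end would instead land them inside the
# last Match block. Directives inside Match blocks are deliberate overrides and
# are kept, as are commented-out defaults. Running it twice is a no-op.
harden_sshd() {
    cfg=$1
    keys=$(printf '%s\n' "$SSHD_OPTS" | awk '{ printf "%s ", tolower($1) }')
    {
        printf '%s\n' "$SSHD_OPTS"
        awk -v keys="$keys" '
            BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) managed[k[i]] = 1 }
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && (tolower($1) in managed) { next }
            { print }
        ' "$cfg"
    } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# ufw rule set: default deny inbound, admit only ssh, ORPort and DirPort.
# Printed so it can be reviewed; apply_firewall feeds it to ufw.
firewall_rules() {
    cat <<'EOF'
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 9001/tcp
ufw allow 9030/tcp
ufw --force enable
EOF
}
apply_firewall() { firewall_rules | while IFS= read -r cmd; do $cmd; done; }

# The post's 50unattended-upgrades (with the semicolon after Mail "root"), plus
# 20auto-upgrades, which is what actually schedules the daily run (taken from
# Debian's APT::Periodic settings, not from the post).
write_unattended_upgrades() {
    confdir=$1
    cat > "$confdir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";
        "o=TorProject,a=stable";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
EOF
    cat > "$confdir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Live run, as root on the relay. With ROOT set to a scratch directory the
# files are written there instead and nothing is installed or restarted.
apply_live() {
    root=${ROOT:-}
    if ! has_authorized_key /root/.ssh/authorized_keys; then
        echo "refusing: root has no SSH key; PasswordAuthentication no would lock you out" >&2
        return 1
    fi
    [ -n "$root" ] || apt-get install -y fail2ban ufw logcheck nullmailer unattended-upgrades
    harden_sshd "$root/etc/ssh/sshd_config"
    write_unattended_upgrades "$root/etc/apt/apt.conf.d"
    [ -n "$root" ] && return 0
    sshd -t    # a cipher this OpenSSH build does not know would keep sshd from starting
    service ssh restart
    apply_firewall
}

case "${1:-}" in --apply) apply_live ;; esac
```

Run it as root on the relay with `--apply`; set `ROOT` to a scratch directory first to inspect the files it would write without touching the live system. The `sshd -t` step matters: an unrecognized name in the Ciphers list makes sshd refuse to start, and with the firewall admitting only port 22 that leaves the console as the only way back in.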