[tor-relays] fedora bridge recipe 2nd suggestion update.

Carlos eff_03675549 at posteo.se
Mon Apr 8 18:36:40 UTC 2024


Hi,


This is a suggestion for improving the page:

https://community.torproject.org/relay/setup/bridge/post-install/

where the page states:


See the file |obfs4_bridgeline.txt|, which is found inside Tor Data 
Directory, for example, in Debian/Ubuntu 
|/var/lib/tor/pt_state/obfs4_bridgeline.txt| or FreeBSD 
|/var/db/tor/pt_state/obfs4_bridgeline.txt|.


I believe it is now time to keep a standard with the pattern of 
respect that the recipe has had for the diversity of OS-communities and 
push this to state in hard:


See the file |obfs4_bridgeline.txt|, which is found inside Tor Data 
Directory:
in Debian / Ubuntu / Fedora |/var/lib/tor/pt_state/obfs4_bridgeline.txt|
in FreeBSD |/var/db/tor/pt_state/obfs4_bridgeline.txt|.


(My personal experience is that under DEBIAN BOOKWORM (12) at least, the 
directory |/var/lib/tor/pt_state/| DOES NOT EXIST. 
This is infuriating when having set up the entire Bridge in deep study 
of the torproject recipe; the fatal outcome is that the Bridge is 
running yet the Bridge line is uncomposable for publication. Debian 12 
is a standard, and Debian 11 becomes a dangerous OS to rely on: the 
bridge-line pt_state folder issue must be urgently resolved!)


Also, the page:

source URL: https://bridges.torproject.org/info

does not give clean examples of the exact torrc statement with the 
present double-quote (e.g. "Settings") and this is very confusing for 
those who capitalize the first letter when the standard on pages I visit 
is often all in small letters:

|BridgeDistribution moat|

would illustrate the standard to adopt and avoid potentially wasting 
time at every new Bridge being attempted by operators.



Perhaps, keeping this good habit of looking at what else there is to secure a 
basic tor server (after all, the actual recipe mentions Unbound, ufw, 
firewalld, ...), the torproject could push a step further and remind of a 
concise, minimal yet expected standard (for every OS):
- in changing OpenSSH ssh port 22 for any other port TODO,
- in setting up ed25519 only,
- in setting up fail2ban to jail any TOR EXIT IPs, ...

Truly, with little experience of mine, INFLATION BOMBS and local 
infrastructure hacking attacks have repeatedly used Tor to (DDoS-) 
attack Tor Relays from EXIT nodes.


Carlos.


-- 
PGP updated every second week : please actualize our communication every time.