I do wonder whether it has an advantage or not.
-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
On 28 Apr 2016, at 18:21, Toralf Förster toralf.foerster@gmx.de wrote:
> I do wonder whether it has an advantage or not.
Ports in, or ports out?
Closing inbound ports is a security precaution, but don't close ssh by mistake!
Closing outbound ports is a bad idea, because other Tor relays can choose any port for their ORPort and DirPort.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
On 04/28/2016 11:14 AM, Tim Wilson-Brown - teor wrote:
> Ports in, or ports out?
Ports in I meant, sorry.
> Closing inbound ports is a security precaution
The question is: if there's no program listening on that port, does filtering that inbound port have any effect?
> but don't close ssh by mistake!
:-D
-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
On 28 Apr 2016, at 19:18, Toralf Förster toralf.foerster@gmx.de wrote:
> On 04/28/2016 11:14 AM, Tim Wilson-Brown - teor wrote:
>> Ports in, or ports out?
> Ports in I meant, sorry.
>> Closing inbound ports is a security precaution
> The question is: if there's no program listening on that port, does filtering that inbound port have any effect?
Normally, when there is a connection attempt to a closed port, your OS will reply and let the other end know the port is closed. With iptables, you can blackhole (drop) these requests instead. Or you can log them.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B ricochet:ekmygaiu4rzgsk6n
The likes of GRC.COM make you think that any port not blocked ("stealth") is bad. I wondered why, if nothing is there. But you can never be certain there is nothing.
I have my TOR exit node on a separate IP from my main server, shared on eth0 as eth0:1. I would like to close as many ports as possible on the second TOR IP, including stopping ping, but the VPS firewall settings open up ports per interface, which is not much good.
I have hunted around for days and cannot find an answer, probably because it is bleeding obvious: what's the ipchains command that opens ports per server IP address?
Currently the rules are thus:
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
which opens up those TOR ports on BOTH my IPs, not what I want (OK, torrc is listening on the second IP, but that is fiddly to set up for each service).
I want my normal ports to be open on the 1st IP and shut on the second IP.
Apologies that ipchains is a little off topic.
Gerry

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Tim Wilson-Brown - teor
Sent: 28 April 2016 10:29
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] does it make sense to close unused ports at a tor relay with iptables ?
On 28/04/16 14:33, Dr Gerard Bulger wrote:
> Currently the rules are thus:
> -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9051 -j ACCEPT
> which opens up those TOR ports on BOTH my IPs, not what I want (OK, torrc is listening on the second IP, but that is fiddly to set up for each service).
> I want my normal ports to be open on the 1st IP and shut on the second IP.
To block per IP address you can amend the rules to the following form:
-A INPUT -p tcp -m tcp -d <your tor IP> --dport 9030 -j ACCEPT
-A INPUT -p tcp -m tcp -d <your tor IP> --dport 9051 -j ACCEPT
P.S. this email is not GnuPG signed because I'm having issues with enigmail, ubuntu, gpg-agent and yubikey
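Putting Tim's "drop and log instead of reply" advice and Daniel's per-destination-address rules together, here is a complete ruleset in iptables-restore format. This is an added example; it is not code posted in the thread and not something tor ships. The addresses 203.0.113.10 (main server) and 203.0.113.11 (relay) are RFC 5737 documentation addresses standing in for your own, and the ORPort/DirPort defaults (9001/9030) and the SSH port are assumptions to change to match torrc and sshd_config. Unmatched inbound traffic is logged (rate-limited) and dropped rather than rejected, so a probe sees a filtered port instead of a RST or ICMP unreachable; echo-request to the relay address is dropped as Gerry asked; and nothing opens 9051, which is tor's default ControlPort and should only ever be reachable on loopback. The accepted_tcp_ports helper parses the generated ruleset so you can check what each address exposes before loading anything.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# keeps normal services on the main address and exposes only tor on the relay
# address. 203.0.113.x are RFC 5737 documentation addresses; the ports are
# assumptions -- set them to match torrc and sshd_config.
MAIN_IP="${MAIN_IP:-203.0.113.10}"
TOR_IP="${TOR_IP:-203.0.113.11}"
SSH_PORT="${SSH_PORT:-22}"
OR_PORT="${OR_PORT:-9001}"     # tor default ORPort
DIR_PORT="${DIR_PORT:-9030}"   # tor default DirPort

# gen_rules MAIN_IP TOR_IP [SSH_PORT] [OR_PORT] [DIR_PORT]
# Prints a complete *filter table for iptables-restore on stdout.
gen_rules() {
    main="$1"; tor="$2"
    ssh="${3:-$SSH_PORT}"; orp="${4:-$OR_PORT}"; dirp="${5:-$DIR_PORT}"
    cat <<EOF
*filter
# INPUT defaults to DROP: an unmatched probe gets no RST/ICMP reply, so the
# port looks filtered rather than closed. OUTPUT stays open because other
# relays pick arbitrary ORPorts and we must be able to reach them.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Main server address: admin ssh and ping, nothing tor-related.
-A INPUT -d $main -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $main -p icmp --icmp-type echo-request -j ACCEPT
# Relay address: only ORPort and DirPort; ping is dropped silently.
-A INPUT -d $tor -p tcp --dport $orp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $tor -p tcp --dport $dirp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $tor -p icmp --icmp-type echo-request -j DROP
# Everything else: one rate-limited log line, then drop.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# accepted_tcp_ports IP
# Reads a ruleset on stdin and prints the TCP ports the INPUT chain ACCEPTs
# for that destination address, sorted and space-separated. Use it to audit
# what each address exposes before loading the rules.
accepted_tcp_ports() {
    awk -v ip="$1" '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            d = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
            }
            if (d == ip && p != "") print p
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Demo: print the ruleset, then what each address accepts.
gen_rules "$MAIN_IP" "$TOR_IP"
echo "# $MAIN_IP accepts TCP: $(gen_rules "$MAIN_IP" "$TOR_IP" | accepted_tcp_ports "$MAIN_IP")"
echo "# $TOR_IP accepts TCP: $(gen_rules "$MAIN_IP" "$TOR_IP" | accepted_tcp_ports "$TOR_IP")"
```

Load the output with `iptables-apply -t 60 rules.v4` rather than plain `iptables-restore`: if the ssh rule is wrong and your session dies, iptables-apply restores the previous ruleset when you fail to confirm within the timeout, which is the practical answer to "don't close ssh by mistake". iptables only covers IPv4; if the relay also has an IPv6 address, the same policy needs to go into ip6tables.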
> The likes of GRC.COM http://grc.com/ make you think that any port not blocked... is bad.
> I wondered why, if nothing is there.
Because there is a difference between a closed port and a filtered port. Deny vs drop. The less of a fingerprint you offer to attackers, the better. It's security by obscurity to an extent, but even a response from a closed port can give away clues about the software, OS and network stack that's running.
On 4/28/16, Green Dream greendream848@gmail.com wrote:
>> The likes of GRC.COM http://grc.com/ make you think that any port not blocked... is bad.
>> I wondered why, if nothing is there.
> Because there is a difference between a closed port and a filtered port. Deny vs drop. The less of a fingerprint you offer to attackers, the better. It's security by obscurity to an extent, but even a response from a closed port can give away clues about the software, OS and network stack that's running.
Another reason is that, by filtering as root, anything that does happen is required to escalate to root and unfilter before being able to use any other port. Another: some exploit in the part of the stack responsible for sending the deny. Tradeoff: management overhead, possible lockout of yourself. Backup, practice, document, test.
Thanks +++
Simple really
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Daniel Llewellyn
Sent: 28 April 2016 15:35
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] does it make sense to close unused ports at a tor relay with iptables ?
> -- 
> Daniel Llewellyn, Bowl Hat
> PGP/GnuPG Key ID: 0x0349ED21
> 4C9C BFAD 0069 D679 9660 BCD5 40C2 D958 0349 ED21