LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-26-2011, 08:41 AM   #1
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Rep: Reputation: 22
Running Services *Securely* -- chroot and virtualization


I'd like to run a Tor relay, but am trying to understand the security implications.

For some time I've run my torrent client in a VirtualBox virtual machine, which is run as a very non-prived user, bridges directly to The Internets, and writes to one directory on the host. My belief is this is about as secure as it can be, but am open to suggestion.

If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security.

I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.

Suggestions?
 
Old 05-30-2011, 11:23 AM   #2
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Really? No ideas?
 
Old 05-30-2011, 10:23 PM   #3
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Debian testing, KDE

@Quantumstate:

Good question. Why not repost it in Debian User Forums?
Code:
http://forums.debian.net/
 
Old 05-31-2011, 04:59 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
I don't really have a direct answer to your question about isolation and virtualization for Tor. I think a lot of what it comes down to is whether or not you trust the Tor application. In theory, the user's who are transmitting data are not accessing your machine per say. Rather a small amount of encrypted packet traffic is being shuffled through your system by a daemon process that listens for connections on a specified port and forwards them to the next hop. In practice, it would be detrimental to the Tor project to distribute binaries that would allow remote control or access of your system as the project would likely implode upon itself almost immediately upon discovery. If I recall correctly from what I read of the documentation, the project was deliberately designed to prevent this scenario, but it comes down to trusting the three individuals who administer the system and the signing keys for the control nodes. If you received your download from a known, signed source, the likelihood of receiving a compromised application is very small.

Personally, I run a Tor relay node, but not an exit node. After careful consideration, I am not comfortable running an exit node. I run a couple of public facing servers on a static, business grade Internet from one of the larger ISPs in the USA. This makes my traffic more locatable than most, but it is part of the cost of doing business. This is also why I value projects like Tor which allows me to turn off the spotlight on my personal activity when I want to. It is for this reason that I chose to contribute to Tor, yet I am uncomfortable running an exit relay risk to the business reputation.
 
Old 05-31-2011, 06:47 AM   #5
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Noway2 raises some good points, but I still think you should seek feedback on the insecurity of your proposed setup by reposting your question in Debian User Forums.

Last edited by Peufelon; 05-31-2011 at 06:49 AM.
 
Old 05-31-2011, 01:38 PM   #6
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
I haven't had alot of luck getting complex questions answered in the Debian forums.

I should think that with the much larger audience here there would be depth of knowledge in this question, but so far no.
 
Old 06-01-2011, 01:18 AM   #7
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Rule 13

@Quantumstate:

I am trying to help you, but you won't let me. Too bad.
Code:
http://forums.debian.net/

Last edited by Peufelon; 06-01-2011 at 01:19 AM.
 
Old 06-01-2011, 03:58 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
I believe what he is trying to say is the topic gets into territory that is prohibited by the 13th LQ bulletized rule:
Quote:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed
The site forums.debian.net has no such rule. From reading their forum rules, it is even unclear whether it was intended for this type of content to be banned.

Peufelon, if you have any question regarding whether or not the content you would like to post is objectionable under rule 13, you could run it by a moderator and ask for suggestions on how to sufficiently sanitize it.
 
Old 06-01-2011, 08:18 AM   #9
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by Noway2 View Post
I believe what he is trying to say is the topic gets into territory that is prohibited by the 13th LQ bulletized rule:
Really. So the suggestion is either that
a. Tor has to do with "cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org", or
b. that I am trying to crack Tor by protecting my machine.

Interesting.
 
Old 06-01-2011, 10:12 AM   #10
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
People think very one sided on here when it comes to this. Probably the aspect I hate most about LQ. Well then again I only hang out in security anyway. But yea I've defended a few people over the past because just because they have TOR in their post they get automatically shunned. Ridiculous.

On the other side, if they do automatically shun things like this they are mitigating their risk of posts that go against the rules fairly well. Guess the question comes down to where should the line be drawn.

If you used something like 'VPN relay' instead of TOR I bet you would have gotten a lot more/better responses.

When you take any security classes such as the ones offered from SANS they talk about defense in depth which equates to layers. I think the same principle would apply here. I haven't heard of anyone seeing any unwanted activity from running a TOR relay that wasn't an end node. That doesn't mean it can't happen but just that it hasn't surfaced yet.

I would think something like:

old laptop (in dmz or on it's own vpn) -> selinux -> chroot -> tor relay
or
virtual machine (on a seperate nic) -> selinux -> chroot -> tor relay
or even
virtual machine -> selinux -> chroot -> tor relay

I just like the extra security in there for selinux. Not that it itself hasn't had flaws in the past but it adds another layer.

nomb
 
Old 06-01-2011, 02:06 PM   #11
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Thanks nom, but all of those myst be in my LAN's class C in order to reach the router looking out. I'm pretty happy running a VM bridged to the class C, except it's in the same class C as the rest of my LAN, necessarily so since I have only one router on The Internets.

I am surprised and disappointed at how frightened everyone here is of the rules without understanding what this is all about.
 
Old 06-01-2011, 02:22 PM   #12
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by Quantumstate View Post
Thanks nom, but all of those myst be in my LAN's class C in order to reach the router looking out. I'm pretty happy running a VM bridged to the class C, except it's in the same class C as the rest of my LAN, necessarily so since I have only one router on The Internets.

I am surprised and disappointed at how frightened everyone here is of the rules without understanding what this is all about.
I don't know if you are on a laptop or desktop but if you are on a desktop or a laptop with multiple nics you can always dedicated one for your virtual machine then set it up in a vpn on your router so it is segregated from the rest of your lan.

nomb
 
Old 06-01-2011, 07:19 PM   #13
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Two hardwire servers and a wifi laptop, on a Netgear WNDR3700. VPN does not seem to be available on consumer-grade routers, only on ProSafe. Although I'm duly impressed with ProSafe, probably my next router & client cards will be from UBNT given their awesome NanoBridgeM2.

Anyway the router has the WAN connection to the NanoBridge to the far router to the cablemodem, thus is the only way out. LAN is 192.168.11.0 and WAN is 192.168.1.0 (NanoBridge, far router, cablemodem). If I put a switch between the router and cablemodem and joined the separate Tor interface there, my router would still be in the party. Far router doesn't have VPN either, although the NanoBridge does have VPN passthrough.

If I set a second IP on my server's interface for Tor, say 192.168.1.5 the LAN wouldn't know what to do with it, so should forward it out the default route to the NanoBridge. Problem is I need to port-forward in the far router so the Tor daemon can serve. Have the NanoBridge in bridging mode so shouldn't have to port-forward there.

Struggling...

Last edited by Quantumstate; 06-01-2011 at 07:26 PM.
 
Old 06-02-2011, 04:24 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by Peufelon View Post
(..) I still think you should seek feedback on the insecurity of your proposed setup by reposting your question in Debian User Forums.
Unless enough time has passed and LQ hasn't shown any support slash expertise please don't redirect to other forums and certainly not repeatedly. If you do then advertising a remote forum once is OK, twice is pushing it but thrice really is overkill.


Quote:
Originally Posted by nomb View Post
People think very one sided on here when it comes to this. Probably the aspect I hate most about LQ. Well then again I only hang out in security anyway. But yea I've defended a few people over the past because just because they have TOR in their post they get automatically shunned. Ridiculous. On the other side, if they do automatically shun things like this they are mitigating their risk of posts that go against the rules fairly well. Guess the question comes down to where should the line be drawn.
I remind you (all) that any member may question the validity of a post and report potential transgressions but only moderators will tell you (all) if a LQ Rule violation has taken place. Since the OP doesn't contain questions about circumventing (network) access restrictions, penetration testing, cracking or warez peddling so far there is no LQ Rule violation, period. So y'all please focus on what's asked, TIA.



Quote:
Originally Posted by Quantumstate View Post
(..) trying to understand the security implications. (..) If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security. I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.
IMO Noway2 and nomb already addressed host and service security but I should point you to the official documentation and particularly How to Run a Secure Tor Server (documentation index) as, apart from chrooting, there don't seem to be any specific security-related questions in your OP. As for chrooting and TOR (and of course having read the often-cited paper) TOR doesn't run as root by default apart from executing the binary at startup and drops root rights running under in the unprivileged "tor" user account. Looking at the 2010 / 2011 CVE entries for TOR (also see the TOR bug tracker) you see the majority of issues have been with potential denial of service situations and only one entry is about possible arbitrary code execution so I second the suggestion of using an Operating System or distribution with additional security features like SELinux as it curbs excessive access rights and has proved it can contain breaches of security. However from your latest reply:
Quote:
Originally Posted by Quantumstate View Post
(..) my router would still be in the party. Far router doesn't have VPN either (..) LAN wouldn't know what to do (..) I need to port-forward in the far router so the Tor daemon can serve.
it seems you're not as much interested in host and service-related security issues as in network-related ones making this seem more like a network issue.
If that is indeed the case then I'd suggest you create a new thread for that in the Networking forum.
 
Old 06-02-2011, 10:53 AM   #15
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by unSpawn View Post
IMO Noway2 and nomb already addressed host and service security but I should point you to the official documentation and particularly How to Run a Secure Tor Server (documentation index) as, apart from chrooting, there don't seem to be any specific security-related questions in your OP.
Eh? The overarching question is how to run a relay (in fact any daemon) securely. I suggested my ideas, which each have flaws, and now I have a more complete list:

- chroot jail can be broken by a skilled cracker.
- VirtualBox VM bridged to LAN still must share the LAN class C, and could potentially monitor internal traffic. (And please don't quibble with me calling it a class C... they have to make up a name and stick with it. I still call Nissan's a Datsun)
- VPN to router, most routers do not have VPN functionality, only the business-class like ProSafe.



Quote:
Originally Posted by unSpawn View Post
As for chrooting and TOR (and of course having read the often-cited paper) TOR doesn't run as root by default apart from executing the binary at startup and drops root rights running under in the unprivileged "tor" user account.
Thank you. But be advised that it's usually a matter of only a few weeks between local privilege escalation exploits for Linux are published on lists like Full-Disclosure, and those are just the ones that are not sold. Security boundaries on shared commodity hardware have almost always turned out to be ineffective. They're a myth, like Santa Claus, one that basically honest and good-natured people agree to believe in because of the huge cost savings it enables (over having to purchase separate hardware for every category of data).

But this latest round of virtualization technology is holding up better than I'd expected. Looking like a VM is a good start.


Quote:
Originally Posted by unSpawn View Post
However from your latest reply:
it seems you're not as much interested in host and service-related security issues as in network-related ones making this seem more like a network issue.
If that is indeed the case then I'd suggest you create a new thread for that in the Networking forum.
Eh? The overarching question is how to run a relay (in fact any daemon) securely. It is a systems question, which happens to include networking.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Running applications in a Chroot Gavin Harper Slackware 2 01-15-2011 03:14 PM
Virtualization, Terminal Services & Thin Clients jescka LinuxQuestions.org Member Intro 1 01-13-2008 01:18 PM
Chroot Services XaViaR Linux - Security 6 11-09-2005 09:20 AM
mysqld doesn't chroot securely markus1982 Linux - Security 12 03-07-2004 08:07 PM
ntop running with chroot? bugsland Linux - Software 0 01-07-2003 05:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration