Hardening Tor server

Hello,
What firewall (iptables) rules are appropriate for a Tor bridge server?

Thank you.


I’m not sure what “appropriate” means here. What do you want to achieve?


Hello,
Thanks again.
Can you show me an example of Tor bridge firewall rules?

You can follow this answer: centos - Iptables rule to allow only one port and block others - Unix & Linux Stack Exchange

Use your bridge’s ServerTransportListenAddr port where it says allow your application port. Remove the SSH and Ping sections if you want.


For static IP dual stack nft- & iptables examples in my git:
https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc
Adjust obfs4 & ORPort.


Hello,
Thank you so much for your reply.
No, you can’t disable Ping. If you do this, your Tor server will not work properly. I had this problem.

Hello,
Thank you so much for your reply.
Do you mean this?

Yes, these are the IPv4 iptables rules. I forked this from coldhak back then and updated it for current Debian distros. For SSH I added commented examples, e.g. rate limit under DDoS or, if you have several IPs on the server, only allow SSH on one.
ICMP Ping is rate limited.

I switched all systems to nftables and only allow some IP SSH access.

table inet filter {
    # SSH is only accepted from the subnets in these two sets
    # (the elements below are placeholders, fill in your own ranges).
    set ssh_whitelist_v4 {
        type ipv4_addr
        size 65535
        flags interval
        counter
        elements = { my ISP IP subnets }
    }

    set ssh_whitelist_v6 {
        type ipv6_addr
        counter
        size 65535
        flags interval
        elements = { my ISP IPv6 subnets }
    }

    chain input {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;
8<
    ...
>8
        # Allow SSH on port 22 but only from whitelist
        ip saddr @ssh_whitelist_v4 tcp dport 22 counter accept
        ip6 saddr @ssh_whitelist_v6 tcp dport 22 counter accept
    }
}

Hello,
Thanks again.
coldhak used the Fail2ban service. Your iptables rules seem good and I think the important things are:

1- Leaving the Tor port open for clients to connect

2- Allowing loopback

3- Limiting SSH connections and Ping requests

This is ancient. Fail2ban has been entering the rules itself for years. The rules are otherwise duplicate, so I deleted that.
Btw, in my nft version I threw out fail2ban. On the one hand, I only whitelist some subnets for SSH. On the other hand, I’m starting to hate f2b because junior admins configure auto-generated abuse. This makes f2b worse than spam. Some 100/day automated abuse reports from Fail2Ban & x-arf I redirect to /dev/null. :tm:

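A default-drop iptables ruleset that covers the three points listed above (Tor ports open, loopback allowed, SSH and ping limited), restricting SSH to a listed subnet the way the nft version does and keeping the ICMP rate limit. This is an added example, not a file from the linked repo; the ORPort, obfs4 port and admin subnet are placeholder arguments you replace with your own.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a Tor bridge. Constructed example; the
# three arguments are placeholders for your own ORPort, obfs4 port and subnet.
#   usage: tor_bridge_rules ORPORT OBFS4_PORT SSH_SUBNET
tor_bridge_rules() {
    orport="$1"; obfs4_port="$2"; ssh_net="$3"
    cat <<EOF
*filter
# Default deny inbound; a bridge does not forward; outbound stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to existing connections, malformed packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Tor: ORPort and the obfs4 ServerTransportListenAddr port are open to everyone.
-A INPUT -p tcp --dport ${orport} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${obfs4_port} -m conntrack --ctstate NEW -j ACCEPT
# SSH: only from the admin subnet, and a source opening 5 or more new
# connections within 60 seconds is dropped (the -m recent pair).
-A INPUT -p tcp --dport 22 -s ${ssh_net} -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s ${ssh_net} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -s ${ssh_net} -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo is rate limited rather than blocked, as the thread advises;
# other ICMP (error messages such as fragmentation-needed) is accepted.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules emitted; handy to compare against `iptables -S INPUT`
# after loading, to confirm nothing was silently dropped by the parser.
count_input_rules() {
    tor_bridge_rules "$@" | grep -c '^-A INPUT'
}

# Constructed values: ORPort 9001, obfs4 on 443, admin subnet 192.0.2.0/24.
# Load with: tor_bridge_rules 9001 443 192.0.2.0/24 | iptables-restore
tor_bridge_rules 9001 443 192.0.2.0/24
```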

Hello,
Thanks again.
Can you rewrite your new rules from nftables to iptables?

Fail2ban is quite good to block brute force attacks. You can also disable root login and change the port.


Hello to all,
Are these iptables rules enough for a Tor proxy?

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -s 172.21.50.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT

Thank you.