radio24/TorBox

add Vanguards

Closed this issue · 5 comments

Even after deployment of the new v3 onion service protocol, the attacks facing onion services are wide-ranging, and still require more extensive modifications to fix in Tor-core itself.

Because of this, we have decided to rapid-prototype these defenses in a controller addon in order to make them available ahead of their official Tor-core release, for onion services that require high security as soon as possible.

https://github.com/mikeperry-tor/vanguards#running-this-addon-directly-from-git

This is for the controller, so I think it is good to be added.
I have a script that runs from git and creates a systemd service for vanguards to execute the Python script. I still want to enhance it into a menu option to show logs, install, remove, start, stop, but that is the last part after all other things are ready.
It would be good to enhance the log check with vanguards logs.

Important part:
Want this?
Default installation or optional installation?

This looks interesting. It is very easy to enhance the log check with vanguards logs because log_check.py is working with all kinds of logs.

Want this? -> YES
Default installation or optional installation? -> First for testing as an optional installation, later maybe as default.

I will add a commit hash so that it does not run directly from the git repo, but resets to the specified commit.
I will also add sudo -u debian-tor git clone.

DONE

I integrated the pull request and ran some first tests. I guess the fact that Raspberry Pi OS and Debian are a little bit different complicates some things. Here are some questions and issues with the installation of Vanguards:

  • sudo -u debian-tor reset --hard ${VANGUARDS_COMMIT_HASH} -> Necessary? Why not just grab the latest version of the master branch?
  • sudo mv vanguards /var/lib/tor/ -> Error! What do you want to copy to /var/lib/tor/? The entire cloned vanguards repository? Is that really necessary?
  • sudo cp /var/lib/tor/vanguards/vanguards-example.conf /var/lib/tor/vanguards/vanguards.conf -> should be in /etc/tor/

I think the installation of Vanguards could be moved to the installation script, but the activation shouldn't be by default yet. Nevertheless, this could be a little bit tricky with Ubuntu.

  1. VANGUARDS_COMMIT_HASH
  • Depends on your security level
  • If the GitHub user is compromised and a malicious commit is merged into mainstream, this could be an attack vector. Setting the commit hash makes the developer review (or incites them to review) the code up to that commit, as a good security measure.
  2. mv vanguards /var/lib/tor/
  • Yes, the entire cloned repository.
  • I don't know which files should not be included in the folder, so I move everything. Also, it is easier to git fetch.
  3. vanguards.conf should be in /etc/tor/
  • Here you are right; the systemd service is searching for it inside /etc/tor. That is the path for the deb package of vanguards, but it could be in the current working directory. From the README:
    Configuration files can be specified on the command line. The default is to read vanguards.conf from the current working directory. If the environment variable $VANGUARDS_CONFIG is set, the config file will be read from the file specified in that variable.

Thank you for the review. I learned a lot, and having seen how you implemented the service and menu, I will be more familiar with the TorBox design next time.

sudo rm -rf /var/lib/tor/vanguards

Maybe if -d $VANGUARD_DIR exists, then just git fetch and restart the service to update?
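The install/update flow discussed above (clone as the tor user, pin to a reviewed commit instead of following master, keep vanguards.conf in /etc/tor, and on later runs just git fetch and re-pin) as one added shell example. This is not TorBox's or vanguards' own script; the repository URL is the one linked in this issue, and the directory, commit hash, config path and the VANGUARDS_* variable names are assumptions or placeholders. The pin check refuses to continue when HEAD does not end up at exactly the pinned commit, which is the property that makes the commit hash a supply-chain control rather than a convenience:

```shell
#!/bin/sh
# Added example, not part of TorBox or the vanguards project.
# Placeholders: VANGUARDS_DIR, VANGUARDS_COMMIT_HASH, VANGUARDS_CONF.
set -eu

VANGUARDS_REPO="${VANGUARDS_REPO:-https://github.com/mikeperry-tor/vanguards.git}"
VANGUARDS_DIR="${VANGUARDS_DIR:-/var/lib/tor/vanguards}"
# Full 40-character hash of the commit you reviewed (placeholder value).
VANGUARDS_COMMIT_HASH="${VANGUARDS_COMMIT_HASH:-REPLACE_WITH_REVIEWED_COMMIT_HASH}"
VANGUARDS_CONF="${VANGUARDS_CONF:-/etc/tor/vanguards.conf}"

# Clone on the first run; on later runs (directory already exists) only fetch.
# Either way, reset to the pinned commit and verify HEAD is exactly that commit,
# so a moved tag, an abbreviated hash or a newer master commit cannot slip in.
# Usage: vanguards_checkout <repo-url> <dir> <full-commit-hash>  (prints HEAD)
vanguards_checkout() {
  repo="$1"; dir="$2"; commit="$3"
  if [ -d "$dir/.git" ]; then
    git -C "$dir" fetch -q origin
  else
    git clone -q "$repo" "$dir"
  fi
  git -C "$dir" reset -q --hard "$commit"
  head="$(git -C "$dir" rev-parse HEAD)"
  if [ "$head" != "$commit" ]; then
    echo "vanguards: HEAD $head is not the pinned commit $commit" >&2
    return 1
  fi
  echo "$head"
}

# Copy the example config into /etc/tor only when no config exists yet,
# so an update never overwrites operator settings. Prints "installed" or "kept".
# Usage: vanguards_install_conf <checkout-dir> <conf-path>
vanguards_install_conf() {
  dir="$1"; conf="$2"
  if [ ! -f "$conf" ]; then
    cp "$dir/vanguards-example.conf" "$conf"
    echo "installed"
  else
    echo "kept"
  fi
}

# Real run (as root, with the checkout owned by the tor user):
#   sudo sh this_script.sh install
case "${1:-}" in
  install)
    sudo -u debian-tor sh -c "$(declare -f vanguards_checkout 2>/dev/null || true)
      vanguards_checkout '$VANGUARDS_REPO' '$VANGUARDS_DIR' '$VANGUARDS_COMMIT_HASH'" \
      2>/dev/null || vanguards_checkout "$VANGUARDS_REPO" "$VANGUARDS_DIR" "$VANGUARDS_COMMIT_HASH"
    vanguards_install_conf "$VANGUARDS_DIR" "$VANGUARDS_CONF"
    ;;
esac
```

Running the same script again takes the fetch branch instead of cloning, which is the "if -d $VANGUARD_DIR exists, then just git fetch" idea; bumping VANGUARDS_COMMIT_HASH after reviewing a newer commit is the only way the checkout moves forward. The service restart after an update is left to the systemd unit TorBox installs.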

Implemented with TorBox version 0.4.2!