From: Michael <strangerthanbland@gmail.com>
Date: Fri, 05 Feb 2016 19:31:10 -0800
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>
Message-ID: <2D4AF83F-2ACC-46C4-88D8-820B24ABDE86@gmail.com>
Subject: Re: [tor-talk] Scripted installer of Tor and more being worked on
	at GitHub, ya may want to sit down for this...

Cool, I'll be setting some of that up in the next few pushes
for fail2ban configurations, likely after fleshing out the
firewall scripting more, as they'll use similar matching
statements for ports. I'll be setting a default of 10 minutes
(600 seconds) for ban times and have commented lines
printed under each configuration block for easy modifying
after script run time.

I looked into Python and some of the steps to go through
on translation to another language; there doesn't seem to
be an effective way of translating case/switch statements,
lots of discussion and workarounds. Ruby is looking to be
a simpler switch and I may pursue this as an alternative.
Either way I'll be sharing notes on how I'd translate
portions in the Wiki as I find good examples. For Python
it looks like a lot of rewriting case statements into if/elif,
but for Ruby it looks like a few syntax changes and the
use of `puts` or `printf` in place of `echo` for reading out
info to the user.

I've also been looking further into encrypted partitions for
chroot jails via `dm-crypt` but have yet to find a solid way
of setting the first passphrase through a script (unless
piping an echo of it is acceptable); everything else is well
documented enough to script though, and I'm already
working on how best to scrub
`/${USER?}/home/.bash_history`
and other logs of script runtime information that is sensitive.
I could use suggestions as to whether encrypting a
chroot jail fully or just specific directories would be
preferred, i.e. just a user's home directory or a web
server's jail? Either way I'll also have to leave notes in the
logs on how to resize encrypted partitions and/or write a
wrapper for doing the task within the main script pack;
looks like the difference between `>` and `>>` on whether
or not a partition is overwritten or appended to when
expanding. If there are suggestions on `dm-crypt`
options (i.e. algorithms, partition size defaults, whether or
not to use `/dev/random` or `/dev/urandom`, ...) that
should be the default behavior, I'm all ears before I get into
drafting this part up.


On February 1, 2016 4:20:01 AM PST, coderman <coderman@gmail.com> wrote:
>On 2/1/16, Michael <strangerthanbland@gmail.com> wrote:
>> ...
>> My last question (for now) has to do with Fail2Ban and hidden services.
>>
>> My question is would you all prefer that separate jail.local configuration
>> blocks be written for each Tor service port individually, i.e. failing one
>> port doesn't ban from a possible second hidden service port, or is a fail
>> one ban'em all sufficient?
>
>please allow a single default jail.local to be used in one or any Tor
>service port configurations, including hidden service port
>configurations.
>
>then also allow each distinct configuration (IP:port, unix_domain,
>etc) of any Tor service configuration to be blocked individually.
>
>the latter is very useful for power users / multiple onion service
>operators who use service isolation intentionally to mitigate concerns
>of directed attacks, denial of service, or related risks.
>
>(there might be a better way than a sane default, with optional
>per-endpoint limits; that's my favorite approach to this question for
>now.)
>
>
>best regards,
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
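As an added illustration of the jail.local layout coderman asks for (not code from the GitHub installer or from either poster): a shared [DEFAULT] block carrying the 600-second ban time with commented tunables under each block, plus one jail per Tor service endpoint whose `port` line decides whether a failure bans the source from that endpoint only or from every listed port. The endpoint names, ports and log paths are hypothetical; the filter names are stock fail2ban filters.

```python
import configparser
from typing import List, Tuple

# Hypothetical endpoints: (jail name, port, fail2ban filter, log path).
# Constructed for this example; the filter names are stock fail2ban filters.
Endpoint = Tuple[str, int, str, str]
ENDPOINTS: List[Endpoint] = [
    ("onion-web", 8080, "apache-auth", "/var/log/apache2/error.log"),
    ("onion-ssh", 2222, "sshd", "/var/log/auth.log"),
]
DEFAULT_BANTIME = 600  # 10 minutes, the default proposed in the thread

def render_jail_local(endpoints: List[Endpoint], isolate: bool = True,
                      bantime: int = DEFAULT_BANTIME) -> str:
    """One [DEFAULT] block shared by every jail, then one jail per endpoint.
    isolate=True: a failure on one port bans the source from that port only;
    isolate=False: the ban covers every listed port (fail one, ban 'em all)."""
    all_ports = ",".join(str(p) for _, p, _, _ in endpoints)
    out = [
        "[DEFAULT]",
        f"bantime  = {bantime}",
        f"findtime = {bantime}",
        "maxretry = 5",
        "# Edit the values above after the script has run, e.g.:",
        f"# bantime  = {bantime * 6}   ; ban for an hour instead",
        "# maxretry = 3              ; ban sooner",
        "",
    ]
    for name, port, filt, logpath in endpoints:
        out += [
            f"[{name}]",
            "enabled = true",
            f"filter  = {filt}",
            f"logpath = {logpath}",
            f"port    = {port if isolate else all_ports}",
            "# Override the shared defaults for this jail only, e.g.:",
            f"# bantime = {bantime * 2}",
            "",
        ]
    return "\n".join(out)

def effective_setting(jail_text: str, jail: str, key: str) -> str:
    """Read the rendered text back with the INI syntax fail2ban uses and
    return the value `jail` ends up with for `key` ([DEFAULT] inherited)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    return cfg[jail][key]

def ban_scope(jail_text: str, jail: str) -> List[int]:
    """Ports a ban raised by `jail` would cover."""
    return [int(p) for p in effective_setting(jail_text, jail, "port").split(",")]
```

Note that fail2ban bans by source address, and a connection delivered to an onion service by the local tor daemon arrives from the loopback address, so a jail watching a hidden-service port would ban 127.0.0.1 and cut off every onion client at once; per-port isolation is mainly meaningful for services that are also reachable on a non-Tor interface.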