Is security-misc suitable for hardening bridges and relays?

I run a few bridges and relays (they are VPS with Debian). I was wondering whether installing the security-misc package could be a good idea in order to harden their configuration. Suggestions? Hints? Previous experiences? Am I going to break my beloved relays?

Thanks and sorry for the kind of generic question.

This post talks about the status:


It shouldn’t™ cause any grave issues unless you do the extra stuff documented on https://www.whonix.org/wiki/Whonix-Workstation_Security_Hardening

Although, we can’t be sure as we don’t have that much testing as described above.

Hello both and thanks for your kind replies. Apologies for the late answer but I have been kind of busy today.

Well, I tried to install security-misc on a private relay I am running for testing purposes. After the reboot, I tried to become root (using ‘su’) with my normal user. Unfortunately, the system said “User not authorized” (or something like that, I do not remember exactly). Not sure why this happened.

Also, since my normal user was not in the sudoers list I was not able to become root AT ALL :rofl: :rofl:

Not a great problem, I just reinstalled the system from scratch. For now, I think that I will just copy and paste the kernel parameters in /etc/sysctl.d, testing them line by line. Not very comfortable, but it is better than reinstalling my system one more time.

Thanks for your answers.

1 Like

security-misc restricts su only to users within the sudo group. You need to add your user to the sudo group.

security-misc does much more than change some sysctl settings.

1 Like

Since all my systems have some user with sudo this use case was not considered. Indeed. Installation currently might brick a system until recovered using:

What could we do to solve the bricking risk? A preinst script that checks if at least one user is in group sudo and aborts installation if that is not the case? Not sure that can be implemented but guess yes.

1 Like
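The preinst check proposed in the post above, written out as an added example (it is not from the thread and is not security-misc's own maintainer script). It assumes local accounts in `/etc/group` and `/etc/passwd`; the function names `members_of` and `preinst_check` are hypothetical.

```shell
#!/bin/sh
# Added example: refuse installation when no account is in group "sudo",
# because su would then be unusable for every non-root user.
# Assumption: accounts are local (group(5)/passwd(5) files). With LDAP/NSS,
# feed the output of "getent group" and "getent passwd" in as files instead.

# members_of GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints each member of GROUP once: supplementary members (field 4 of the
# group entry) plus users whose primary GID is the group's GID, which the
# member list does not include.
members_of() {
    group=$1; group_file=${2:-/etc/group}; passwd_file=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0          # group does not exist: no members
    {
        awk -F: -v g="$group" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# preinst_check [GROUP_FILE] [PASSWD_FILE]
# Returns 0 when installation may proceed, 1 when it should abort.
preinst_check() {
    admins=$(members_of sudo "$@")
    if [ -z "$admins" ]; then
        echo "No user is in group sudo; su would be unusable after install." >&2
        echo "Run 'adduser <user> sudo' first, then retry." >&2
        return 1
    fi
    echo "Users in group sudo:" $admins
    return 0
}

# In a maintainer script this would be called as:
#   preinst_check || exit 1
```

A non-zero exit from a preinst script makes dpkg abort the installation, which is the behaviour the proposal asks for.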

Maybe just put a warning in the readme.

Hello both,
thanks again for your answers and suggestions. I think security-misc on a relay is worth another try. As madaidan correctly pointed out, this package is not just kernel settings. So, I added my user to the sudoers group and everything seems to be alright now.

I am testing the relay and I am not experiencing any particular issue in terms of latency, but yeah, I have just started. Is there any test you suggest to run (apart from use on a daily basis)?

1 Like
1 Like

I have been testing security-misc for more than a week on public/private bridges and a couple of onions I run. I have not experienced any problem at all. No drops in number of daily users, no drops in advertised bandwidth, not even a connection slower than usual. Nothing has changed (which generally is good).

Obviously, I do not think that my daily use can be considered as valuable technical data in order to assess whether security-misc is suitable or not for bridge/relays/onions. Again, if there are tests to run or parameters to monitor, I will be glad to look after them.

It could be good to keep testing security-misc in this perspective. As everybody knows, the Tor network has a huge problem in terms of OS diversity. Security-misc does not solve it, but could be useful in order to provide some security-by-default to the thousands of relay operators running Debian in order to contribute to the network.

Or not?
