Re: [tor-relays] hardening a tor relay

2014-05-23 Thread Noilson Caio
Nice thread. In my case (Tor exit node):

Output only secure connections;

ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*

Block all output like HTTP and SMTP in my netfilter (GNU/Linux);

-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
etc ..

I had problems with port scans originating from my output, even without
ExitPolicy accept.
Example:

Dear Sir/Madam,

We have detected abuse from the IP address MYIPADDRESS, which according to
a whois lookup is on your network. We would appreciate if you would
investigate your logs and take action as appropriate.

Log lines are given below, but please ask if you require any further
information.

(If you are not the correct person to contact about this please accept our
apologies - your e-mail address was extracted from the whois record by an
automated process.)

Regards,

Critical Path, Inc.

Note: Local timezone is + (GMT)
Jan 15 16:03:00 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:07 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:11 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:14 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:17 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:18 65.20.0.47 pop3: Failed password from MYIPADDRESS
- END 

To keep myself in a comfort zone, I installed OSSEC. OSSEC is an Open Source
Host-based Intrusion Detection System that performs log analysis, file
integrity checking, policy monitoring, rootkit detection, real-time
alerting and active response.

Example of my latest incidents:

OSSEC HIDS Notification.
2014 May 23 11:45:44

Received From: darkstar-/var/log/messages
Rule: 1002 fired (level 2) - Unknown problem somewhere in the system.
Portion of the log(s):

May 23 12:45:44 darkstar kernel: tor: page allocation failure. order:0,
mode:0x20

 --END OF NOTIFICATION

I'm slowly creating rules (regular expressions) for OSSEC for the Tor messages and
treating facilities.

On Thu, May 22, 2014 at 2:31 PM, Paul Staroch paulc...@rueckgr.at wrote:

 On 2014-05-22 02:23, Contra Band wrote:
  # Allow incoming 9050
  iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
 
  # Allow outgoing 9050
  iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
 
  # Allow incoming 9051
  iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
 
  # Allow outgoing 9051
  iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

 Do you actually need remote access to ports 9050 (Socks proxy) and 9051
 (control port)? By default, Tor opens these ports on the loopback interface
 only.


 Paul

-- 
Noilson Caio Teixeira de Araújo
https://ncaio.wordpress
http://ncaio.ithub.com.br
https://br.linkedin.com/in/ncaio
https://twitter.com/noilsoncaio
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] hardening a tor relay

2014-05-23 Thread Roger Dingledine
On Fri, May 23, 2014 at 06:16:56PM -0300, Noilson Caio wrote:
 Block all output like http and smtp in my netfilter (Gnu Linux);
 
 -A OUTPUT -p tcp -m tcp --dport 80 -j DROP
 -A OUTPUT -p tcp -m tcp --dport 110 -j DROP
 etc ..

Relays need to allow connections to all outgoing ports.

If you do lines like the above, your Tor relay will be unable to reach
other Tor relays that chose port 80 or port 110 for their ORPort or
their DirPort. (People choose those ports because some users are behind
firewalls that only allow connections to those ports.)

https://www.torproject.org/docs/faq#OutboundPorts

--Roger
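As an added example (not code from the thread or from the Tor project), a small Python checker that applies Roger's point: it scans an iptables-save dump for OUTPUT rules that DROP or REJECT outbound TCP ports and compares each port against the relay's ExitPolicy, showing that such a rule either duplicates what ExitPolicy already rejects or silently contradicts it, and in both cases stops the relay reaching other relays that use that port for their ORPort or DirPort. The dump and policy below are constructed to mirror Noilson's post; treating a port that matches no ExitPolicy line as accepted is a simplifying assumption of this checker.

```python
import shlex

# Constructed sample modelled on the rules and ExitPolicy quoted in the
# thread; not a dump taken from any real relay.
IPTABLES_DUMP = """\
*filter
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j REJECT
COMMIT
"""
EXIT_POLICY = ["accept *:22", "accept *:443", "accept *:465",
               "accept *:995", "accept *:993", "reject *:*"]


def blocked_output_ports(dump):
    """Destination ports whose outbound TCP connections an OUTPUT rule
    DROPs or REJECTs (for a port range, the first port is reported)."""
    ports = []
    for line in dump.splitlines():
        if not line.startswith("-A OUTPUT"):
            continue
        argv = shlex.split(line)
        if "-p" in argv and argv[argv.index("-p") + 1] != "tcp":
            continue
        if "--dport" not in argv or "-j" not in argv:
            continue
        if argv[argv.index("-j") + 1] not in ("DROP", "REJECT"):
            continue
        ports.append(int(argv[argv.index("--dport") + 1].split(":")[0]))
    return ports


def exit_policy_verdict(policy, port):
    """First-match evaluation of ExitPolicy lines for a destination port."""
    for entry in policy:
        action, _, spec = entry.partition(" ")
        portspec = spec.rsplit(":", 1)[1]          # "*", "443" or "80-90"
        if portspec == "*":
            return action
        lo, _, hi = portspec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return action
    return "accept"   # assumption: unmatched port treated as accepted


def audit(dump, policy):
    """Per blocked port, explain why the netfilter rule hurts the relay."""
    findings = {}
    for port in blocked_output_ports(dump):
        if exit_policy_verdict(policy, port) == "reject":
            findings[port] = (f"redundant: ExitPolicy already rejects exit "
                              f"traffic to {port}; the OUTPUT rule only stops "
                              f"reaching relays with ORPort/DirPort {port}")
        else:
            findings[port] = (f"contradicts ExitPolicy: port {port} is "
                              f"advertised as allowed but silently dropped, "
                              f"and relay-to-relay reachability on it is lost")
    return findings
```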
