Re: [tor-relays] Blocking outbound 22 or no?
On 05.10.2017 19:08, AMuse wrote:
> Hi all! I'm getting a number of ISP Abuse complaints around outbound ssh brute-forcing from our exit relay.
>
> I'm personally of the opinion that people should run fail2ban (or equiv) and get on with life and I generally ignore the complaints - but wondered, what are other operators doing?
>
> Is anyone exit-policy blocking outbound 22 to make the internet a kinder place? Is anyone refusing to on principle?

I'm generally refusing to block ports on my exit relay. Tor is supposed to be an overlay network and I love to be able to use it for anything TCP :)

I personally think the internet would be a kinder place if all ports were open on exit relays, making the most out of the Tor network... And if all kinds of people would use Tor, even if they don't directly know it. (I'd love to see it integrated in the Gnome Desktop for example)

That said, I had to disable port 25 some time ago, but I did so after quite some discussions with my ISP and will ask again about enabling it. They had one semi-valid fear about email spam, but that's a different story.

thanks
martin

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Blocking outbound 22 or no?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/05/2017 08:55 PM, tor-relay.d...@o.banes.ch wrote:
> In the end we disabled port 22. After all - any sysadmin who wants
> to have peace and ever looked at an ssh config will have their listen
> port somewhere else than 22.

+1 disabled exit port 22 here long time ago.

- --
Toralf
PGP C4EACDDE 0076E94E
-----BEGIN PGP SIGNATURE-----

iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWdan3RccdG9yYWxmLmZv
ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTkI2AP9XMFbHoMeF9JKXVZsWM/45AiTK
X3FqRZlSmWIlvR+iswD/UMHgiDQAKChAq6bvl3Mo+HqN9V4IvQgOEuiAuQ4ZZrk=
=Impi
-----END PGP SIGNATURE-----
Re: [tor-relays] Blocking outbound 22 or no?
Good Evening,

What Dirk just described is exactly what happened here. Timeframe matches and I disabled port 22 as well. Adjusting the port for your own system seems to be a good idea and it is working very well for me.

--
Sincerely yours / M.f.G. / Sincères salutations

Sebastian Urbach

---
Those who surrender freedom for security will not have, nor do they deserve, either one.
---
Benjamin Franklin (1706-1790)

On 5 October 2017 20:55:54, tor-relay.d...@o.banes.ch wrote:
> Hello AMuse,
>
> we faced the same about 1-2 months ago. Actually people use fail2ban which creates abuse mails to your provider. That's not new. But recently the abuse mails have risen to numbers which lead us to believe there are actually more people abusing ssh via tor than people really using it.
>
> In the end we disabled port 22. After all - any sysadmin who wants to have peace and ever looked at an ssh config will have their listen port somewhere else than 22.
>
> best regards
> Dirk
>
> On 05.10.2017 19:08, AMuse wrote:
>> Hi all! I'm getting a number of ISP Abuse complaints around outbound ssh brute-forcing from our exit relay.
>>
>> I'm personally of the opinion that people should run fail2ban (or equiv) and get on with life and I generally ignore the complaints - but wondered, what are other operators doing?
>>
>> Is anyone exit-policy blocking outbound 22 to make the internet a kinder place? Is anyone refusing to on principle?
[tor-relays] Quintex Exit Relays
All,

I am performing some operating system upgrades and my exit nodes may be down for a period of time. Just a heads up.

John
Re: [tor-relays] Blocking outbound 22 or no?
Hello AMuse,

we faced the same about 1-2 months ago. Actually people use fail2ban which creates abuse mails to your provider. That's not new. But recently the abuse mails have risen to numbers which lead us to believe there are actually more people abusing ssh via tor than people really using it.

In the end we disabled port 22. After all - any sysadmin who wants to have peace and ever looked at an ssh config will have their listen port somewhere else than 22.

best regards
Dirk

On 05.10.2017 19:08, AMuse wrote:
> Hi all! I'm getting a number of ISP Abuse complaints around outbound
> ssh brute-forcing from our exit relay.
>
> I'm personally of the opinion that people should run fail2ban (or
> equiv) and get on with life and I generally ignore the complaints -
> but wondered, what are other operators doing?
>
> Is anyone exit-policy blocking outbound 22 to make the internet a
> kinder place? Is anyone refusing to on principle?
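Dirk's point is that the abuse mails are produced by fail2ban-style tooling on the far end: a host counts failed SSH logins per source address and reports the exit's IP once a threshold is crossed. The following is an added example, not code from the list or from fail2ban, showing that counting and the sliding-window threshold (fail2ban's maxretry within findtime) run over constructed sshd log lines that use documentation IP ranges. The syslog timestamps carry no year, so the example assumes all lines fall within one year.

```python
"""Find SSH password-guessing sources in sshd log lines, the way a fail2ban
sshd jail does: flag a source once maxretry failures fall within findtime
seconds.

Added example, not code from the tor-relays list or from fail2ban.  The
log lines below are constructed for illustration and use documentation IP
ranges; syslog timestamps carry no year, so they are assumed to fall within
one year.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Matches the standard OpenSSH "Failed password" message for both existing
# accounts and "invalid user" attempts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

Event = Tuple[datetime, str, str]  # (time, source ip, attempted user)


def parse_failed_logins(lines: List[str]) -> List[Event]:
    """Extract (time, source ip, user) from every failed-password line."""
    events: List[Event] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def failures_by_source(events: List[Event]) -> Dict[str, int]:
    """Total failed logins per source address (what an abuse report cites)."""
    return dict(Counter(ip for _, ip, _ in events))


def sources_to_ban(events: List[Event], maxretry: int = 5,
                   findtime: int = 600) -> Set[str]:
    """A source is flagged when any maxretry consecutive failures from it
    fall within findtime seconds (a sliding window over its own events)."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged: Set[str] = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged.add(ip)
                break
    return flagged


# Constructed sample log (documentation addresses, invented hostnames/PIDs).
SAMPLE_LOG = [
    "Oct  5 19:08:01 relay sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Oct  5 19:08:03 relay sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Oct  5 19:08:04 relay sshd[4243]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Oct  5 19:08:06 relay sshd[4244]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Oct  5 19:08:07 relay sshd[4245]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2",
    "Oct  5 19:15:00 relay sshd[4300]: Failed password for martin from 198.51.100.7 port 40001 ssh2",
    "Oct  5 19:15:30 relay sshd[4301]: Accepted publickey for martin from 198.51.100.7 port 40002 ssh2: ED25519 SHA256:constructed",
    "Oct  5 19:40:00 relay sshd[4400]: Failed password for root from 198.51.100.7 port 40010 ssh2",
]

if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("failures per source:", failures_by_source(evs))
    print("sources over threshold (5 in 600 s):", sources_to_ban(evs))
```

The second source in the sample has two failures half an hour apart, which is the ordinary-user case the window is meant to leave alone; only the burst from the first source crosses the threshold. The same per-source totals are what end up in the complaint an exit operator receives, since the exit's address is the only one the reporting host sees.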
[tor-relays] Blocking outbound 22 or no?
Hi all! I'm getting a number of ISP Abuse complaints around outbound ssh brute-forcing from our exit relay.

I'm personally of the opinion that people should run fail2ban (or equiv) and get on with life and I generally ignore the complaints - but wondered, what are other operators doing?

Is anyone exit-policy blocking outbound 22 to make the internet a kinder place? Is anyone refusing to on principle?
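AMuse asks whether operators block outbound 22 in their exit policy. The following is an added example, not code from the list or from the Tor project: a small evaluator for torrc-style ExitPolicy entries (accept/reject, "*" or IPv4 address or CIDR, "*" or a port or a range, first matching entry wins) so an operator can see exactly which destinations a policy edit such as "reject *:22" changes before reloading the relay. The two policies at the bottom are constructed for illustration, and the behaviour when no entry matches is passed in explicitly rather than taken from Tor's appended default policy.

```python
"""Evaluate a Tor-style ExitPolicy against a destination.

Added example, not code from the tor-relays list or from the Tor project.
Assumed syntax (the torrc forms seen in the thread and the tor manual):
each entry is "accept ADDR:PORTS" or "reject ADDR:PORTS", where ADDR is
"*", an IPv4 address or an IPv4 CIDR block, and PORTS is "*", a single
port, or "LOW-HIGH".  Entries are tried in order and the first match
decides; what happens when nothing matches is passed in as `default`.
"""
import ipaddress
from typing import List, Optional, Tuple

# (allow?, network or None for "*", first port, last port)
Rule = Tuple[bool, Optional[ipaddress.IPv4Network], int, int]


def parse_rule(entry: str) -> Rule:
    """Parse one "accept ADDR:PORTS" / "reject ADDR:PORTS" entry."""
    action, _, pattern = entry.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in policy entry: {entry!r}")
    addr, _, ports = pattern.strip().rpartition(":")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in policy entry: {entry!r}")
    return (action == "accept", network, lo, hi)


def parse_policy(lines: List[str]) -> List[Rule]:
    """Parse torrc lines: an optional "ExitPolicy " keyword and
    comma-separated entries on one line are accepted, comments skipped."""
    rules: List[Rule] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("ExitPolicy "):
            line = line[len("ExitPolicy "):]
        for entry in line.split(","):
            rules.append(parse_rule(entry))
    return rules


def exit_allowed(policy: List[Rule], dest_ip: str, dest_port: int,
                 default: bool = False) -> bool:
    """First matching rule wins; `default` applies if none matches."""
    ip = ipaddress.ip_address(dest_ip)
    for allow, network, lo, hi in policy:
        if network is not None and ip not in network:
            continue  # address pattern does not cover this destination
        if not lo <= dest_port <= hi:
            continue  # port pattern does not cover this destination
        return allow
    return default


def changed_ports(old: List[Rule], new: List[Rule], dest_ip: str,
                  ports: List[int]) -> List[int]:
    """Ports (out of `ports`) whose outcome differs between two policies,
    so an operator can see exactly what a policy edit does."""
    return [p for p in ports
            if exit_allowed(old, dest_ip, p) != exit_allowed(new, dest_ip, p)]


# Constructed policies for illustration (not any listed relay's actual torrc).
OPEN_POLICY = ["ExitPolicy accept *:*"]
NO_SSH_POLICY = ["ExitPolicy reject *:22",
                 "ExitPolicy reject *:25",
                 "ExitPolicy accept *:*"]

if __name__ == "__main__":
    old, new = parse_policy(OPEN_POLICY), parse_policy(NO_SSH_POLICY)
    print("port 22 allowed under open policy:", exit_allowed(old, "198.51.100.10", 22))
    print("port 22 allowed after reject *:22:", exit_allowed(new, "198.51.100.10", 22))
    print("ports whose outcome changed:",
          changed_ports(old, new, "198.51.100.10", [22, 25, 80, 443, 2222]))
```

Because the first match decides, the order of entries matters: a "reject *:22" placed after "accept *:*" would never be reached, which is the kind of mistake `changed_ports` makes visible before the relay is reloaded.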
Re: [tor-relays] Feedback wanted: letter to my university's library
Kenneth Freeman wrote:
> On 10/03/2017 11:31 PM, Scott Bennett wrote:
>> They have refused to let me speak with those making the decisions about
>> what is provided on their public computers, much less to make an organized
>> presentation to them. I was told that the decisions about software on the
>> computers are made by the library board, not even by the IT staff. What is
>> a good approach to get better results? I am at a loss as to how to get the
>> library to emerge from the stone age into the age of the Cheka, much less
>> that of the NSA, FSB, search engine profilers, botnets, packet sniffers,
>> spyware, etc.
>
> One might think that providing the Tor browser would be a no-brainer,
> but that's not the case in the Boise Public Library system. The

Here, assuming that they have living brains may be unwarranted.

> bureaucratic inertia is a very real thing, so good luck getting them to
> install relays and exits too! First things first.
>

I have never asked them to do any such thing. All I've asked for was the clients. The answer has simply been "No" with no explanation whatsoever provided.

Sorry to hear that the Boise library is also in the Dark Ages. :--( Be careful not to get burned at the stake.

Scott Bennett, Comm. ASMELG, CFIAG
**************************************************************************
* Internet:       bennett at sdf.org   *xor*   bennett at freeshell.org  *
**************************************************************************
* "A well regulated and disciplined militia, is at all times a good      *
* objection to the introduction of that bane of all free governments     *
* -- a standing army."                                                   *
*    -- Gov. John Hancock, New York Journal, 28 January 1790             *
**************************************************************************
Re: [tor-relays] AU Relays and data retention
> Paul wrote
> I did speak to a lawyer and there is no requirement to retain any data if
> you run a node. It's treated as a VPN.
>
> My question that I sent was more about whether a service (non commercial
> service) was exempt.
> They don't delineate.
>

Thank you for setting us straight.

Robert
Re: [tor-relays] AU Relays and data retention
teor wrote:
>> On 4 Oct 2017, at 22:52, teor wrote:
>>
>> But I'm not a lawyer, so you should get your own lawyer.
>> Or run a relay outside Australia.
>
> Or run an exit, because exits never know client IP addresses.
> All they know is the destination. And internet destinations are
> excluded from Australia's retention regime.
>

That might not be good enough. An Exit node can also be an entry point to the tor network. An Exit node can also even be a Guard node. Also, an exit node need not be an Exit node, depending upon the particular ExitPolicy involved.

Scott Bennett, Comm. ASMELG, CFIAG
**************************************************************************
* Internet:       bennett at sdf.org   *xor*   bennett at freeshell.org  *
**************************************************************************
* "A well regulated and disciplined militia, is at all times a good      *
* objection to the introduction of that bane of all free governments     *
* -- a standing army."                                                   *
*    -- Gov. John Hancock, New York Journal, 28 January 1790             *
**************************************************************************
Re: [tor-relays] Feedback wanted: letter to my university's library
William Denton wrote:
> On 4 October 2017, Scott Bennett wrote:
>
>> Let me give an example. I have for at least ten years asked my local
>> public library to provide a) a secure shell client, b) a secure web browser
>> for ordinary use where anonymity is not a concern, c) a secure FTP client,
>> and d) the TBB for use by those who desire anonymity. They have always
>> refused to budge. They run an unsecurable OS on their public computers. They
>> provide only Internet Explorer for web access. I'm unsure whether they still
>> allow any FTP access at all. As you can imagine, they have severely limited
>> the usefulness of their computers to the library patrons they claim to serve.
>> I could not, for example, submit my on-line application to renew my flight
>> instructor certificate via the library's computers. *

* I missed a beat here. The procedure for renewing a flight instructor certificate on-line includes an FAA requirement to "digitally sign" the web-based application for renewal. The procedure is a farce that bears no resemblance to what the security community understands to be a digital signature. That also means that the FAA may *not* be in compliance with the federal government's own standard (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf). The fact that the FAA's system is not in compliance with the above referenced federal standard means that the FAA may possibly be in violation of the Computer Security Act of 1987 and/or the Information Technology Reform Act of 1996. But it was recommended to me by [identity withheld] that I *not* contact the FAA to point out this problem to them in hopes of getting them to correct it because they *allegedly* might revoke my instructor certificate for not "properly" representing the FAA's view of things. IOW, representing the NIST's [correct] view of things could get me punished by the FAA.

I stress here that I do not know whether that recommendation was accurate in its claim, but I think it clearly illuminates the climate of fear and distrust that exists toward all levels of government in the USA these days. If simply posting this here gets my CFI revoked, I will (attempt to) let you know. (Actually, I'm not terribly worried, but I have to admit to the possibility.)

>> They have refused to let me speak with those making the decisions about
>> what is provided on their public computers, much less to make an organized
>> presentation to them. I was told that the decisions about software on the
>> computers are made by the library board, not even by the IT staff. What is
>> a good approach to get better results?
>
> I fear there is nothing you can do. If they're like that, it's not going to
> change until there's a new chief librarian or head of library IT. Public
> libraries can be terrible for problems like this. When the right person is in
> the right job, they can move fast and experiment, but that's rare. When a
> library thinks offering only IE is the right thing to do, Tor must terrify
> them.

I was afraid that would be the response a presumably honest, IT-aware librarian might give, but I didn't know until now. Sigh. Thanks for the clear answer. :-( FWIW, my guess is that the board is way too clueless to be terrified, but rather that they simply are so hostile to any change, especially when proposed by someone not a library employee, that they simply cannot permit it, regardless of any other considerations. That's, again, only my guess, but I'm somewhat attached to it by experience. :->

> But if you can't speak to the public library board there's a problem much bigger
> than what they run on their computers! That is just not right. Public

My thoughts exactly.

> libraries have to be responsible to their public. Could your city councillor

This is Illinois. "Governmental bodies" and "responsible to their public" are incompatible sentencemates here. Please try your luck again. (Hint: land (re)development deals are often viewed favorably.) This is the state that requires budgets to be balanced, but where lack of *any* budget for nearly three fiscal years was not considered a breach of the state constitution.

> help? The local newspaper?

My city councilcritter has generally been unreceptive to my suggestions on all issues I have ever discussed with him. The local newspaper was bought up long ago by one of the media oligarchs. It is marginally useful for local news only, but not at all worth its price. Most people don't bother with it, so even if the handful of local reporting staff and editor were agreeable, it would likely matter not a whit. Much there has changed unrecognizably since the days before it was bought out.

> Good luck! It's a shame your local library is ignoring someone with your
> expertise.
>

Thanks, Bill. Perhaps talking these things up with local social activists with more energy than I have these days m