Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-05-28 Thread klarheit
Apr 5, 2021, 10:34 by cristiano...@gmail.com:

> I have a Relay and a Bridge up and running with ssh password disabled, ssh
> port changed and fail2ban installed.
>
> With that I noticed that one particular IP was trying to ssh into both my machines,
> and that IP belongs to Liberty Global, an Anglo-Dutch-American
> telecommunications company which is the owner of Virgin Media, UPS and
> Vodafone.
>
> I was wondering, why is this company trying to ssh into my Tor machines?
>

It could be an exposed router on their network someone is using to probe you.
Just ban like you're currently doing, restrict to specific IPs, and/or change your
SSH port; that is about all you can do. SSH scanning bots out there are as numerous
as plankton, it seems. XD
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-06 Thread William Kane
It might not belong to Liberty Global itself even though it was
registered as such but to one of their subsidiaries, likely Virgin
Media or Vodafone.

Random SSH probes happen very frequently, it's nothing to worry about
if you deny root login, force public key (Ed25519 if your version of
sshd supports it) authentication and make use of the AllowUsers config
variable.

Fail2Ban is useless bloatware in my opinion, you can do the same with
iptables natively.

- William

On 05/04/2021, Cristiano Kubiaki Gomes  wrote:
> I have a Relay and a Bridge up and running with ssh password disabled, ssh
> port changed and fail2ban installed.
>
> With that I noticed that one particular IP was trying to ssh into both my
> machines, and that IP belongs to Liberty Global, an Anglo-Dutch-American
> telecommunications company which is the owner of Virgin Media, UPS and
> Vodafone.
>
> I was wondering, why is this company trying to ssh into my Tor machines?
>
> Has anyone else noticed this?
>
> I am afraid to share the company IP here because they could be on this
> list, and they could use one IP to target a specific subject, and if I
> disclose that IP they could find me out
>
> It's just an FYI.
>
> Stay safe.
>
>
> --
> Cristiano Kubiaki
> Telegram | LinkedIn | Twitter
>
> ITIL - MCP - MCDST - MCTS - DCSE
>
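William's checklist (deny root login, public-key only, AllowUsers) can be turned into a quick audit of an sshd_config. The script below is an added example, not code from the list or from OpenSSH; it assumes OpenSSH's documented first-value-wins rule and its current defaults (PermitRootLogin prohibit-password, password and keyboard-interactive auth on), and the two sample configs and the user name relayadmin are constructed.

```python
"""Audit the global section of an sshd_config against the hardening advice
in this thread: no root login, no password authentication, public-key
authentication on, and an AllowUsers/AllowGroups restriction.

Added example for the thread, not code from the list or from OpenSSH.
The sample configs at the bottom are constructed for illustration.
"""
import re

# Defaults sshd applies when a directive is absent (OpenSSH 8.x/9.x; assumed).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# What the thread recommends: directive -> acceptable values.
WANTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    # keyboard-interactive is PAM's route to a password prompt; close it too
    "kbdinteractiveauthentication": {"no"},
}

# sshd accepts "Key value", "Key=value" and "Key = value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased key: value}.

    sshd keeps the FIRST value it sees for a directive, so later duplicates
    are ignored.  Parsing stops at the first Match block: directives inside
    it apply only to matching connections, and this audit is about the
    global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        # Deprecated alias OpenSSH still accepts for the keyboard-interactive switch.
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every recommendation
    from the thread is satisfied."""
    settings = parse_sshd_config(text)
    findings = []
    for key, acceptable in WANTED.items():
        value = settings.get(key, SSHD_DEFAULTS[key]).lower()
        if value not in acceptable:
            findings.append(f"{key} is {value!r}, want {sorted(acceptable)}")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


WEAK_CONFIG = """\
# constructed: a default-ish config that still trusts passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: what the thread recommends
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers relayadmin
# a later duplicate is ignored by sshd, so this does NOT reopen passwords
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against /etc/sshd_config after editing; a non-empty list is the reason the log fills up with password guesses rather than just connection noise.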


Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-06 Thread gerard
Surely it is one of their customers…

From: tor-relays  On Behalf Of 
Cristiano Kubiaki Gomes
Sent: 05 April 2021 16:34
To: tor-relays@lists.torproject.org
Subject: [tor-relays] ssh request from Virgin Media (Liberty Global)

I have a Relay and a Bridge up and running with ssh password disabled, ssh port
changed and fail2ban installed.

With that I noticed that one particular IP was trying to ssh into both my machines,
and that IP belongs to Liberty Global, an Anglo-Dutch-American
telecommunications company which is the owner of Virgin Media, UPS and Vodafone.

I was wondering, why is this company trying to ssh into my Tor machines?

Has anyone else noticed this?

I am afraid to share the company IP here because they could be on this
list, and they could use one IP to target a specific subject, and if I disclose
that IP they could find me out

It's just an FYI.

Stay safe.

--

Cristiano Kubiaki

Telegram <https://telegram.me/cris_kubiaki> | LinkedIn
<https://www.linkedin.com/in/cristianokubiaki/> | Twitter
<https://twitter.com/criskubiaki>

ITIL - MCP - MCDST - MCTS - DCSE



[tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-05 Thread Cristiano Kubiaki Gomes
I have a Relay and a Bridge up and running with ssh password disabled, ssh
port changed and fail2ban installed.

With that I noticed that one particular IP was trying to ssh into both my
machines, and that IP belongs to Liberty Global, an Anglo-Dutch-American
telecommunications company which is the owner of Virgin Media, UPS and
Vodafone.

I was wondering, why is this company trying to ssh into my Tor machines?

Has anyone else noticed this?

I am afraid to share the company IP here because they could be on this
list, and they could use one IP to target a specific subject, and if I
disclose that IP they could find me out

It's just an FYI.

Stay safe.


--
Cristiano Kubiaki
Telegram | LinkedIn | Twitter

ITIL - MCP - MCDST - MCTS - DCSE


Re: [tor-relays] SSH

2020-12-29 Thread George

On 9/21/20 7:52 AM, Logforme wrote:
> On 2020-09-21 11:19:20, "Андрей Гвоздев"  wrote:
> > Hello
> > I'm running a TOR relay, every time I SSH to my server I see a message
> > that there were thousands of failed login attempts
> > Do you see this message too?
>
> Exposing a SSH server to the internet will get you lots of login attempts.

Yes, this is normal for anyone running internet-facing systems, and
there are as many mitigations as there are sysadmins.

> Here are some things you SHOULD do to help the situation:
> Change the SSH default port.

Yes, this will lessen the number of entries in the relevant log file
until the brute force attackers get more intelligent. Just understand
this is not a security measure. It's more like a dose of obscurity to
make log files less noisy.

> Disable the root login.

+1

> Use key-based authentication.

+1

Those are important and vital security measures, as is employing some
sort of multi-factor authentication method like a Yubikey. (No,
officially key-based SSH auth is not formally MFA...)

But the two ways to actually address the problem are either:

* network or host-based firewalling to limit connections based on the
same source, rate, etc., which depends on the operating system you're
running.

* there are also tools like fail2ban and so on that are popular.

* if you're running FreeBSD or NetBSD, try Christos' blacklistd. It
might be ported to other OSs. If it's not, it should be...

HTH

g


Re: [tor-relays] SSH

2020-09-23 Thread lists

On 22.09.2020 20:34, George wrote:
> The great secret SSHD security hack that I feel uncomfortable mentioning
> on a public list is... do SSH over IPv6 if you can.  Seems like the bots
> haven't caught up to that yet.

;-)
Yeah, only 1 or 2 attempts/YEAR over IPv6, and that's a research project
from a German uni.

I block SSH DDoS attacks with the iptables recent module:

## Drop incoming connections which make more than 4 connection attempts
## upon port 22 within ten minutes
## To list these damned IPs: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP

Fail2ban, to block penetrants permanently:

[recidive]
enabled = true
# logpath = /var/log/fail2ban.log
# banaction = %(banaction_allports)s
bantime = -1 ; permanent
findtime = 86400 ; 1 day
maxretry = 6

I leave SSH on port 22, but pub-key auth is important,
and only one user or group is authorized to log in. See
AllowUsers user
AllowGroups sshusers

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
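To see what Marco's two "recent" rules do to a stream of connection attempts, here is an added simulation (not code from the post, from iptables or from the kernel's xt_recent module) that replays constructed attempts through the same --set / --update --seconds 600 --hitcount 4 pair; the source addresses and timings are made up. Because the --set rule stamps every new connection before the --update rule counts hits, the fourth attempt inside ten minutes is the first one dropped, and a source that keeps retrying inside the window stays dropped.

```python
"""Model of the two-rule iptables 'recent' chain from the post above:

  -m recent --name ssh --set
  -m recent --name ssh --update --seconds 600 --hitcount 4 -j DROP

Replays a constructed list of new SSH connections through the two rules
and reports which ones the DROP rule would catch.  Added example for the
thread; not code from the post, from iptables or from the kernel.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # --seconds 600
HITCOUNT = 4           # --hitcount 4
IP_PKT_LIST_TOT = 20   # xt_recent keeps at most this many stamps per address (module default)


class RecentList:
    """One named xt_recent table, i.e. /proc/net/xt_recent/<name>."""

    def __init__(self):
        # newest timestamp first, bounded like the kernel's per-entry list
        self.entries = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, ip, now):
        """--set: add the address (or stamp it again) with the current time."""
        self.entries[ip].appendleft(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if the address is listed
        and has at least N hits within the last S seconds.  On a match the
        entry's 'last seen' time is refreshed, as the man page describes."""
        if ip not in self.entries:
            return False
        hits = sum(1 for stamp in self.entries[ip] if now - stamp <= seconds)
        if hits >= hitcount:
            self.entries[ip].appendleft(now)
            return True
        return False


def filter_new_ssh_connection(table, ip, now):
    """Walk the two rules for one new TCP connection (state NEW) to port 22.
    Returns 'DROP', or 'ACCEPT' meaning the packet falls through to later rules."""
    table.set(ip, now)                                     # rule 1: always record the hit
    if table.update(ip, now, WINDOW_SECONDS, HITCOUNT):    # rule 2: count hits, drop
        return "DROP"
    return "ACCEPT"


def replay(attempts):
    """Replay (seconds, source_ip) pairs in time order; return (t, ip, verdict) tuples."""
    table = RecentList()
    return [(t, ip, filter_new_ssh_connection(table, ip, t)) for t, ip in sorted(attempts)]


# Constructed traffic: a scanner retrying every 30 s, then again after a pause,
# and an admin connecting twice (documentation-range addresses).
SCANNER = "203.0.113.7"
ADMIN = "198.51.100.2"
ATTEMPTS = [
    (0, SCANNER), (5, ADMIN), (30, SCANNER), (60, SCANNER),
    (90, SCANNER), (120, SCANNER), (800, SCANNER), (2000, ADMIN),
]


def verdicts_for(ip, attempts=ATTEMPTS):
    """Verdicts for one source, in time order."""
    return [verdict for _, src, verdict in replay(attempts) if src == ip]


if __name__ == "__main__":
    for t, ip, verdict in replay(ATTEMPTS):
        print(f"t={t:5d}s  {ip:15s}  {verdict}")
```

The same arithmetic applies to your own address: four new connections from one IP within ten minutes (a scripted deploy, a few fat-fingered logins) get that IP dropped until the window has drained, so keep a second path in, such as the provider's console.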


Re: [tor-relays] SSH

2020-09-22 Thread George
breaking the top-post

> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?


This is one of those issues that you figure out your own preferred
method over time as you run public services over the internet.

First, where do you see the message? Not sure about your operating
system, but if it's dumping the failed logins to your screen and you're
on a Unix-like operating system, you should probably check your
/etc/syslog.conf.  Dumping failed ssh logins to a file like
/var/log/authlog makes more sense.

Second, make sure you're following the basics with SSHD security.
Require keys or Yubikey etc and don't rely on password security for SSH
access.

You could consider fail2ban and similar tools, but consider either your
host-based firewall or better yet, an upstream network firewall.
Rate-limiting SSH attempts, blacklisting based on bogon addresses, etc,
will bring you part of the way.

IMHO, the less third-party software you install on a Tor relay, the
better off you are.  More code means more surface area and more bugs.

The standard tenet of "there's no security with obscurity" rings true,
but we're talking about log noise here, not security. Therefore, you
might want to consider changing the TCP port SSHD is listening on. It
will likely decrease the noise level.

The great secret SSHD security hack that I feel uncomfortable mentioning
on a public list is... do SSH over IPv6 if you can.  Seems like the bots
haven't caught up to that yet.

g


Re: [tor-relays] SSH

2020-09-22 Thread ylms
Hello again,
if you set up Fail2ban or similar, please make sure it does not send out
abuse emails; Fail2ban spam or similar is a lot of work for Tor Exit
operators.

Regards
yl


On 9/21/20 11:19 AM, Андрей Гвоздев wrote:
> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?


Re: [tor-relays] SSH

2020-09-21 Thread Dr Gerard Bulger
I also found fail2ban had much less work to do, banning a handful a day, not a
thousand, by stopping ssh password authentication and using private key
authentication.  Something I should have done from the start anyway.
It seems that if a server sends public key on attempted login and refuses
password, it stops the kiddies/robots from trying anymore.

Gerry





-Original Message-
From: tor-relays  On Behalf Of Toralf 
Förster
Sent: 21 September 2020 14:53
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH

On 9/21/20 1:52 PM, Logforme wrote:
> Change the SSH default port.
AFAICT that helped but only for a while.
After few weeks/months the non-default port is discovered by (a probably more 
extensible port scan) and the failed login attempts continued.

-- 
Toralf




Re: [tor-relays] SSH

2020-09-21 Thread Foxy
Try setting it so it bans after 3 failed attempts

On Mon, Sep 21, 2020, 7:53 AM Toralf Förster  wrote:

> On 9/21/20 1:52 PM, Logforme wrote:
> > Change the SSH default port.
> AFAICT that helped but only for a while.
> After few weeks/months the non-default port is discovered by (a probably
> more extensible port scan) and the failed login attempts continued.
>
> --
> Toralf
>


Re: [tor-relays] SSH

2020-09-21 Thread Toralf Förster
On 9/21/20 1:52 PM, Logforme wrote:
> Change the SSH default port.
AFAICT that helped but only for a while.
After few weeks/months the non-default port is discovered by (a probably more 
extensible port scan) and the failed login attempts continued.

-- 
Toralf



Re: [tor-relays] SSH

2020-09-21 Thread Marco Predicatori
Андрей Гвоздев wrote on 9/21/20 11:19 AM:
> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?

Plenty, don't worry. Any IP with the ssh port open is targeted. Make sure you
keep your server safe as suggested in the other answers. Fail2ban may also help.

Bye, Marco
https://metrics.torproject.org/rs.html#details/A4E74410D83705EEFF24BC265DE2B2FF39BDA56E


Re: [tor-relays] SSH

2020-09-21 Thread lists

On 21.09.2020 11:19, Андрей Гвоздев wrote:
> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?


Maybe my step by step instructions can help.
Ignore the PIVX stuff.

https://forum.pivx.org/index.php?threads/howto-setup-masternode-or-staker-wallet-behind-tor.588/

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


Re: [tor-relays] SSH

2020-09-21 Thread Lars Noodén
On 9/21/20 12:19 PM, Андрей Гвоздев wrote:
> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?

That is normal for any outwardly facing SSH server, Tor or not.  The
established best practice is considered to be deploying SSH key- or SSH
certificate-based authentication and then disabling password
authentication.


Re: [tor-relays] SSH

2020-09-21 Thread Logforme
On 2020-09-21 11:19:20, "Андрей Гвоздев"  wrote:
> Hello
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?

Exposing a SSH server to the internet will get you lots of login
attempts.

Here are some things you SHOULD do to help the situation:
Change the SSH default port.
Disable the root login.
Use key-based authentication.



Re: [tor-relays] SSH

2020-09-21 Thread ylms


On 9/21/20 11:19 AM, Андрей Гвоздев wrote:
> I'm running a TOR relay, every time I SSH to my server I see a message
> that there were thousands of failed login attempts
> Do you see this message too?

I think this is quite normal, for any server, if you do not run any
service that blocks IPs after n failed login attempts.

Always make sure to fix any zero days in your SSH service fast and use a
safe authentication method (maybe key based).

Regards
yl


[tor-relays] SSH

2020-09-21 Thread Андрей Гвоздев
Hello
I'm running a TOR relay, every time I SSH to my server I see a message
that there were thousands of failed login attempts
Do you see this message too?


Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-09-16 Thread Matt Corallo
I've taken to contacting the sender of the automated abuse reports and
noting that sending such emails may actually not be legal (at least in
the US) under CAN-SPAM. In some cases I've seen positive response as
people aren't even aware their random server with fail2ban is sending
these things.

Matt

On 8/29/19 11:26 PM, AMuse wrote:
> Hi all! I'm curious what y'all think of this situation.
> 
> I have SSH open as an exit port on a TOR exit that my friends and I are
> maintaining - and of course it's the #1 offender by far in automated
> abuse notifications we get from our ISP, from peoples' fail2ban servers
> sending abuse emails. This all seems like a huge waste of time, but
> that's a separate issue.
> 
> I'm wondering if nerfing outbound SSH to rate limit will be effective at
> getting the SSH scanning bots to stop using my exit in their circuit,
> while leaving SSH open for actual humans who need to SSH while using TOR.
> 
> I've implemented, as a test, rate limiting outbound on the SSH port. 
> What do you think the impact of this will be?  No impact? Losing exit
> status because connections on SSH die?  Something else entirely?
> 
> Here's the pf rules in question:
> 
> pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state
> 
> pass in on $ext_if proto tcp from any to any port 22 keep state
> 
> pass in on $ext_if proto tcp from any to any port 80 keep state
> 
> pass out on $ext_if from any to any keep state
> 
> pass out on $ext_if proto tcp from any to any port 22 keep state
> (max-src-conn 25, max-src-conn-rate 1/5 )
> 
> 


Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread teor
Hi,

> On 30 Aug 2019, at 09:26, AMuse  wrote:
> 
> I have SSH open as an exit port on a TOR exit that my friends and I are 
> maintaining - and of course it's the #1 offender by far in automated abuse 
> notifications we get from our ISP, from peoples' fail2ban servers sending 
> abuse emails. This all seems like a huge waste of time, but that's a separate 
> issue.
> 
> I'm wondering if nerfing outbound SSH to rate limit will be effective at 
> getting the SSH scanning bots to stop using my exit in their circuit, while 
> leaving SSH open for actual humans who need to SSH while using TOR.

I ran some large exits from 2016-2018, and I thought about this issue a lot.
Usually while dealing with automated abuse mails.

Ideally, we want a DoS mode that:
* allows the first connection from a circuit at full speed
* with each extra rapid connection, gradually slows connections from the
  same circuit

There's a bunch of fine tuning we could do by port, traffic volume,
and how busy other circuits are.

But that needs to be implemented in Tor, because only Tor can see circuits.

> I've implemented, as a test, rate limiting outbound on the SSH port.  What do 
> you think the impact of this will be?  No impact?

Probably.

> Losing exit status because connections on SSH die?

Unlikely. I think Exitmap only measures HTTP(S).

> Something else entirely?

Maybe scanners will move to another exit.

Maybe some SSH connections will be blocked, you should set your exit in
a client's torrc and try it out:

ExitNodes (fingerprint)
StrictNodes 1

T


[tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread AMuse
Hi all! I'm curious what y'all think of this situation.

I have SSH open as an exit port on a TOR exit that my friends and I are
maintaining - and of course it's the #1 offender by far in automated abuse
notifications we get from our ISP, from peoples' fail2ban servers sending
abuse emails. This all seems like a huge waste of time, but that's a
separate issue.

I'm wondering if nerfing outbound SSH to rate limit will be effective at
getting the SSH scanning bots to stop using my exit in their circuit, while
leaving SSH open for actual humans who need to SSH while using TOR.

I've implemented, as a test, rate limiting outbound on the SSH port.  What
do you think the impact of this will be?  No impact? Losing exit status
because connections on SSH die?  Something else entirely?

Here's the pf rules in question:

pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state

pass in on $ext_if proto tcp from any to any port 22 keep state

pass in on $ext_if proto tcp from any to any port 80 keep state

pass out on $ext_if from any to any keep state

pass out on $ext_if proto tcp from any to any port 22 keep state (max-src-conn 25, max-src-conn-rate 1/5)


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Nathaniel Suchy
> Using an obscure port only prevents attempts being logged, nothing else.
And if you’re going to use an alternate port, pick one under 1024. Make it
so an attacker needs to be root before they replace your sshd process.
If you take that approach, make sure you are using a hardware firewall
blocking inbound connections to ports above 1024.

Also SSH Keys, password auth disabled is enough - you don't even need to
change your SSH port :D

On Tue, Sep 4, 2018 at 8:44 AM Sean Brown  wrote:

> On Sep 4, 2018, at 8:40 AM, Natus  wrote:
> >
> >> Use some tool like fail2ban and/or ssh key authentication.
> >
> > Also change the default port of your ssh endpoint (eg: )
> >
> >
>
>
> Using an obscure port only prevents attempts being logged, nothing else.
> And if you’re going to use an alternate port, pick one under 1024. Make it
> so an attacker needs to be root before they replace your sshd process.


Re: [tor-relays] SSH login attempts

2018-09-04 Thread arisbe

Hello Marcus,

On an ongoing basis, most of my relays get up to 4000 attempts each 
day.  It's standard practice I guess!  Many, many are from just a few IP 
addresses.  The rest are just a few per IP address. Occasionally, I will 
go beyond the fail2ban "ban" and block an IP address in iptables  via 
ufw.  I then unblock that IP address in a week or two.  I set fail2ban 
for long blocks maybe up to 12 hours (43000-seconds).


So, harden your operating system as best you can.  SSH works but disable 
the password entry, X11, etc. if possible.  This is always safe if your 
provider has a dashboard for you to use as a secondary access to the 
server.  I change my SSH port number but that only slows the
professionals by minutes or seconds.  Remember to change the fail2ban
SSH port number if you do that.  Your host provider should have DDoS 
protection for his/her entire plant.


And don't sweat it!  Learn from the experiences.


On 9/4/2018 5:35 AM, Marcus Wahle wrote:
> Dear all,
>
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login
> attempts from different IPs.
> Is there anybody else affected?
>
> Best regards
> Marcus


--
One person's moral compass is another person's face in the dirt.



Re: [tor-relays] SSH login attempts

2018-09-04 Thread Roman Mamedov
On Tue, 4 Sep 2018 18:44:55 +0100
 wrote:

> Waste of time move SSH port?  My fail2ban has hardly anything to do since 
> moving port some time back

Yes, it is. And you might as well remove fail2ban altogether if you simply have
key-based auth and disable passwords.

-- 
With respect,
Roman


Re: [tor-relays] SSH login attempts

2018-09-04 Thread gerard
Waste of time move SSH port?  My fail2ban has hardly anything to do since 
moving port some time back. Very rarely does it see any attempts on my new odd 
number SSH port, but on port 22 the attacks were continuous.   I agree in terms 
of security for a determined hacker moving port does nothing.

Gerry
-Original Message-
From: tor-relays  On Behalf Of Michael 
Brodhead
Sent: 04 September 2018 18:36
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH login attempts

FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.

Turn off password logins and take good care of your ssh keys. Moving sshd to a 
different port is a waste of time but harmless if you’re the only administrator.

—mkb  


> On Sep 4, 2018, at 5:35 AM, Marcus Wahle  wrote:
> 
> Dear all,
> 
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login
> attempts from different IPs.
> Is there anybody else affected?
> 
> Best regards 
> Marcus


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Michael Brodhead
FWIW I found sshguard easier to deal with on FreeBSD than fail2ban.

Turn off password logins and take good care of your ssh keys. Moving sshd to a 
different port is a waste of time but harmless if you’re the only administrator.

—mkb  


> On Sep 4, 2018, at 5:35 AM, Marcus Wahle  wrote:
> 
> Dear all,
> 
> Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login
> attempts from different IPs.
> Is there anybody else affected?
> 
> Best regards 
> Marcus


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Sean Brown


> On Sep 4, 2018, at 9:06 AM, Ralph Seichter  wrote:
> 
> On 04.09.2018 14:44, Sean Brown wrote:
> 
>> Using an obscure port only prevents attempts being logged, nothing
>> else.
> 
> I cannot agree with that. What an sshd logs is not determined by the
> port number it is listening on, and the quantity of failed login
> attempts across my servers is measurably lower when using a non-standard
> port.
> 

Ya, my mistake, I wasn’t clear. I don’t mean that sshd doesn’t log if it’s on a 
different port, I mean that only the worst bots won’t find it, cutting down on 
the amount of noise in the logs. If ssh is configured correctly (disable 
password, 2fa, keys etc.) password attempts are just noise.


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Ralph Seichter
On 04.09.2018 14:44, Sean Brown wrote:

> Using an obscure port only prevents attempts being logged, nothing
> else.

I cannot agree with that. What an sshd logs is not determined by the
port number it is listening on, and the quantity of failed login
attempts across my servers is measurably lower when using a non-standard
port.

-Ralph


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Lars Noodén
On 09/04/2018 03:41 PM, Marcus wrote:
> Thanks Paul,
> I use fai2ban, but this amount of failed logins is new to me.
> Marcus

The failed logins are business as usual.  If the machine is on the net,
then bots will find it no matter where it is or which port it listens
on.  But they usually move on after a while, too.

While running fail2ban/sshguard helps, and changing the port helps
slightly, the biggest change you can make if you haven't done it already
is to use key-based authentication and turn off password based
authentication, at least for the outward facing address(es) on your box.
It seems that many bots can tell when the SSH daemon will not respond
to passwords and move on without trying to actually log in.

/Lars


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Sean Brown
On Sep 4, 2018, at 8:40 AM, Natus  wrote:
> 
>> Use some tool like fail2ban and/or ssh key authentication.
> 
> Also change the default port of your ssh endpoint (eg: )
> 
> 


Using an obscure port only prevents attempts being logged, nothing else. And if 
you’re going to use an alternate port, pick one under 1024. Make it so an 
attacker needs to be root before they replace your sshd process.


Re: [tor-relays] SSH login attempts

2018-09-04 Thread nusenu


Marcus Wahle:
> Since 14:00 my logs (middle node) are spammed with around 100 failed
> ssh login attempts from different IPs. Is there anybody else
> affected?

I'd say that is business as usual and not much to worry about if you use strong 
authentication

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Marcus
Thanks Paul,
I use fai2ban, but this amount of failed logins is new to me.
Marcus

--
You can find my public certificate at:
https://web.tresorit.com/l#tDLNPX-QlTRTcpMEqRRSng
Am 04.09.2018 um 14:38 schrieb Paul Templeton :

>> Since 14:00 my logs (middle node) are spammed with around 100 failed
>> ssh login attempts from different IPs.
>> Is there anybody else affected?
> Yes - it's constant 3-5 attempts per second - that's normal.
> Use some tool like fail2ban and/or ssh key authentication.
> 
> Paul


Re: [tor-relays] SSH login attempts

2018-09-04 Thread I
> ssh key authentication.

and an obscure port



Re: [tor-relays] SSH login attempts

2018-09-04 Thread Natus
> Use some tool like fail2ban and/or ssh key authentication.

Also change the default port of your ssh endpoint (eg: )

-- 
regards, natus


Re: [tor-relays] SSH login attempts

2018-09-04 Thread Paul Templeton
> Since 14:00 my logs (middle node) are spammed with around 100 failed
> ssh login attempts from different IPs.
> Is there anybody else affected?
Yes - it's constant 3-5 attempts per second - that's normal.
Use some tool like fail2ban and/or ssh key authentication.

Paul


[tor-relays] SSH login attempts

2018-09-04 Thread Marcus Wahle
Dear all,

Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login 
attempts from different IPs.
Is there anybody else affected?

Best regards 
Marcus


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread tanous .c
Thank you all for replying,
I will answer the notification with the template mentioned by Rejo and
include the link for ExoneraTor recommended by Jon.

Best Regards,

Tanous


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
The instance I use for administrative purposes (SSH and APT) is a separate
one, client-only.

-Original Message-
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf
Of teor
Sent: Wednesday, October 4, 2017 5:49 AM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH brute force attempts to connect to my Middle
Relay IP address


> On 4 Oct 2017, at 02:26, Igor Mitrofanov <igor.n.mitrofa...@gmail.com>
wrote:
> 
> I have setup a (private, key-based) Tor hidden service for SSH
administration. It works well and leaves no extra open ports to attack.
> 
> If you also take advantage of package updates over Tor (via the local 
> SOCKS5 proxy that any Tor instance provides)

We don't recommend that you run a client and hidden service on the same tor
instance. It makes traffic correlation easier, because your traffic all goes
through the same guard. (There are probably some other reasons,
too.)

Depending on your threat model, this might not be an issue for you.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n





Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Jonathan Proulx
On Wed, Oct 04, 2017 at 02:32:10PM +0100, Robin wrote:
:I restrict SSH access with iptables allowing only access from two IP addresses 
(work, and home).
:I also disable root login (as many already do), as well as use the AllowUsers 
option in SSH.

Hard for me to tell if my Tor nodes get any more scans because I have
a similar IP restricted setup.

I can say a public login system that I run currently has 144 hosts
blacklisted by sshguard which means they've failed a number of login
attempts and at least one in the past 2 minutes, not sure what the
average size of that list is but that subjectively seems normalish.

Someone did apparently try to DoS my exit a couple weeks ago and
Akamai/Prolexic (contracted by my upstream provider so I had no
contacts) helpfully "mitigated" this by null routing the whole /24 it
was on :( This is more a fight between me and my provider but I still
have no response on what triggered that so can't provide any more
detail, it just eventually went away on its own.

-Jon




Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Jonathan Proulx
Here's my version of the same:

Hello,

The source address 128.52.128.105 is a Tor exit node, and is not the
origin point for the traffic in question.  See
http://tor-exit.csail.mit.edu (which is the host in your logs) for
details.  Any action taken on this node would simply result in the
problem traffic using a different exit.

For further information please read http://tor-exit.csail.mit.edu/ the
bottom of this page includes information on how to block all Tor exits
should you wish to do so (including links to get a list of all current
Tor exits).

Sincerely,
The Infrastructure Group
MIT Computer Science and Artificial Intelligence Laboratory

I recently learned about https://exonerator.torproject.org/ if you
don't have a large institutional name to hide behind like I do you
may want to include that in whatever response you use to lend
credibility to your exit claim.

-Jon


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Robin
I restrict SSH access with iptables allowing only access from two IP addresses 
(work, and home).
I also disable root login (as many already do), as well as use the AllowUsers 
option in SSH.

regards, Robin



Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread teor

> On 4 Oct 2017, at 02:26, Igor Mitrofanov  wrote:
> 
> I have setup a (private, key-based) Tor hidden service for SSH 
> administration. It works well and leaves no extra open ports to attack.
> 
> If you also take advantage of package updates over Tor (via the local SOCKS5 
> proxy that any Tor instance provides)

We don't recommend that you run a client and hidden service on the same
tor instance. It makes traffic correlation easier, because your traffic
all goes through the same guard. (There are probably some other reasons,
too.)

Depending on your threat model, this might not be an issue for you.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n






Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Thomas Dünser
Hi,

could it help to use iptables to limit to 3 attempts per minute, or to
use Fail2ban?

Regards

Tom




Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Martin Møller Skarbiniks Pedersen
On 4 October 2017 at 08:41, Fr33d0m4all  wrote:
>
> I know, I know about how internet works :) I’ve just simply noted a large
increase in SSH brute force attempts in the last two weeks. BTW I don’t
have root login enabled and I have two factor authentication on my SSH port
(not standard),


I also get a lot of ssh brute force attempts but then I drink some hot
chocolate and all my worries go away :-)
However I am running ssh on port 22 so I do expect a lot of brute force
attempts.

I do find it a bit strange if you are running ssh on another port and still
get many brute force attempts.

Just curious: how many brute force attempts per day approx? a few thousands?

Regards
Martin


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Rejo Zenger
Hey,

Yes, I do more or less the same. If the complaint is sent using some automated 
system, I "do nothing." If the complaint is sent by a human, I'll answer them 
with a template, see below. If there is a followup response to that, I'll do 
some more explaining, oftentimes pointing them at the block lists provided by 
the Tor Project.

Here's the default answer:

---

Thanks a lot for your notification. The traffic originating from the IP-address 
is traffic from a Tor exit-node. As I am not sure whether you are familiar with 
the Tor network, I would like to provide some explanation.

Tor is network software that helps users to enhance their privacy, security, 
and safety online. It does not host any content. Rather, it is part of a 
network of nodes on the Internet that simply pass packets among themselves 
before sending them to their destinations, just as any Internet intermediary 
does. The difference is that Tor tunnels the connections such that no hop can 
learn both the source and destination of the packets, giving users protection 
from nefarious snooping on network traffic. The result is that, unlike most 
other Internet traffic, the final IP address that the recipient receives is not 
the IP address of the sender.

I run a Tor node to provide privacy to people who need it most: average 
computer users. Tor sees use by many important segments of the population, 
including whistle blowers, journalists, Chinese dissidents skirting the Great 
Firewall and oppressive censorship, abuse victims, stalker targets, the US 
military, and law enforcement, just to name a few. While Tor is not designed 
for malicious computer users, it is true that they can use the network for 
malicious ends.

Of course, the Tor network may be abused by others and apparently this is what 
you are seeing. I am very sorry for this to happen to you. In reality however, 
the actual amount of abuse is quite low. This is largely because criminals and 
hackers have significantly better access to privacy and anonymity than do the 
regular users whom they prey upon. Criminals can and do build, sell, and trade 
far larger and more powerful networks than Tor on a daily basis.

To avoid any more traffic from this source, you could (temporarily) block the 
IP-address of my Tor exit node. You also have the option of blocking all exit 
nodes on the Tor network if you so desire.  The Tor project provides a web 
service to fetch a list of all IP addresses of Tor exit nodes that allow 
exiting to a specified IP:port combination, and an official DNSRBL is also 
available to determine if a given IP address is actually a Tor exit server.

---






-- 
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl  
T @rejozenger | J r...@zenger.nl

OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF




Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Santiago
On 04/10/17 at 08:41, Fr33d0m4all wrote:
> I know, I know about how internet works :) I’ve just simply noted a large 
> increase in SSH brute force attempts in the last two weeks. BTW I don’t have 
> root login enabled and I have two factor authentication on my SSH port (not 
> standard), which is enabled only for a single low privileges user, so there’s 
> no problem. I work for a provider and I manage IPS devices, so I know that it 
> is common to have a large amount of intrusion attempts, I was just wondering 
> if there was some attack against Tor nodes going on since the increase of 
> intrusion attempts in the last few weeks :)
> 
> Best regards,

Also, you could consider pam-abl (auto blacklisting) instead of
fail2ban. Relying on PAM, it doesn't need to process the logs to ban
hosts or users.


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Fr33d0m4all
I know, I know about how internet works :) I’ve just simply noted a large 
increase in SSH brute force attempts in the last two weeks. BTW I don’t have 
root login enabled and I have two factor authentication on my SSH port (not 
standard), which is enabled only for a single low privileges user, so there’s 
no problem. I work for a provider and I manage IPS devices, so I know that it 
is common to have a large amount of intrusion attempts, I was just wondering if 
there was some attack against Tor nodes going on since the increase of 
intrusion attempts in the last few weeks :)

Best regards,
   Fr33d0m4All



Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Sean Greenslade

This happens to any machine with an open ssh port on the internet. Just set up 
ssh keys for login, disable password auth,  and ignore the fruitless attempts. 
I personally don't bother with f2b. The only time I ever bother blocking 
attackers is if I'm trying to live view my logs and the attacks are polluting 
my view. Otherwise it's not worth my time.

--Sean



Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Gareth Llewellyn
 Original Message 
On 4 Oct 2017, 07:02, Fr33d0m4all wrote: Hi, My Tor middle relay public IP 
address is victim of SSH brute force connections’ attempts

Welcome to the Internet!

Any Internet connected machine will be port scanned, vuln probed, brute forced, 
blindly hit with ancient "1 shot" exploits (think wordpress plugins) and 
trawled for include vulnerabilities (e.g. ?file=../../../etc/passwd ) on a 
daily basis.

It's not normally something to worry about.

Disable root login, enable certificate authentication and if you feel 
particularly strongly about the log noise firewall off TCP/22 or move sshd to a 
high numbered port.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
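An added check (not code from the thread) that reads an sshd_config and compares it with the advice given here and in Robin's reply: root login off, key-only authentication, an AllowUsers list, and the port move as a noise reducer only. Both configs it tests are constructed; the parser keeps the first value of each keyword and stops at the first Match block, which is how sshd itself resolves duplicates.

```python
"""Audit an sshd_config against the hardening advice in this thread (added example).

Both configs below are constructed samples. The 'fail' checks encode the thread's
advice (no root login, key-only auth, AllowUsers); the 'note' checks are caveats.
"""
import re

WEAK_CONFIG = """\
# constructed sample: stock defaults plus one bad override
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """\
# constructed sample following the thread's advice
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers relayadmin
# a later duplicate is ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Values that apply when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "port": "22",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section only.

    sshd uses the FIRST value given for a keyword, so later duplicates are
    dropped, and everything from the first Match block onward is conditional
    and therefore not part of the global policy being audited.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (severity, message) findings; 'fail' items contradict the thread's advice."""
    s = parse_sshd_config(text)

    def get(key):
        return s.get(key, DEFAULTS.get(key, ""))

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("fail", f"PermitRootLogin is '{get('permitrootlogin')}', expected 'no'"))
    if get("passwordauthentication") != "no":
        findings.append(("fail", "PasswordAuthentication is not 'no'; password guessing stays possible"))
    if get("pubkeyauthentication") != "yes":
        findings.append(("fail", "PubkeyAuthentication is disabled"))
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("fail", "no AllowUsers/AllowGroups restriction"))
    # KbdInteractiveAuthentication is the newer name for the ChallengeResponse switch.
    kbd = s.get("kbdinteractiveauthentication", get("challengeresponseauthentication"))
    if kbd != "no":
        findings.append(("note", "keyboard-interactive auth is on: PAM can still prompt for a "
                                 "password unless you use it deliberately for 2FA"))
    if get("port") == "22":
        findings.append(("note", "sshd listens on 22; moving it only cuts log noise"))
    return findings


def is_hardened(text):
    """True when no finding contradicts the thread's advice (notes are allowed)."""
    return not any(sev == "fail" for sev, _ in audit_sshd_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {'OK' if is_hardened(cfg) else 'NEEDS WORK'}")
        for sev, msg in audit_sshd_config(cfg):
            print(f"  [{sev}] {msg}")
```

Run it against the output of `sshd -T` rather than the raw file when you want the effective values after includes are resolved.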


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
I have setup a (private, key-based) Tor hidden service for SSH administration. 
It works well and leaves no extra open ports to attack.

If you also take advantage of package updates over Tor (via the local SOCKS5 
proxy that any Tor instance provides) the only non-OR incoming traffic you need 
to allow is an occasional NTP (UDP) time sync, plus ICMP 3/4 (fragmentation 
required). If you drop everything else, fail2ban becomes unnecessary.

The botnet can still flood the host with SYN requests, ORPort connections, etc. 
but brute-force attacks on SSH are no longer a risk.



[tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Fr33d0m4all
Hi,
My Tor middle relay public IP address is the victim of SSH brute force connection 
attempts and the attack has been going on for two weeks. It's not a problem, 
the server that is listening with SSH on the same IP address as my Tor relay 
blocks the connections and bans the IP addresses (with Fail2Ban) but I just 
wanted to know if there is some campaign of attacks carried out against Tor 
relays... are you experiencing the same? The attacks are carried out with a 
botnet given the large amount of different IP addresses that I see in the logs.

Best regards,
   Fr33d0m4All


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-03 Thread teor

> On 3 Oct 2017, at 22:35, tanous .c  wrote:
> 
> Have any of you had this sort of problem? I'm having difficulty determining 
> if this log information represents a normal exit relay occurrence or if my 
> server has been compromised... What could I do in order to solve this?

Yes, Profihost sent me one recently that looked very similar.
Fortunately, I use OutboundBindAddress, so I knew it was
(very likely to be) exit traffic.

You can:
* do nothing
* respond and ask for verification that they want your exit
   to block their site, but explain that they need to block
   all Tor Exits for the traffic to stop
* add exit policy entries to block each of the mentioned
   IPs and ports
* block port 22 on your exit

I'll be doing nothing.

You should consider your provider's reaction, because they
may want you do something about the complaint, even if
it's something ineffective.

Tim


[tor-relays] SSH Bruteforce Attempts

2017-10-03 Thread tanous .c
Hi,
I have been running one Tor exit relay for about 51 days and I recently
got this abuse report:



Good afternoon,

Your IP address (212.47.239.73) has been reported to us by profihost
because it seems to have attempted to bruteforce.
Thank you to take the necessary action as soon as possible.
You will find more information about this report below this message.
Feel free to contact Online.net technical assistance for more information.
Online.net Abuse service
 --

(time is MET / GMT+1):
Tue Oct 3 08:59:40 2017: user: root service: ssh target: 77.75.252.250 source: 212.47.239.73
Tue Oct 3 08:59:10 2017: user: root service: ssh target: 77.75.252.250 source: 212.47.239.73
Tue Oct 3 08:59:10 2017: user: root service: ssh target: 77.75.252.250 source: 212.47.239.73
Tue Oct 3 08:36:18 2017: user: admin service: ssh target: 37.228.155.188 source: 212.47.239.73
Tue Oct 3 07:06:42 2017: user: user service: ssh target: 77.75.252.80 source: 212.47.239.73
Tue Oct 3 07:06:12 2017: user: user1 service: ssh target: 77.75.252.80 source: 212.47.239.73
Tue Oct 3 06:14:12 2017: user: admin service: ssh target: 77.75.251.85 source: 212.47.239.73
Tue Oct 3 06:01:41 2017: user: admin service: ssh target: 77.75.252.78 source: 212.47.239.73
Tue Oct 3 05:37:01 2017: user: admin service: ssh target: 185.39.221.52 source: 212.47.239.73
Tue Oct 3 02:07:46 2017: user: admin service: ssh target: 77.75.249.19 source: 212.47.239.73
Tue Oct 3 01:23:57 2017: user: admin service: ssh target: 85.158.176.137 source: 212.47.239.73
Mon Oct 2 20:10:45 2017: user: admin service: ssh target: 77.75.255.76 source: 212.47.239.73
Mon Oct 2 17:30:13 2017: user: admin service: ssh target: 185.39.221.145 source: 212.47.239.73
Mon Oct 2 17:30:13 2017: user: admin service: ssh target: 185.39.221.145 source: 212.47.239.73
Mon Oct 2 17:09:32 2017: user: admin service: ssh target: 37.228.154.149 source: 212.47.239.73
Mon Oct 2 17:09:23 2017: user: admin service: ssh target: 37.228.154.102 source: 212.47.239.73
Mon Oct 2 16:43:12 2017: user: admin service: ssh target: 77.75.252.233 source: 212.47.239.73
Mon Oct 2 16:23:41 2017: user: admin service: ssh target: 37.228.155.125 source: 212.47.239.73
Mon Oct 2 14:17:24 2017: user: admin service: ssh target: 77.75.250.84 source: 212.47.239.73
Mon Oct 2 13:24:14 2017: user: supervisor service: ssh target: 37.228.159.139 source: 212.47.239.73
Mon Oct 2 13:24:14 2017: user: support service: ssh target: 37.228.159.139 source: 212.47.239.73
Mon Oct 2 13:23:44 2017: user: super service: ssh target: 37.228.159.139 source: 212.47.239.73
Mon Oct 2 12:48:09 2017: user: user service: ssh target: 37.228.159.98 source: 212.47.239.73
Mon Oct 2 12:47:39 2017: user: user service: ssh target: 37.228.159.98 source: 212.47.239.73
 -- This data has been truncated because it was too long
--





Have any of you had this sort of problem? I'm having difficulty determining
if this log information represents a normal exit relay occurrence or if my
server has been compromised... What could I do in order to solve this?

Thank you all,

Tanous


Re: [tor-relays] SSH scans from Tor exit

2014-05-01 Thread Kurt Besig

On 4/30/2014 9:01 PM, I wrote:
> The original point has drifted over the horizon.
>
> I asked what could be done, in my case, to stop SSH attacks
> originating FROM my VPS which is running as an exit. There was
> another VPS emanating SQL injection attacks.
>
> The problem is that volunteering a cheap VPS to run as a Tor relay
> or exit is a very fickle process. The VPS businesses don't waste
> time on anything to do with them. Their reaction is nearly always
> absolute.
>
> It would be smart for the Tor society to approach that situation
> with guidance for ordinary people to successfully get another exit
> or relay running most of which would have to be on VPSs to get the
> speed and volume.  I know there are bits and pieces on this subject
> but they are not a coherent guide for ordinary people.
>
> Robert

Your points are well taken, Robert. I'm a relative newcomer to running
a relay so unfortunately don't have the answers you seek, however I'm
in agreement that more help and less bashing is in order if the
bashers want to keep Tor alive../mini-rant


Re: [tor-relays] SSH scans from Tor exit

2014-05-01 Thread I
Kurt Besig wrote:
> Your points are well taken, Robert. I'm a relative newcomer to running
> a relay so unfortunately don't have the answers you seek, however I'm
> in agreement that more help and less bashing is in order if the
> bashers want to keep Tor alive../mini-rant

Thanks Kurt.




Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread Delton Barnes
grarpamp:
> The servers aren't the ones that shouldn't be online, it's their idiot
> operators who think SSH's DEFAULT SCREAMING ABOUT DENIED
> HACK ATTEMPTS in the logs is some kind of important, and then go
> reporting it to every place they can think of, each of those places staffed
> by more clueless idiots, etc. Grow up people, quit whining about ssh
> and learn to admin. Meanwhile, Theo laughs heartily at everyone.

Often, SSH brute-force login attempts come directly from compromised
machines, not Tor exit nodes.  Reporting such attacks helps
administrators realize a machine is compromised, which is a good thing.
 It could be helping protect the privacy of someone whose machine is
compromised.

I'd suggest the problem is administrators treating a Tor exit node the
same as a compromised machine.  If the goal of an administrator is to
eliminate SSH attacks emanating from Tor, they should simply block port
22 connections from Tor exit nodes.

It is a bit cynical or defeatist, I think, to say There are a lot of
these attacks, so administrators should have to just accept them.  If
you see someone attempting to break into cars, do you report it, or do
you say There are so many car thefts in the world, what's the point?

Delton


Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread grarpamp
On Wed, Apr 30, 2014 at 2:14 PM, Delton Barnes delton.bar...@mail.ru wrote:

> I'd suggest the problem is administrators treating a Tor exit node the
> same as a compromised machine.

Sure, and it's part of the sometimes improper administrivia kneejerk
response. And the SCREAMING involved with this one certainly incites
an unbalanced response upon the less experienced/knowledgeable.

> these attacks, so administrators should have to just accept them.

The operator of agnostic midpoint carriage services / relay is different
than the ISP of the following two machines, and different than the
targeted machine, or the attacking machine. Each has different rules
of play available to them, with the midpoint carrier likely having least
duty among them to do anything. It's not as if blocking exit:22 to the
reporter's machine is going to do anything useful on their end given
the rest of the internet they're open to, but if you want to appease them
and your upstream, feel free. I wouldn't, but to each their own relay policy :)


Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread I
The original point has drifted over the horizon.

I asked what could be done, in my case, to stop SSH attacks originating FROM my 
VPS which is running as an exit.
There was another VPS emanating SQL injection attacks.

The problem is that volunteering a cheap VPS to run as a Tor relay or exit is a 
very fickle process.
The VPS businesses don't waste time on anything to do with them. Their reaction 
is nearly always absolute.

It would be smart for the Tor society to approach that situation with guidance 
for ordinary people to successfully get another exit or relay running most of 
which would have to be on VPSs to get the speed and volume.  I know there are 
bits and pieces on this subject but they are not a coherent guide for ordinary 
people.

Robert






Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread grarpamp
On Mon, Apr 28, 2014 at 11:23 PM, Michael Wolf mikew...@riseup.net wrote:
> On 4/28/2014 10:04 PM, Zack Weinberg wrote:
> > For what it's worth, after complaints from campus IT we also wound up
> > blocking SSH in the CMU Tor exit's policy.

Sounds like IT is conflicted and sans balls... permits relay service,
but well, doesn't. Good that you can run one, but if they're
whacking you for denied stuff, plan on moving soon when they
get real complaints.

> > people do sysadmin stuff and whatnot anonymously

Not just for anonymous... the value to real sysadmins daily of a
TCP enabled IP for testing from anywhere in the world is huge.

> I think if a server is
> so threatened by a port scan that it invokes a human response, that
> server probably shouldn't be online.
> /rant

The servers aren't the ones that shouldn't be online, it's their idiot
operators who think SSH's DEFAULT SCREAMING ABOUT DENIED
HACK ATTEMPTS in the logs is some kind of important, and then go
reporting it to every place they can think of, each of those places staffed
by more clueless idiots, etc. Grow up people, quit whining about ssh
and learn to admin. Meanwhile, Theo laughs heartily at everyone.


Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Scott Bennett
I beatthebasta...@inbox.com wrote:

> What do you suggest I missed in the documentation?

Exit policies.  I wrote that in my earlier message.


Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at sdf.org *or* bennett at freeshell.org
"A well regulated and disciplined militia, is at all times a good objection
to the introduction of that bane of all free governments -- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790


Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Ed Carter
Robert,

There is some good advice for exit relay operators on the Tor website that
might be helpful.  Included are templates you can use for responding to
abuse complaints received by your ISP.

https://trac.torproject.org/projects/tor/wiki//doc/TorExitGuidelines

https://blog.torproject.org/running-exit-node

https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates


> Mike,
>
> Yes but the goal is to have more relays, exits and bridges and if
> commercial server operators are very low on spine we have to keep them
> onside carefully.
>
> I have just been kicked off another one after paying a year in advance.
> If we have no authoritative retort when they raise the first 'abuse' most
> of them take the lazy course and bar Tor.
> When I have said the restricted port list can be added and it has proved
> to be successful some have given me another chance.
> If SSH is open and their server is being used to attack others of course
> they will react defensively.
> So any advice to be proactive and increase the chance of one part of the
> Tor system surviving is advice I want to hear.
>
> Robert
>
>
> > For what it's worth, after complaints from campus IT we also wound up
> > blocking SSH in the CMU Tor exit's policy.  It's a shame we can't help
> > people do sysadmin stuff and whatnot anonymously, but the port scans
> > do seem to happen quite often.
> >
> > zw
> >
> > The silly thing is that port scans happen hundreds of times per day to
> > every internet-connected device, and Tor isn't involved in the vast
> > majority of it.  Not a single server on the 'net is made more secure by
> > an exit node blocking a port.  Will they request that port 80 be blocked
> > because of the SQL injection and Wordpress vulnerability scans?  Or that
> > IMAP and FTP ports be blocked for attempts to brute force logins?  Any
> > open port has the potential for abuse -- blocking ports doesn't seem
> > like a very well thought-out response to the issue.
> >
> > The time people spend complaining to exit node operators would be much
> > better spent performing any number of simple changes that would
> > /actually/ improve security for the server(s).  I think if a server is
> > so threatened by a port scan that it invokes a human response, that
> > server probably shouldn't be online.
> >
> > /rant




Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Nicolas Christin
On Tue Apr 29, 2014, grarpamp grarp...@gmail.com wrote:
> > On 4/28/2014 10:04 PM, Zack Weinberg wrote:
> > > For what it's worth, after complaints from campus IT we also wound up
> > > blocking SSH in the CMU Tor exit's policy.
>
> Sounds like IT is conflicted and sans balls... permits relay service,
> but well, doesn't. Good that you can run one, but if they're
> whacking you for denied stuff, plan on moving soon when they
> get real complaints.

No. You are confusing university campuses with commercial providers,
from which, as a customer, you are entitled to certain things per
contract. 

In that specific instance, campus IT have been extremely good sports
about us running a Tor exit on our campus. They could have simply said
no; instead, they're willing to support this. I think that is
admirable: They have no incentive to do this other than an altruistic
willingness to support research in that sphere. Not to put too fine a
point on it, as a faculty, I pay overhead on research grants whether or
not campus IT is kind to me.

Campus IT is understandably not, however, willing to spend an inordinate
amount of time dealing with complaints from clueless third parties.
SSH port scanning occurs unfortunately often enough it became a pretty
big burden on them to deal with repeated emails from victims. Our
research group does not have the cycles to deal with these complaints
either---and even if we did, I doubt we would have the authority to
speak on behalf of the university.

So, given the choice between not operating an exit, and operating an
exit without port 22 to avoid overburdening with red tape people who,
once again, have been really good to us, what would you pick?

> The servers aren't the ones that shouldn't be online, it's their idiot
> operators who think SSH's DEFAULT SCREAMING ABOUT DENIED
> HACK ATTEMPTS in the logs is some kind of important, and then go
> reporting it to every place they can think of, each of those places staffed
> by more clueless idiots, etc. 

The level of intelligence of the people that receive these complaints
is irrelevant. However competent you may be, if you get oodles of
complaints every single day, for something that you are doing as a favor
to somebody else, you will throw in the towel.

Best regards, 
Nicolas


Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread grarpamp
On Tue, Apr 29, 2014 at 5:26 PM, Nicolas Christin
nicol...@andrew.cmu.edu wrote:
> The level of intelligence of the people that receive these complaints
> is irrelevant.

It is, in fact, entirely relevant. Clueless recipients (and their upstream)
leads directly to improper kneejerk responses, such as pull the project.
Whereas if people had a clue they'd realize this particular issue
is nothing but background noise and file it in the bin.

> However competent you may be, if you get oodles of
> complaints every single day, for something that you are doing as a favor
> to somebody else, you will throw in the towel.
>
> once again, have been really good to us, what would you pick?

I've been party to large environments (RE included) where boilerplate
complaints resulted in automated canned responses, or were simply
filed in the archive to be expired later. A few hours of existing
work-study student time to process a day's lot, fully supported by
high ups.

It comes down to volume, severity, tools, responsibility and
clue. If you don't have any of the latter four, sure, any amount
of the first will kill you.

Being in a good environment for such things also helps too.
Unfortunately that is probably not the majority of them.


[tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
One VPS company has just asserted that SSH scans are being run from my Tor exit rather than another process on the VPS.
Is this happening to anyone else?
Does anyone know what can be done to stop it?

Robert



Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread s...@sky-ip.org

On 4/29/2014 1:31 AM, I wrote:
> One VPS company has just asserted that SSH scans are being run from
> my Tor exit rather than another process on the VPS. Is this
> happening to anyone else? Does anyone know what can be done to stop
> it?
>
> Robert


Could you explain with more details? Your question is not totally clear.

If your VPS is being SSH brute forced there are many ways to protect:
- make host-based authentication or use keys instead of password-based
authentication
- install fail2ban to ban IPs after x wrong passwords
- make sure you put a very strong password, seriously
- disable root login via ssh
- if you have a VPS made with KVM you can disable SSH access at all
and use the Java console from the VPS panel?
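The list above (keys instead of passwords, fail2ban-style banning after x wrong passwords, no root login) as an added worked example, not the poster's code and not fail2ban's: the banning rule written out so the threshold and time window are visible, run over constructed OpenSSH log lines, plus an audit of an sshd_config body against the settings the list asks for. The log lines and both config bodies are constructed; the maxretry/findtime defaults and the extra AllowUsers check are this example's own choices.

```python
"""Added example, not code from the thread: the 'ban after x wrong
passwords' rule that fail2ban applies to sshd, written out so the window
and threshold are visible, plus a check of the sshd_config settings the
list above recommends. Log lines and config bodies are constructed;
maxretry/findtime defaults and the AllowUsers check are this example's
own choices, not something the thread specifies."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth log in OpenSSH's syslog format (no year in the timestamp).
AUTH_LOG = """\
Oct  3 08:59:10 relay sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  3 08:59:12 relay sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct  3 08:59:15 relay sshd[2015]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Oct  3 08:59:40 relay sshd[2019]: Failed password for root from 203.0.113.7 port 51055 ssh2
Oct  3 09:00:01 relay sshd[2022]: Accepted publickey for ops from 198.51.100.5 port 40022 ssh2: ED25519 SHA256:k3y
Oct  3 09:05:00 relay sshd[2030]: Failed password for invalid user user1 from 192.0.2.9 port 6000 ssh2
Oct  3 09:15:00 relay sshd[2035]: Failed password for invalid user user1 from 192.0.2.9 port 6001 ssh2
Oct  3 09:30:00 relay sshd[2040]: Failed password for invalid user user1 from 192.0.2.9 port 6002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(log, year=2017):
    """(timestamp, user, ip) for each failed password attempt. Syslog lines
    carry no year, so one is supplied (assumption)."""
    out = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            stamp = "%d %s" % (year, " ".join(m["ts"].split()))
            out.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return out


def ips_to_ban(log, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside some findtime-second window,
    which is what fail2ban's [sshd] jail with maxretry/findtime bans."""
    hits = defaultdict(list)
    for ts, _, ip in failed_logins(log):
        hits[ip].append(ts)
    banned = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):              # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


# sshd_config values the list above asks for (keys instead of passwords, no root login).
WANTED = {"PasswordAuthentication": "no", "PermitRootLogin": "no"}

WEAK_SSHD_CONFIG = """\
# constructed: a stock-looking sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
# constructed: the same host with the recommendations applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops
"""


def audit_sshd_config(text):
    """Findings for an sshd_config body: wanted options that are missing or
    set to a weak value, plus a missing AllowUsers. Keywords are
    case-insensitive and the first occurrence wins, as in sshd; Match
    blocks are not handled (assumption: none present)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key.lower(), value.strip())
    findings = []
    for key, want in WANTED.items():
        got = seen.get(key.lower())
        if got is None:
            findings.append("%s not set, sshd default applies" % key)
        elif got.lower() != want:
            findings.append("%s is %s, want %s" % (key, got, want))
    if "allowusers" not in seen:
        findings.append("AllowUsers not set: every local account is a login target")
    return findings


if __name__ == "__main__":
    print("ban:", sorted(ips_to_ban(AUTH_LOG)))
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The second address in the sample log shows why the window matters: three failures spread over 25 minutes never meet a 3-in-600-seconds rule, so a slow attacker is only caught by widening findtime (or lowering maxretry), at the cost of more false bans; with password authentication off, as the audit insists, the failures are noise either way.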


Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Scott Bennett
s...@sky-ip.org s...@sky-ip.org wrote:

> On 4/29/2014 1:31 AM, I wrote:
> > One VPS company has just asserted that SSH scans are being run from
> > my Tor exit rather than another process on the VPS. Is this
> > happening to anyone else? Does anyone know what can be done to stop
> > it?
> >
> > Robert
>
> Could you explain with more details? Your question is not totally clear.

I thought his question was very clear.

> If your VPS is being SSH brute forced there are many ways to protect:
> - make host-based authentication or use keys instead of password-based
> authentication
> - install fail2ban to ban IPs after x wrong passwords
> - make sure you put a very strong password, seriously
> - disable root login via ssh
> - if you have a VPS made with KVM you can disable SSH access at all
> and use the Java console from the VPS panel?

He stated that a VPS company (I've quoted his statement above yours,
so please go back and read it again) complained that the attacks were
emanating *from his tor exit*.  The VPS company is very unlikely to be
moved by your suggestions.
The second matter that was clear was that he has been running a tor
relay without having read the documentation.  If he wants to restrict what
exits from his node, then he needs to read about exit policies in
particular, but he also ought to read the rest of the documentation as well.
More generally, people really should not be running an exit in
ignorance.  The tor project has done a commendable job of providing a well
documented product.  The documentation was intended to be read, not ignored,
by those wishing to run tor, whether as a client only or as a relay.




Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
I first thought that the numerous complaints of my VPS being the source of the 
SSH (outgoing) attacks was that I hadn't done the things you suggested below 
and been 'hacked' but now one VPS business has looked at the VPS processes and 
said it must be coming out of Tor as I run an exit.

So I am asking whether this is rare or am I not doing something which others 
are doing?
Is it just a matter of removing SSH from the already long list of port 
limitations?

Robert
> Could you explain with more details? Your question is not totally clear.
>
> If your VPS is being SSH brute forced there are many ways to protect:
> - make host-based authentication or use keys instead of password-based
> authentication
> - install fail2ban to ban IPs after x wrong passwords
> - make sure you put a very strong password, seriously
> - disable root login via ssh
> - if you have a VPS made with KVM you can disable SSH access at all
> and use the Java console from the VPS panel?




Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
Scott,

What do you suggest I missed in the documentation?

Robert





Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Zack Weinberg
For what it's worth, after complaints from campus IT we also wound up
blocking SSH in the CMU Tor exit's policy.  It's a shame we can't help
people do sysadmin stuff and whatnot anonymously, but the port scans
do seem to happen quite often.

zw


Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Michael Wolf
On 4/28/2014 10:04 PM, Zack Weinberg wrote:
> For what it's worth, after complaints from campus IT we also wound up
> blocking SSH in the CMU Tor exit's policy.  It's a shame we can't help
> people do sysadmin stuff and whatnot anonymously, but the port scans
> do seem to happen quite often.
>
> zw

The silly thing is that port scans happen hundreds of times per day to
every internet-connected device, and Tor isn't involved in the vast
majority of it.  Not a single server on the 'net is made more secure by
an exit node blocking a port.  Will they request that port 80 be blocked
because of the SQL injection and Wordpress vulnerability scans?  Or that
IMAP and FTP ports be blocked for attempts to brute force logins?  Any
open port has the potential for abuse -- blocking ports doesn't seem
like a very well thought-out response to the issue.

The time people spend complaining to exit node operators would be much
better spent performing any number of simple changes that would
/actually/ improve security for the server(s).  I think if a server is
so threatened by a port scan that it invokes a human response, that
server probably shouldn't be online.

/rant

-- Mike


Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
Mike,

Yes but the goal is to have more relays, exits and bridges and if commercial 
server operators are very low on spine we have to keep them onside carefully.

I have just been kicked off another one after paying a year in advance.  
If we have no authoritative retort when they raise the first 'abuse' most of 
them take the lazy course and bar Tor.
When I have said the restricted port list can be added and it has proved to be 
successful some have given me another chance.
If SSH is open and their server is being used to attack others of course they 
will react defensively.
So any advice to be proactive and increase the chance of one part of the Tor 
system surviving is advice I want to hear.

Robert


> For what it's worth, after complaints from campus IT we also wound up
> blocking SSH in the CMU Tor exit's policy.  It's a shame we can't help
> people do sysadmin stuff and whatnot anonymously, but the port scans
> do seem to happen quite often.
>
> zw
>
> The silly thing is that port scans happen hundreds of times per day to
> every internet-connected device, and Tor isn't involved in the vast
> majority of it.  Not a single server on the 'net is made more secure by
> an exit node blocking a port.  Will they request that port 80 be blocked
> because of the SQL injection and Wordpress vulnerability scans?  Or that
> IMAP and FTP ports be blocked for attempts to brute force logins?  Any
> open port has the potential for abuse -- blocking ports doesn't seem
> like a very well thought-out response to the issue.
>
> The time people spend complaining to exit node operators would be much
> better spent performing any number of simple changes that would
> /actually/ improve security for the server(s).  I think if a server is
> so threatened by a port scan that it invokes a human response, that
> server probably shouldn't be online.
>
> /rant

