Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-05-28 Thread klarheit
Apr 5, 2021, 10:34 by cristiano...@gmail.com: > I have a Relay and a Bridge up and running with ssh password disabled, ssh > port changed and fail2ban installed. > > With that I noticed that one particular IP was trying to ssh my both machines > and that IP belongs to Liberty Global, an

Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-06 Thread William Kane
It might not belong to Liberty Global itself even though it was registered as such but to one of their subsidiaries, likely Virgin Media or Vodafone. Random SSH probes happen very frequently, it's nothing to worry about if you deny root login, force public key (Ed25519 if your version of sshd

Re: [tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-06 Thread gerard
Surely it is one of their customers….. From: tor-relays On Behalf Of Cristiano Kubiaki Gomes Sent: 05 April 2021 16:34 To: tor-relays@lists.torproject.org Subject: [tor-relays] ssh request from Virgin Media (Liberty Global) I have a Relay and a Bridge up and running with ssh password

[tor-relays] ssh request from Virgin Media (Liberty Global)

2021-04-05 Thread Cristiano Kubiaki Gomes
I have a Relay and a Bridge up and running with ssh password disabled, ssh port changed and fail2ban installed. With that I noticed that one particular IP was trying to ssh my both machines and that IP belongs to Liberty Global, an Anglo-Dutch-American telecommunication company which is owner of

Re: [tor-relays] SSH

2020-12-29 Thread George
On 9/21/20 7:52 AM, Logforme wrote: On 2020-09-21 11:19:20, "Андрей Гвоздев" wrote: Hello I'm running a TOR relay, every time I SSH to my server I see a message that there were thousands of failed login attempts Do you see this message too? Exposing a SSH server to the internet will get you

Re: [tor-relays] SSH

2020-09-23 Thread lists
On 22.09.2020 20:34, George wrote: The great secret SSHD security hack that I feel uncomfortable mentioning on a public list is... do SSH over IPv6 if you can. Seems like the bots haven't caught up to that yet. ;-) Yeah, only 1 or 2 attempts/YEAR over IPv6 and that's a research project from

Re: [tor-relays] SSH

2020-09-22 Thread George
breaking the top-post > Hello > I'm running a TOR relay, every time I SSH to my server I see a message > that there were thousands of failed login attempts > Do you see this message too? This is one of those issues that you figure out your own preferred method over time as you run public

Re: [tor-relays] SSH

2020-09-22 Thread ylms
Hello again, if you set up Fail2ban or similar, please make sure it does not send out abuse emails, Fail2ban-Spam or similar is a lot of work for Tor Exit operators. Regards yl On 9/21/20 11:19 AM, Андрей Гвоздев wrote: > Hello > I'm running a TOR relay, every time I SSH to my server I see a

Re: [tor-relays] SSH

2020-09-21 Thread Dr Gerard Bulger
password it stops the kiddies/robots from trying anymore. Gerry -Original Message- From: tor-relays On Behalf Of Toralf Förster Sent: 21 September 2020 14:53 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] SSH On 9/21/20 1:52 PM, Logforme wrote: > Change the

Re: [tor-relays] SSH

2020-09-21 Thread Foxy
Try setting it so it bans after 3 failed attempts On Mon, Sep 21, 2020, 7:53 AM Toralf Förster wrote: > On 9/21/20 1:52 PM, Logforme wrote: > > Change the SSH default port. > AFAICT that helped but only for a while. > After a few weeks/months the non-default port is discovered by (a probably >

Re: [tor-relays] SSH

2020-09-21 Thread Toralf Förster
On 9/21/20 1:52 PM, Logforme wrote: > Change the SSH default port. AFAICT that helped but only for a while. After a few weeks/months the non-default port is discovered by (a probably more extensible port scan) and the failed login attempts continued. -- Toralf

Re: [tor-relays] SSH

2020-09-21 Thread Marco Predicatori
Андрей Гвоздев wrote on 9/21/20 11:19 AM: > Hello > I'm running a TOR relay, every time I SSH to my server I see a message > that there were thousands of failed login attempts > Do you see this message too? Plenty, don't worry. Any IP with the ssh port open is targeted. Make sure you keep your

Re: [tor-relays] SSH

2020-09-21 Thread lists
On 21.09.2020 11:19, Андрей Гвоздев wrote: Hello I'm running a TOR relay, every time I SSH to my server I see a message that there were thousands of failed login attempts Do you see this message too? Maybe my step by step instructions can help. Ignore the PIVX stuff.

Re: [tor-relays] SSH

2020-09-21 Thread Lars Noodén
On 9/21/20 12:19 PM, Андрей Гвоздев wrote: > Hello > I'm running a TOR relay, every time I SSH to my server I see a message > that there were thousands of failed login attempts > Do you see this message too? That is normal for any outwardly facing SSH server, Tor or not. The established best

Re: [tor-relays] SSH

2020-09-21 Thread Logforme
On 2020-09-21 11:19:20, "Андрей Гвоздев" wrote: Hello I'm running a TOR relay, every time I SSH to my server I see a message that there were thousands of failed login attempts Do you see this message too? Exposing a SSH server to the internet will get you lots of login attempts. Here are

Re: [tor-relays] SSH

2020-09-21 Thread ylms
On 9/21/20 11:19 AM, Андрей Гвоздев wrote: > I'm running a TOR relay, every time I SSH to my server I see a message > that there were thousands of failed login attempts > Do you see this message too? I think this is quite normal, for any server, if you do not run any service that blocks IPs

[tor-relays] SSH

2020-09-21 Thread Андрей Гвоздев
Hello I'm running a TOR relay, every time I SSH to my server I see a message that there were thousands of failed login attempts Do you see this message too? ___ tor-relays mailing list tor-relays@lists.torproject.org

Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-09-16 Thread Matt Corallo
I've taken to contacting the sender of the automated abuse reports and noting that sending such emails may actually not be legal (at least in the US) under CAN-SPAM. In some cases I've seen positive response as people aren't even aware their random server with fail2ban is sending these things.

Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread teor
Hi, > On 30 Aug 2019, at 09:26, AMuse wrote: > > I have SSH open as an exit port on a TOR exit that my friends and I are > maintaining - and of course it's the #1 offender by far in automated abuse > notifications we get from our ISP, from peoples' fail2ban servers sending > abuse emails.

[tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread AMuse
Hi all! I'm curious what y'all think of this situation. I have SSH open as an exit port on a TOR exit that my friends and I are maintaining - and of course it's the #1 offender by far in automated abuse notifications we get from our ISP, from peoples' fail2ban servers sending abuse emails. This

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Nathaniel Suchy
> Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate port, pick one under 1024. Make it so an attacker needs to be root before they replace your sshd process. If you take that approach, make sure you are using a hardware firewall

Re: [tor-relays] SSH login attempts

2018-09-04 Thread arisbe
Hello Marcus, On an ongoing basis, most of my relays get up to 4000 attempts each day.  It's standard practice I guess!  Many, many are from just a few IP addresses.  The rest are just a few per IP address. Occasionally, I will go beyond the fail2ban "ban" and block an IP address in iptables 

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Roman Mamedov
On Tue, 4 Sep 2018 18:44:55 +0100 wrote: > Waste of time move SSH port? My fail2ban has hardly anything to do since > moving port some time back Yes, it is. And you might as well remove fail2ban altogether if you simply have key-based auth and disable passwords. -- With respect, Roman

Re: [tor-relays] SSH login attempts

2018-09-04 Thread gerard
. Gerry -Original Message- From: tor-relays On Behalf Of Michael Brodhead Sent: 04 September 2018 18:36 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] SSH login attempts FWIW I found sshguard easier to deal with on FreeBSD than fail2ban. Turn off password logins and take

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Michael Brodhead
FWIW I found sshguard easier to deal with on FreeBSD than fail2ban. Turn off password logins and take good care of your ssh keys. Moving sshd to a different port is a waste of time but harmless if you’re the only administrator. —mkb > On Sep 4, 2018, at 5:35 AM, Marcus Wahle wrote: > >

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Sean Brown
> On Sep 4, 2018, at 9:06 AM, Ralph Seichter wrote: > > On 04.09.2018 14:44, Sean Brown wrote: > >> Using an obscure port only prevents attempts being logged, nothing >> else. > > I cannot agree with that. What an sshd logs is not determined by the > port number it is listening on, and the

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Ralph Seichter
On 04.09.2018 14:44, Sean Brown wrote: > Using an obscure port only prevents attempts being logged, nothing > else. I cannot agree with that. What an sshd logs is not determined by the port number it is listening on, and the quantity of failed login attempts across my servers is measurably lower

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Lars Noodén
On 09/04/2018 03:41 PM, Marcus wrote: > Thanks Paul, > I use fail2ban, but this amount of failed logins is new to me. > Marcus The failed logins are business as usual. If the machine is on the net, then bots will find it no matter where it is or which port it listens on. But they usually move on

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Sean Brown
On Sep 4, 2018, at 8:40 AM, Natus wrote: > >> Use some tool like fail2ban and/or ssh key authentication. > > Also change the default port of your ssh endpoint (eg: ) > > Using an obscure port only prevents attempts being logged, nothing else. And if you’re going to use an alternate

Re: [tor-relays] SSH login attempts

2018-09-04 Thread nusenu
Marcus Wahle: > Since 14:00 my logs (middle node) are spammed with around 100 failed > ssh login attempts from different ips. Is there anybody else > affected? I'd say that is business as usual and not much to worry about if you use strong authentication -- https://twitter.com/nusenu_

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Marcus
Thanks Paul, I use fail2ban, but this amount of failed logins is new to me. Marcus -- You can find my public certificate at: https://web.tresorit.com/l#tDLNPX-QlTRTcpMEqRRSng On 04.09.2018 at 14:38, Paul Templeton wrote: >> Since 14:00 my logs (middle node) are spammed with around 100

Re: [tor-relays] SSH login attempts

2018-09-04 Thread I
ssh key authentication. and an obscure port

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Natus
> Use some tool like fail2ban and/or ssh key authentication. Also change the default port of your ssh endpoint (eg: ) -- regards, natus

Re: [tor-relays] SSH login attempts

2018-09-04 Thread Paul Templeton
> Since 14:00 my logs (middle node) are spammed with around 100 failed > ssh login attempts from different ips. > Is there anybody else affected? Yes - it's constant 3-5 attempts per second - that's normal. Use some tool like fail2ban and/or ssh key authentication. Paul

[tor-relays] SSH login attempts

2018-09-04 Thread Marcus Wahle
Dear all, Since 14:00 my logs (middle node) are spammed with around 100 failed ssh login attempts from different ips. Is there anybody else affected? Best regards Marcus

Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread tanous .c
Thank you all for replying, I will answer the notification with the template mentioned by Rejo and include the link for ExoneraTor recommended by Jon. Best Regards, Tanous 2017-10-04 11:34 GMT-03:00 Jonathan Proulx : > Here's my version of the same: > > Hello, > > The

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address > On 4 Oct 2017, at 02:26, Igor Mitrofanov <igor.n.mitrofa...@gmail.com> wrote: > > I have setup a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Jonathan Proulx
still have no response on what triggered that so can't provide any more detail, just eventually went away on its own. -Jon : :regards, Robin : :- Original message - :From: Fr33d0m4all <fr33d0m4...@riseup.net> :To: tor-relays@lists.torproject.org :Subject: [tor-relays] SSH brut

Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Jonathan Proulx
Here's my version of the same: Hello, The source address 128.52.128.105 is a Tor exit node, and is not the origin point for the traffic in question. See http://tor-exit.csail.mit.edu (which is the host in your logs) for details. Any action taken on this node would simply result in the problem

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Robin
relays@lists.torproject.org Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address Date: Wed, 4 Oct 2017 08:02:55 +0200 Hi, My Tor middle relay public IP address is victim of SSH brute force connections’ attempts and the attack is going on since two weeks ago

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread teor
> On 4 Oct 2017, at 02:26, Igor Mitrofanov wrote: > > I have setup a (private, key-based) Tor hidden service for SSH > administration. It works well and leaves no extra open ports to attack. > > If you also take advantage of package updates over Tor (via the local

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Thomas Dünser
Hi, could it help to use iptables to limit to 3 attempts per minute, or to use Fail2ban? Regards Tom On 10/04/2017 01:07 PM, Martin Møller Skarbiniks Pedersen wrote: > On 4 October 2017 at 08:41, Fr33d0m4all > wrote: > > > > I know, I

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Martin Møller Skarbiniks Pedersen
On 4 October 2017 at 08:41, Fr33d0m4all wrote: > > I know, I know about how internet works :) I’ve just simply noted a large increase in SSH brute force attempts in the last two weeks. BTW I don’t have root login enabled and I have two factor authentication on my SSH port

Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Rejo Zenger
Hey, Yes, I do more or less the same. If the complaint is sent using some automated system, I "do nothing." If the complaint is sent by a human, I'll answer them with a template, see below. If there is a followup response to that, I'll do some more explaining, oftentimes pointing them at the

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Santiago
On 04/10/17 at 08:41, Fr33d0m4all wrote: > I know, I know about how internet works :) I’ve just simply noted a large > increase in SSH brute force attempts in the last two weeks. BTW I don’t have > root login enabled and I have two factor authentication on my SSH port (not > standard),

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Fr33d0m4all
I know, I know about how internet works :) I’ve just simply noted a large increase in SSH brute force attempts in the last two weeks. BTW I don’t have root login enabled and I have two factor authentication on my SSH port (not standard), which is enabled only for a single low privileges user,

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Sean Greenslade
On October 3, 2017 11:02:55 PM PDT, Fr33d0m4all wrote: >Hi, >My Tor middle relay public IP address is victim of SSH brute force >connections’ attempts and the attack is going on since two weeks ago. >It’s not a problem, the server that is listening with SSH on the same >IP

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Gareth Llewellyn
Original Message On 4 Oct 2017, 07:02, Fr33d0m4all wrote: Hi, My Tor middle relay public IP address is victim of SSH brute force connections’ attempts Welcome to the Internet! Any Internet connected machine will be port scanned, vuln probed, brute forced, blindly hit with

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
Message- From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf Of Fr33d0m4all Sent: Tuesday, October 3, 2017 11:03 PM To: tor-relays@lists.torproject.org Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address Hi, My Tor middle relay public IP

[tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Fr33d0m4all
Hi, My Tor middle relay public IP address is victim of SSH brute force connections’ attempts and the attack is going on since two weeks ago. It’s not a problem, the server that is listening with SSH on the same IP address than my Tor relay blocks the connections and bans the IP addresses (with

Re: [tor-relays] SSH Bruteforce Attempts

2017-10-03 Thread teor
> On 3 Oct 2017, at 22:35, tanous .c wrote: > > Have any of you had this sort of problem? I'm having difficulty determining > if this log information represents a normal exit relay occurrence or if my > server has been compromised... What could I do in order to solve this?

[tor-relays] SSH Bruteforce Attempts

2017-10-03 Thread tanous .c
Hi, I have been running one tor exit relay for about 51 days and I recently got this abuse report: Good afternoon, Your Ip address (212.47.239.73) has been reported to us by profihost because it seems to have attempted to bruteforce. Thank you to take the necessary action as soon as possible.

Re: [tor-relays] SSH scans from Tor exit

2014-05-01 Thread Kurt Besig
On 4/30/2014 9:01 PM, I wrote: The original point has drifted over the horizon. I asked what could be done, in my case, to stop SSH attacks originating FROM my VPS which is running as an exit. There was another VPS emanating SQL injection

Re: [tor-relays] SSH scans from Tor exit

2014-05-01 Thread I
Kurt Besig wrote Your points are well taken, Robert. I'm a relative newcomer to running a relay so unfortunately don't have the answers you seek, however I'm in agreement that more help and less bashing is in order if the bashers want to keep Tor alive../mini-rant Thanks Kurt.

Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread Delton Barnes
grarpamp: The servers aren't the ones that shouldn't be online, it's their idiot operators who think SSH's DEFAULT SCREAMING ABOUT DENIED HACK ATTEMPTS in the logs is some kind of important, and then go reporting it to every place they can think of, each of those places staffed by more

Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread grarpamp
On Wed, Apr 30, 2014 at 2:14 PM, Delton Barnes delton.bar...@mail.ru wrote: I'd suggest the problem is administrators treating a Tor exit node the same as a compromised machine. Sure, and it's part of the sometimes improper administrivia kneejerk response. And the SCREAMING involved with this

Re: [tor-relays] SSH scans from Tor exit

2014-04-30 Thread I
The original point has drifted over the horizon. I asked what could be done, in my case, to stop SSH attacks originating FROM my VPS which is running as an exit. There was another VPS emanating SQL injection attacks. The problem is that volunteering a cheap VPS to run as a Tor relay or exit is

Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread grarpamp
On Mon, Apr 28, 2014 at 11:23 PM, Michael Wolf mikew...@riseup.net wrote: On 4/28/2014 10:04 PM, Zack Weinberg wrote: For what it's worth, after complaints from campus IT we also wound up blocking SSH in the CMU Tor exit's policy. Sounds like IT is conflicted and sans balls... permits relay

Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Scott Bennett
I beatthebasta...@inbox.com wrote: What do you suggest I missed in the documentation? Exit policies. I wrote that in my earlier message. Scott Bennett, Comm. ASMELG, CFIAG ** *

Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Ed Carter
Robert, There is some good advice for exit relay operators on the Tor website that might be helpful. Included are templates you can use for responding to abuse complaints received by your ISP. https://trac.torproject.org/projects/tor/wiki//doc/TorExitGuidelines

Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread Nicolas Christin
On Tue Apr 29, 2014, grarpamp grarp...@gmail.com wrote: On 4/28/2014 10:04 PM, Zack Weinberg wrote: For what it's worth, after complaints from campus IT we also wound up blocking SSH in the CMU Tor exit's policy. Sounds like IT is conflicted and sans balls... permits relay service, but

Re: [tor-relays] SSH scans from Tor exit

2014-04-29 Thread grarpamp
On Tue, Apr 29, 2014 at 5:26 PM, Nicolas Christin nicol...@andrew.cmu.edu wrote: The level of intelligence of the people that receive these complaints is irrelevant. It is, in fact, entirely relevant. Clueless recipients (and their upstream) leads directly to improper kneejerk responses, such

[tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
One VPS company has just asserted that SSH scans are being run from my Tor exit rather than another process on the VPS. Is this happening to anyone else? Does anyone know what can be done to stop it? Robert

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread s...@sky-ip.org
On 4/29/2014 1:31 AM, I wrote: One VPS company has just asserted that SSH scans are being run from my Tor exit rather than another process on the VPS. Is this happening to anyone else? Does anyone know what can be done to stop it? Robert

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Scott Bennett
s...@sky-ip.org s...@sky-ip.org wrote: On 4/29/2014 1:31 AM, I wrote: One VPS company has just asserted that SSH scans are being run from my Tor exit rather than another process on the VPS. Is this happening to anyone else? Does anyone

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
I first thought that the numerous complaints of my VPS being the source of the SSH (outgoing) attacks was that I hadn't done the things you suggested below and been 'hacked' but now one VPS business has looked at the VPS processes and said it must be coming out of Tor as I run an exit. So I am

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
Scott, What do you suggest I missed in the documentation? Robert

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Zack Weinberg
For what it's worth, after complaints from campus IT we also wound up blocking SSH in the CMU Tor exit's policy. It's a shame we can't help people do sysadmin stuff and whatnot anonymously, but the port scans do seem to happen quite often. zw

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread Michael Wolf
On 4/28/2014 10:04 PM, Zack Weinberg wrote: For what it's worth, after complaints from campus IT we also wound up blocking SSH in the CMU Tor exit's policy. It's a shame we can't help people do sysadmin stuff and whatnot anonymously, but the port scans do seem to happen quite often. zw

Re: [tor-relays] SSH scans from Tor exit

2014-04-28 Thread I
Mike, Yes but the goal is to have more relays, exits and bridges and if commercial server operators are very low on spine we have to keep them onside carefully. I have just been kicked off another one after paying a year in advance. If we have no authoritative retort when they raise the first