Re: [tor-relays] AU Relays and data retention

2017-10-04 Thread Paul Templeton
Thanx Teor,

I did speak to a lawyer and there is no requirement to retain any data if you 
run a node. It's treated as a VPN.

My question that I sent was more about whether a service (non commercial 
service) was exempt.
They don't delineate.

Paul
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Feedback wanted: letter to my university's library

2017-10-04 Thread Kenneth Freeman


On 10/03/2017 11:31 PM, Scott Bennett wrote:

>  They have refused to let me speak with those making the decisions about
> what is provided on their public computers, much less to make an organized
> presentation to them.  I was told that the decisions about software on the
> computers are made by the library board, not even by the IT staff.  What is
> a good approach to get better results?  I am at a loss as to how to get the
> library to emerge from the stone age into the age of the Cheka, much less
> that of the NSA, FSB, search engine profilers, botnets, packet sniffers,
> spyware, etc.

One might think that providing the Tor browser would be a no-brainer,
but that's not the case in the Boise Public Library system. The
bureaucratic inertia is a very real thing, so good luck getting them to
install relays and exits too! First things first.





Re: [tor-relays] AU Relays and data retention

2017-10-04 Thread teor

> On 4 Oct 2017, at 22:52, teor  wrote:
> 
> But I'm not a lawyer, so you should get your own lawyer.
> Or run a relay outside Australia.

Or run an exit, because exits never know client IP addresses.
All they know is the destination. And internet destinations are
excluded from Australia's retention regime.

T


Re: [tor-relays] AU Relays and data retention

2017-10-04 Thread teor

> On 4 Oct 2017, at 20:02, Paul Templeton  wrote:
> 
> The extent of data retention obligations for your relevant service would 
> relate to the extent to which elements of the data set are “visible” to you. For 
> example, where a provider does not have “visibility” of a customer’s IP 
> address, it is likely that the IP address was assigned as part of a different 
> relevant service.
> For example, if you have a record of the MAC addresses of users who access 
> your network then this information must be retained for the required period.  
> You are not obliged to retain the identity of the user if this is not 
> information to which you have access.

Tor Guards have access to client IP addresses.
So I'm not sure if you gave inaccurate information to the department,
or they misunderstood what you said.

But, even if you know the client IP address, you may be exempt under
section 4.3 of the FAQs, because the IP address is allocated by the
client's ISP, and you don't know the destination.

4.3. If provider offers an internet access service, is it required to retain IP 
addresses allocated by other providers?

If the service in question only offers connection to the internet, a service 
provider will not be required to retain IP addresses allocated by other 
providers.

However, if a provider offers an additional OTT service, such as VoIP, it will 
be required to retain the relevant destination communication information.

For example, if a provider operates both an internet access service and an OTT 
service—it will be required to retain destination information only for the OTT 
service.

https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/DataRetentionIndustryFAQS.pdf

But I'm not a lawyer, so you should get your own lawyer.
Or run a relay outside Australia.

T


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread tanous .c
Thank you all for replying,
I will answer the notification with the template mentioned by Rejo and
include the link for ExoneraTor recommended by Jon.

Best Regards,

Tanous

2017-10-04 11:34 GMT-03:00 Jonathan Proulx :

> Here's my version of the same:
>
> Hello,
>
> The source address 128.52.128.105 is a Tor exit node, and is not the
> origin point for the traffic in question.  See
> http://tor-exit.csail.mit.edu (which is the host in your logs) for
> details.  Any action taken on this node would simply result in the
> problem traffic using a different exit.
>
> For further information please read http://tor-exit.csail.mit.edu/ the
> bottom of this page includes information on how to block all Tor exits
> should you wish to do so (including links to get a list of all current
> Tor exits).
>
> Sincerely,
> The Infrastructure Group
> MIT Computer Science and Artificial Intelligence Laboratory
>
> I recently learned about https://exonerator.torproject.org/ if you
> don't have a large institutional name to hide behind like I do, you
> may want to include that in whatever response you use to lend
> credibility to your exit claim.
>
> -Jon
>
> On Wed, Oct 04, 2017 at 08:26:06AM +0200, Rejo Zenger wrote:
> :Hey,
> :
> :Yes, I do more or less the same. If the complaint is sent using some
> automated system, I "do nothing." If the complaint is sent by a human, I'll
> answer them with a template, see below. If there is a followup response to
> that, I'll do some more explaining, oftentimes pointing them at the block
> lists provided by the Tor Project.
> :
> :Here's the default answer:
> :
> :---
> :
> :Thanks a lot for your notification. The traffic originating from the
> IP-address is traffic from a Tor exit-node. As I am not sure whether you
> are familiar with the Tor network, I would like to provide some explanation.
> :
> :Tor is network software that helps users to enhance their privacy,
> security, and safety online. It does not host any content. Rather, it is
> part of a network of nodes on the Internet that simply pass packets among
> themselves before sending them to their destinations, just as any Internet
> intermediary does. The difference is that Tor tunnels the connections such
> that no hop can learn both the source and destination of the packets,
> giving users protection from nefarious snooping on network traffic. The
> result is that, unlike most other Internet traffic, the final IP address
> that the recipient receives is not the IP address of the sender.
> :
> :I run a Tor node to provide privacy to people who need it most: average
> computer users. Tor sees use by many important segments of the population,
> including whistle blowers, journalists, Chinese dissidents skirting the
> Great Firewall and oppressive censorship, abuse victims, stalker targets,
> the US military, and law enforcement, just to name a few. While Tor is not
> designed for malicious computer users, it is true that they can use the
> network for malicious ends.
> :
> :Of course, the Tor network may be abused by others and apparently this is
> what you are seeing. I am very sorry for this to happen to you. In reality
> however, the actual amount of abuse is quite low. This is largely because
> criminals and hackers have significantly better access to privacy and
> anonymity than do the regular users whom they prey upon. Criminals can and
> do build, sell, and trade far larger and more powerful networks than Tor on
> a daily basis.
> :
> :To avoid any more traffic from this source, you could (temporarily) block
> the IP-address of my Tor exit node. You also have the option of blocking
> all exit nodes on the Tor network if you so desire.  The Tor project
> provides a web service to fetch a list of all IP addresses of Tor exit
> nodes that allow exiting to a specified IP:port combination, and an
> official DNSRBL is also available to determine if a given IP address is
> actually a Tor exit server.
> :
> :---
> :
> :
> :
> :
> :++ 04/10/17 02:44 + - teor:
> :>
> :>> On 3 Oct 2017, at 22:35, tanous .c  wrote:
> :>>
> :>> Have any of you had this sort of problem? I'm having difficulty
> determining if this log information represents a normal exit relay
> occurrence or if my server has been compromised... What could I do in order
> to solve this?
> :>
> :>Yes, Profihost sent me one recently that looked very similar.
> :>Fortunately, I use OutboundBindAddress, so I knew it was
> :>(very likely to be) exit traffic.
> :>
> :>You can:
> :>* do nothing
> :>* respond and ask for verification that they want your exit
> :>   to block their site, but explain that they need to block
> :>   all Tor Exits for the traffic to stop
> :>* add exit policy entries to block each of the mentioned
> :>   IPs and ports
> :>* block port 22 on your exit
> :>
> :>I'll be doing nothing.
> :>
> :>You should consider your provider's reaction, because they
> :>may want you do something about the complaint, even if
> :>it's something ineffective.
> :>
> 
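
Before changing an exit policy in response to a complaint like the one discussed above, it helps to check what the resulting policy actually permits. The following is an added example, not code from any poster in this thread or from the Tor Project: it models the torrc rule that ExitPolicy entries are matched first to last with the first match winning, and handles IPv4 only. The complaint addresses are constructed from documentation ranges, and the `default` argument stands in for whatever Tor appends after your own lines (its built-in default policy, unless your policy ends with accept *:* or reject *:*).

```python
"""Check what a Tor ExitPolicy actually permits before pushing it to a relay.

Added example, not Tor Project code. Models torrc semantics: policies are
read first-to-last and the first matching entry wins. IPv4 only. `default`
stands in for whatever Tor appends after your own lines.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# (action, network, first_port, last_port)
Rule = Tuple[str, ipaddress.IPv4Network, int, int]


def parse_rule(text: str) -> Rule:
    """Parse one 'accept|reject ADDR[/MASK]:PORT[-PORT]' entry ('*' allowed)."""
    action, target = text.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action {action!r}")
    addr, ports = target.rsplit(":", 1)
    net = (ipaddress.IPv4Network("0.0.0.0/0") if addr == "*"
           else ipaddress.IPv4Network(addr, strict=False))
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {ports!r}")
    return action, net, lo, hi


def parse_policy(lines: Iterable[str]) -> List[Rule]:
    """Parse torrc lines: optional leading 'ExitPolicy' keyword, '#' comments,
    and comma-separated entries on one line, as torrc allows."""
    rules: List[Rule] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("ExitPolicy"):
            line = line[len("ExitPolicy"):].strip()
        for entry in line.split(","):
            rules.append(parse_rule(entry.strip()))
    return rules


def allows(policy: Sequence[Rule], dest_ip: str, dest_port: int,
           default: str = "accept") -> bool:
    """First matching rule wins; fall back to `default` when nothing matches."""
    ip = ipaddress.IPv4Address(dest_ip)
    for action, net, lo, hi in policy:
        if ip in net and lo <= dest_port <= hi:
            return action == "accept"
    return default == "accept"


def reject_lines(pairs: Iterable[Tuple[str, int]]) -> List[str]:
    """torrc lines that block exactly the IP:port pairs named in a complaint."""
    return [f"ExitPolicy reject {ip}:{port}" for ip, port in pairs]


def still_allowed(policy: Sequence[Rule], pairs: Iterable[Tuple[str, int]]):
    """Complained-about destinations that the policy would still let through."""
    return [(ip, port) for ip, port in pairs if allows(policy, ip, port)]


# Constructed complaint: two SSH targets in documentation address space.
COMPLAINT = [("198.51.100.7", 22), ("198.51.100.9", 22)]

# Option 1 from the thread: reject only the named IP:port pairs.
PER_IP_POLICY = parse_policy(reject_lines(COMPLAINT) + ["ExitPolicy accept *:*"])
# Option 2 from the thread: stop carrying SSH at all.
NO_SSH_POLICY = parse_policy(["ExitPolicy reject *:22", "ExitPolicy accept *:*"])

if __name__ == "__main__":
    for name, pol in (("per-IP", PER_IP_POLICY), ("no-ssh", NO_SSH_POLICY)):
        print(name, "still allows:", still_allowed(pol, COMPLAINT),
              "| next host 198.51.100.8:22 ->", allows(pol, "198.51.100.8", 22))
```

Running it shows the trade-off behind teor's options: the per-IP rejects cover the two named targets but leave the next address in the same range reachable, while reject *:22 closes SSH for every destination and so actually stops this class of complaint.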

Re: [tor-relays] Feedback wanted: letter to my university's library

2017-10-04 Thread I
> -Original Message-
> From: ali...@torproject.org

> Yes, I do a basic training which includes HTTPS, cookies, software
> updates, passwords, and the like. It's both to educate the librarians
> into better practices and to help them teach classes to their patrons.
> That said, my organization has trained thousands of librarians on
> privacy and security issues, and thanks to our work you'll now find Tor
> discussed at major (and minor) library conferences, Tor Browser on
> public computers, libraries teaching privacy classes to their patrons,
> and the like. So I think things are improving.

Really good, Alison.






[tor-relays] AU Relays and data retention

2017-10-04 Thread Paul Templeton
Hi All,

I have asked the Attorney Generals Department about data retention and got the 
following response.

If you run a relay/bridge here you seem to be exempt from retaining data. If 
you're not an ISP and you run a service from home, the ISP/carrier will retain the 
data though.

This is just general information.

Regards,

Paul

UNCLASSIFIED
Dear Mr Templeton

Thank you for your enquiry to the Office of Communications and Cybercrime.
I am re-sending our reply to your original enquiry that we sent on 12 September 
2017 that seems to have not arrived.
The extent of data retention obligations for your relevant service would relate 
to the extent to which elements of the data set are “visible” to you. For example, 
where a provider does not have “visibility” of a customer’s IP address, it is 
likely that the IP address was assigned as part of a different relevant service.
For example, if you have a record of the MAC addresses of users who access your 
network then this information must be retained for the required period.  You 
are not obliged to retain the identity of the user if this is not information 
to which you have access.
Whether the service is being offered on a commercial basis or is free is 
irrelevant in determining a service provider's obligations.
In your email you noted that "The true origin of a connection and the true 
destination will never be known and there will be no way of obtaining the 
information. That also pertains to the ports used in the circuit and all data 
passing through the circuit will be encrypted." This sentence appears to 
suggest that you may be  looking to offer some kind of an internet access 
service, in which case the destination is not required to be retained.
Your reference to encrypted content suggests a VPN. If this is the case and 
this service is not operated by you, obligations do not apply. Also, data 
retention would not require you to store the contents of the communications.
Please do not hesitate to contact our office if you require further information.

Regards

Kerry

Office of Communications Access & Cybercrime Intelligence and Identity Security 
Division
T: (02) 6141 2884


The information contained in this email is intended as guidance only.  It does 
not constitute legal advice and should not be relied upon as such. If you 
require legal advice, you should consult an independent legal adviser.


Re: [tor-relays] Feedback wanted: letter to my university's library

2017-10-04 Thread Alison Macrina
Scott Bennett:
> Alison Macrina  wrote:
> 
>> Scott Bennett wrote:
>>> If he discovers that neither his campus library nor the university as a
>>> whole is already officially running at least one relay, this may be a better
>>> way to teach them.  If, rather than going for a relay, which is quite likely
>>> to scare them until they understand more and better about tor, AJ were
>>> instead to campaign to get the library to install the tor browser bundle
>>> onto its publicly available computers, that alone would be a terrific
>>> coup and might engender a great deal of student support for tor on campus
>>> over time.  (The library would, of course, need to find a way to lock down
>>> the settings of the installed bundle, so that it couldn't be turned into
>>> a relay by users, but that should not be difficult to do.)  If he succeeded
>>> in getting the tor browser bundle added to the library's most likely tightly
>>> limited list of applications available on its public machines, he could then
>>> wait a while to see what the staff members thought of it.  If they decided
>>> after watching it in use for a while that it was a good thing to have made
>>> available to their users, you might then approach another department that
>>> operates a student computer lab to try to get TBB installed there.  If the
>>> library employees liked it, they might give the prospective department a
>>> positive recommendation.  If AJ played it right and it usually turned out
>>> well, he might eventually cover much of the campus with TBB installations.
>>> In any case, getting the TBB installed would educate far more people about
>>> anonymity and privacy issues than merely getting a relay installed that most
>>> people would never be aware of.
>>
>> This is a great idea, and the slides I shared in my last email could
>> help get this conversation started (the slides cover Tor Browser as well
>> as relays and other Tor stuff). If AJ is interested I can connect him
>> with other libraries I've worked with that have installed Tor Browser on
>> all of their public computers.
>>
>  I, for one, am very happy to know that Alison and her organization are
> making those materials available.  They have the potential to assist many
> people like AJ in making the public more aware of the issues and of the tools
> available to help it protect/recover its privacy and anonymity.

Thanks!

>  Alison, do you also have materials on using HTTPS where available
> instead of HTTP?  The dangers inherent in allowing Java or JavaScript to be
> enabled in one's web browser?  Cookies?  Tools like the HTTPSeverywhere and
> NoScript plug-ins for Firefox?  

Yes, I do a basic training which includes HTTPS, cookies, software
updates, passwords, and the like. It's both to educate the librarians
into better practices and to help them teach classes to their patrons.

> The reasons for avoiding the use of telnet
> clients and which tools to use instead for remote logins?  If not, they would
> make great additions, particularly pages that explain how to convince
> librarians about these matters?

Typically I don't cover remote login security because it's not something
that most librarians have a direct need for, and there's so much else to
cover.

>  Let me give an example.  I have for at least ten years asked my local
> public library to provide a) a secure shell client, b) a secure web browser
> for ordinary use where anonymity is not a concern, c) a secure FTP client,
> and d) the TBB for use by those who desire anonymity.  They have always
> refused to budge.  They run an unsecurable OS on their public computers.  They
> provide only Internet Explorer for web access.  I'm unsure whether they still
> allow any FTP access at all.  As you can imagine, they have severely limited
> the usefulness of their computers to the library patrons they claim to serve.
> I could not, for example, submit my on-line application to renew my flight
> instructor certificate via the library's computers.

Sadly, the situation you describe is fairly common in libraries. I have
had a lot of success helping many libraries make significant changes,
but it takes a lot of work building the relationship and convincing
their stakeholders that these things are important. I am a former
librarian too, and so I think they are more likely to listen to me.

That said, my organization has trained thousands of librarians on
privacy and security issues, and thanks to our work you'll now find Tor
discussed at major (and minor) library conferences, Tor Browser on
public computers, libraries teaching privacy classes to their patrons,
and the like. So I think things are improving.

>  They have refused to let me speak with those making the decisions about
> what is provided on their public computers, much less to make an organized
> presentation to them.  I was told that the decisions about software on the
> computers are made by the library board, not even by the IT staff.  What is
> a good a

Re: [tor-relays] Feedback wanted: letter to my university's library

2017-10-04 Thread William Denton

On 4 October 2017, Scott Bennett wrote:


Let me give an example.  I have for at least ten years asked my local
public library to provide a) a secure shell client, b) a secure web browser
for ordinary use where anonymity is not a concern, c) a secure FTP client,
and d) the TBB for use by those who desire anonymity.  They have always
refused to budge.  They run an unsecurable OS on their public computers.  They
provide only Internet Explorer for web access.  I'm unsure whether they still
allow any FTP access at all.  As you can imagine, they have severely limited
the usefulness of their computers to the library patrons they claim to serve.
I could not, for example, submit my on-line application to renew my flight
instructor certificate via the library's computers.
They have refused to let me speak with those making the decisions about
what is provided on their public computers, much less to make an organized
presentation to them.  I was told that the decisions about software on the
computers are made by the library board, not even by the IT staff.  What is
a good approach to get better results?


I fear there is nothing you can do.  If they're like that, it's not going to 
change until there's a new chief librarian or head of library IT.  Public 
libraries can be terrible for problems like this.  When the right person is in 
the right job, they can move fast and experiment, but that's rare.  When a 
library thinks offering only IE is the right thing to do, Tor must terrify them.


But if you can't speak to the public library board there's a problem much bigger 
than what they run on their computers!  That is just not right.  Public 
libraries have to be responsible to their public.  Could your city councillor 
help?  The local newspaper?


Good luck!  It's a shame your local library is ignoring someone with your 
expertise.


Bill
--
William Denton :: Toronto, Canada   ---   Listening to Art: 
https://listeningtoart.org/
https://www.miskatonic.org/ ---   GHG.EARTH: http://ghg.earth/
Caveat lector.  ---   STAPLR: http://staplr.org/


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
The instance I use for administrative purposes (SSH and APT) is a separate
one, client-only.

-Original Message-
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf
Of teor
Sent: Wednesday, October 4, 2017 5:49 AM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] SSH brute force attempts to connect to my Middle
Relay IP address


> On 4 Oct 2017, at 02:26, Igor Mitrofanov 
wrote:
> 
> I have setup a (private, key-based) Tor hidden service for SSH
administration. It works well and leaves no extra open ports to attack.
> 
> If you also take advantage of package updates over Tor (via the local 
> SOCKS5 proxy that any Tor instance provides)

We don't recommend that you run a client and hidden service on the same tor
instance. It makes traffic correlation easier, because your traffic all goes
through the same guard. (There are probably some other reasons,
too.)

Depending on your threat model, this might not be an issue for you.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n





Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Jonathan Proulx
On Wed, Oct 04, 2017 at 02:32:10PM +0100, Robin wrote:
:I restrict SSH access with iptables allowing only access from two IP addresses 
(work, and home).
:I also disable root login (as many already do), as well as use the AllowUsers 
option in SSH.

Hard for me to tell if my Tor nodes get any more scans because I have
a similar IP restricted setup.

I can say a public login system that I run currently has 144 hosts
blacklisted by sshguard which means they've failed a number of login
attempts and at least one in the past 2 minutes, not sure what the
average size of that list is but that subjectively seems normalish

Someone did apparently try to DoS my exit a couple weeks ago and
Akamai/Prolexic (contracted by my upstream provider so I had no
contacts) helpfully "mitigated" this by null routing the whole /24 it
was on :( This is more a fight between me and my provider but I still
have no response on what triggered that so can't provide any more
detail, just eventually went away on its own.

-Jon


:
:regards, Robin
:
:- Original message -
:From: Fr33d0m4all 
:To: tor-relays@lists.torproject.org
:Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay 
IP address
:Date: Wed, 4 Oct 2017 08:02:55 +0200
:
:Hi,
:My Tor middle relay public IP address is the victim of SSH brute-force connection 
attempts and the attack has been going on for two weeks. It’s not 
a problem, the server that is listening with SSH on the same IP address as my 
Tor relay blocks the connections and bans the IP addresses (with Fail2Ban), but 
I just wanted to know if there is some campaign of attacks carried out against Tor 
relays.. are you experiencing the same? The attacks are carried out with a 
botnet given the large amount of different IP addresses that I see in the logs.
:
:Best regards,
:   Fr33d0m4All


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Jonathan Proulx
Here's my version of the same:

Hello,

The source address 128.52.128.105 is a Tor exit node, and is not the
origin point for the traffic in question.  See
http://tor-exit.csail.mit.edu (which is the host in your logs) for
details.  Any action taken on this node would simply result in the
problem traffic using a different exit.

For further information please read http://tor-exit.csail.mit.edu/ the
bottom of this page includes information on how to block all Tor exits
should you wish to do so (including links to get a list of all current
Tor exits).

Sincerely,
The Infrastructure Group
MIT Computer Science and Artificial Intelligence Laboratory

I recently learned about https://exonerator.torproject.org/ if you
don't have a large institutional name to hide behind like I do, you
may want to include that in whatever response you use to lend
credibility to your exit claim.

-Jon

On Wed, Oct 04, 2017 at 08:26:06AM +0200, Rejo Zenger wrote:
:Hey,
:
:Yes, I do more or less the same. If the complaint is sent using some automated 
system, I "do nothing." If the complaint is sent by a human, I'll answer them 
with a template, see below. If there is a followup response to that, I'll do 
some more explaining, oftentimes pointing them at the block lists provided by 
the Tor Project.
:
:Here's the default answer:
:
:---
:
:Thanks a lot for your notification. The traffic originating from the 
IP-address is traffic from a Tor exit-node. As I am not sure whether you are 
familiar with the Tor network, I would like to provide some explanation.
:
:Tor is network software that helps users to enhance their privacy, security, 
and safety online. It does not host any content. Rather, it is part of a 
network of nodes on the Internet that simply pass packets among themselves 
before sending them to their destinations, just as any Internet intermediary 
does. The difference is that Tor tunnels the connections such that no hop can 
learn both the source and destination of the packets, giving users protection 
from nefarious snooping on network traffic. The result is that, unlike most 
other Internet traffic, the final IP address that the recipient receives is not 
the IP address of the sender.
:
:I run a Tor node to provide privacy to people who need it most: average 
computer users. Tor sees use by many important segments of the population, 
including whistle blowers, journalists, Chinese dissidents skirting the Great 
Firewall and oppressive censorship, abuse victims, stalker targets, the US 
military, and law enforcement, just to name a few. While Tor is not designed 
for malicious computer users, it is true that they can use the network for 
malicious ends.
:
:Of course, the Tor network may be abused by others and apparently this is what 
you are seeing. I am very sorry for this to happen to you. In reality however, 
the actual amount of abuse is quite low. This is largely because criminals and 
hackers have significantly better access to privacy and anonymity than do the 
regular users whom they prey upon. Criminals can and do build, sell, and trade 
far larger and more powerful networks than Tor on a daily basis.
:
:To avoid any more traffic from this source, you could (temporarily) block the 
IP-address of my Tor exit node. You also have the option of blocking all exit 
nodes on the Tor network if you so desire.  The Tor project provides a web 
service to fetch a list of all IP addresses of Tor exit nodes that allow 
exiting to a specified IP:port combination, and an official DNSRBL is also 
available to determine if a given IP address is actually a Tor exit server.
:
:---
:
:
:
:
:++ 04/10/17 02:44 + - teor:
:>
:>> On 3 Oct 2017, at 22:35, tanous .c  wrote:
:>> 
:>> Have any of you had this sort of problem? I'm having difficulty determining 
if this log information represents a normal exit relay occurrence or if my 
server has been compromised... What could I do in order to solve this?
:>
:>Yes, Profihost sent me one recently that looked very similar.
:>Fortunately, I use OutboundBindAddress, so I knew it was
:>(very likely to be) exit traffic.
:>
:>You can:
:>* do nothing
:>* respond and ask for verification that they want your exit
:>   to block their site, but explain that they need to block
:>   all Tor Exits for the traffic to stop
:>* add exit policy entries to block each of the mentioned
:>   IPs and ports
:>* block port 22 on your exit
:>
:>I'll be doing nothing.
:>
:>You should consider your provider's reaction, because they
:>may want you do something about the complaint, even if
:>it's something ineffective.
:>
:>Tim
:
:
:-- 
:Rejo Zenger
:E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl  
:T @rejozenger | J r...@zenger.nl
:
:OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
:XMPP OTR  271A 9186 AFBC 8124 18
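
To decide whether a complaint (or your own auth.log) describes exit traffic rather than a compromised host, the source addresses can be matched against a Tor exit list. The following is an added example and not code from Jon, Rejo, or the Tor Project; it assumes OpenSSH-style "Failed password ... from A.B.C.D port N" log lines and an exit list in the one-address-per-line format of the Tor Project's bulk exit list, and every address and log line in it is constructed from documentation ranges.

```python
"""Triage SSH brute-force sources against a Tor exit list.

Added example, not code from the Tor Project or from this thread's posters.
Assumes OpenSSH "Failed password ... from A.B.C.D port N" lines and an exit
list with one IPv4 address per line ('#' comments allowed). All sample data
below is constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Set

# sshd writes one "Failed password" line per rejected attempt. The separate
# "Invalid user" line for unknown accounts is not counted, to avoid double
# counting the same attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .*? from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_exit_list(text: str) -> Set[str]:
    """One IPv4 address per line; blank lines and '#' comments are ignored."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            exits.add(line)
    return exits


def failed_login_sources(log_lines: Iterable[str]) -> Counter:
    """Failed-login attempts per source address."""
    counts: Counter = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(log_lines: Iterable[str], exit_list_text: str) -> Dict[str, Dict[str, int]]:
    """Split attempt counts into sources that are listed Tor exits and the rest."""
    exits = parse_exit_list(exit_list_text)
    counts = failed_login_sources(log_lines)
    return {
        "tor_exits": {ip: n for ip, n in counts.items() if ip in exits},
        "other": {ip: n for ip, n in counts.items() if ip not in exits},
    }


# Constructed auth.log excerpt (documentation address ranges).
SAMPLE_LOG = """\
Oct  4 08:02:55 relay sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct  4 08:02:57 relay sshd[1235]: Invalid user admin from 203.0.113.5 port 40000
Oct  4 08:02:58 relay sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40000 ssh2
Oct  4 08:03:01 relay sshd[1240]: Accepted publickey for ops from 192.0.2.10 port 22222 ssh2
Oct  4 08:03:05 relay sshd[1241]: Failed password for root from 198.51.100.7 port 51240 ssh2
""".splitlines()

# Constructed exit list in bulk-exit-list format (not a real snapshot).
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real snapshot
198.51.100.7
198.51.100.44
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_EXIT_LIST)
    for ip, n in result["tor_exits"].items():
        print(f"{ip}: {n} attempts via a listed Tor exit -> reply with the exit-node template")
    for ip, n in result["other"].items():
        print(f"{ip}: {n} attempts from a non-exit address -> investigate normally")
```

For a real complaint, fetch a current list (or use ExoneraTor for the date in the complaint, since exit membership changes from day to day) instead of a pasted snapshot. A hit only says the address was an exit at that time, which is exactly the claim the reply templates above make; a miss on an old list is not proof the host was compromised.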

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Robin
I restrict SSH access with iptables allowing only access from two IP addresses 
(work, and home).
I also disable root login (as many already do), as well as use the AllowUsers 
option in SSH.

regards, Robin

- Original message -
From: Fr33d0m4all 
To: tor-relays@lists.torproject.org
Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP 
address
Date: Wed, 4 Oct 2017 08:02:55 +0200

Hi,
My Tor middle relay public IP address is the victim of SSH brute-force connection 
attempts and the attack has been going on for two weeks. It’s not a problem, 
the server that is listening with SSH on the same IP address as my Tor relay 
blocks the connections and bans the IP addresses (with Fail2Ban), but I just 
wanted to know if there is some campaign of attacks carried out against Tor 
relays.. are you experiencing the same? The attacks are carried out with a 
botnet given the large amount of different IP addresses that I see in the logs.

Best regards,
   Fr33d0m4All


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread teor

> On 4 Oct 2017, at 02:26, Igor Mitrofanov  wrote:
> 
> I have setup a (private, key-based) Tor hidden service for SSH 
> administration. It works well and leaves no extra open ports to attack.
> 
> If you also take advantage of package updates over Tor (via the local SOCKS5 
> proxy that any Tor instance provides)

We don't recommend that you run a client and hidden service on the same
tor instance. It makes traffic correlation easier, because your traffic
all goes through the same guard. (There are probably some other reasons,
too.)

Depending on your threat model, this might not be an issue for you.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n






Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Thomas Dünser
Hi,

could it help to use iptables to limit to 3 attempts per minute, or to
use Fail2ban?

Regards

Tom


On 10/04/2017 01:07 PM, Martin Møller Skarbiniks Pedersen wrote:
> On 4 October 2017 at 08:41, Fr33d0m4all wrote:
> >
> > I know, I know about how internet works :) I’ve just simply noted a
> large increase in SSH brute force attempts in the last two weeks. BTW
> I don’t have root login enabled and I have two factor authentication
> on my SSH port (not standard),
>
>
> I also get a lot of ssh brute force attempts but then I drink some
> hot chocolate and all
> my worries go away :-)
> However I am running ssh on port 22 so I do expect a lot of brute
> force attempts.
>
> I do find it a bit strange if you are running ssh on another port and
> still get
> many brute force attempts.
>
> Just curious: how many brute force attempts per day approx? a few
> thousand?
>
> Regards
> Martin
>
>


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Martin Møller Skarbiniks Pedersen
On 4 October 2017 at 08:41, Fr33d0m4all wrote:
>
> I know, I know about how the internet works :) I’ve just simply noted a large
increase in SSH brute force attempts in the last two weeks. BTW I don’t
have root login enabled and I have two factor authentication on my SSH port
(not standard),


I also get a lot of ssh brute force attempts but then I drink some hot
chocolate and all
my worries go away :-)
However, I am running ssh on port 22 so I do expect a lot of brute force
attempts.

I do find it a bit strange if you are running ssh on another port and still
get
many brute force attempts.

Just curious: how many brute force attempts per day approx? a few thousand?

Regards
Martin


Re: [tor-relays] SSH Bruteforce Attempts

2017-10-04 Thread Rejo Zenger
Hey,

Yes, I do more or less the same. If the complaint is sent using some automated 
system, I "do nothing." If the complaint is sent by a human, I'll answer them 
with a template, see below. If there is a followup response to that, I'll do 
some more explaining, oftentimes pointing them at the block lists provided by 
the Tor Project.

Here's the default answer:

---

Thanks a lot for your notification. The traffic originating from the IP-address 
is traffic from a Tor exit-node. As I am not sure whether you are familiar with 
the Tor network, I would like to provide some explanation.

Tor is network software that helps users to enhance their privacy, security, 
and safety online. It does not host any content. Rather, it is part of a 
network of nodes on the Internet that simply pass packets among themselves 
before sending them to their destinations, just as any Internet intermediary 
does. The difference is that Tor tunnels the connections such that no hop can 
learn both the source and destination of the packets, giving users protection 
from nefarious snooping on network traffic. The result is that, unlike most 
other Internet traffic, the final IP address that the recipient receives is not 
the IP address of the sender.

I run a Tor node to provide privacy to people who need it most: average 
computer users. Tor sees use by many important segments of the population, 
including whistle blowers, journalists, Chinese dissidents skirting the Great 
Firewall and oppressive censorship, abuse victims, stalker targets, the US 
military, and law enforcement, just to name a few. While Tor is not designed 
for malicious computer users, it is true that they can use the network for 
malicious ends.

Of course, the Tor network may be abused by others and apparently this is what 
you are seeing. I am very sorry that this has happened to you. In reality however, 
the actual amount of abuse is quite low. This is largely because criminals and 
hackers have significantly better access to privacy and anonymity than do the 
regular users whom they prey upon. Criminals can and do build, sell, and trade 
far larger and more powerful networks than Tor on a daily basis.

To avoid any more traffic from this source, you could (temporarily) block the 
IP-address of my Tor exit node. You also have the option of blocking all exit 
nodes on the Tor network if you so desire.  The Tor project provides a web 
service to fetch a list of all IP addresses of Tor exit nodes that allow 
exiting to a specified IP:port combination, and an official DNSRBL is also 
available to determine if a given IP address is actually a Tor exit server.

---




++ 04/10/17 02:44 + - teor:
>
>> On 3 Oct 2017, at 22:35, tanous .c  wrote:
>> 
>> Have any of you had this sort of problem? I'm having difficulty determining 
>> if this log information represents a normal exit relay occurrence or if my 
>> server has been compromised... What could I do in order to solve this?
>
>Yes, Profihost sent me one recently that looked very similar.
>Fortunately, I use OutboundBindAddress, so I knew it was
>(very likely to be) exit traffic.
>
>You can:
>* do nothing
>* respond and ask for verification that they want your exit
>   to block their site, but explain that they need to block
>   all Tor Exits for the traffic to stop
>* add exit policy entries to block each of the mentioned
>   IPs and ports
>* block port 22 on your exit
>
>I'll be doing nothing.
>
>You should consider your provider's reaction, because they
>may want you do something about the complaint, even if
>it's something ineffective.
>
>Tim


-- 
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl  
T @rejozenger | J r...@zenger.nl

OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF




Re: [tor-relays] Attacks to and from Tor

2017-10-04 Thread IPonU

1) I think you can't

2) All Tor relays IPs are public


On 04/10/2017 at 08:49, Thomas Dünser wrote:

Hi everybody,

I've read a few threads about attacks from exit nodes to the clear net
and from the clear net to tor nodes and have several questions:

-How can you recognise that attacks on Tor nodes are specifically aimed
at Tor?

-And how can a clear-net user, or better an IDS, easily differentiate between
an attacker coming over Tor (an exit node) and one coming from a clear-net host?

I think this is important to categorize the situation.

Thanks,

Tom


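As an added example (not from this thread, and not Tor Project code), the following Python addresses Tom's IDS question and Martin's "how many attempts per day" question: it counts sshd password failures per source address from constructed auth-log lines and marks which sources appear in a locally cached copy of the Tor exit list (also constructed here). The dnsel_query_name helper only builds the TorDNSEL lookup name under dnsel.torproject.org and does not perform the DNS query, so everything runs offline; the log format assumed is stock OpenSSH.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd auth-log lines; 198.51.100.23 plays the Tor exit.
SAMPLE_AUTH_LOG = """\
Oct  4 08:41:01 relay sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Oct  4 08:41:03 relay sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2
Oct  4 08:41:09 relay sshd[1204]: Failed password for root from 198.51.100.23 port 40012 ssh2
Oct  4 08:41:15 relay sshd[1207]: Accepted publickey for ops from 192.0.2.10 port 2222 ssh2
Oct  4 08:41:20 relay sshd[1209]: Failed password for invalid user pi from 203.0.113.7 port 51540 ssh2
"""

# Constructed stand-in for a locally cached copy of the Tor bulk exit list.
SAMPLE_EXIT_LIST = """\
# constructed addresses, not real exits
198.51.100.23
198.51.100.99
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

def load_exit_list(text: str) -> set[str]:
    """Parse a one-address-per-line exit list, skipping comments and blanks."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(str(ipaddress.ip_address(line)))  # normalise, reject junk
    return exits

def classify_failures(log_text: str, exits: set[str]) -> dict[str, dict]:
    """Count failed logins per source IP and mark those arriving via a Tor exit."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: {"failures": n, "via_tor_exit": ip in exits} for ip, n in counts.items()}

def dnsel_query_name(ip: str) -> str:
    """TorDNSEL name for an IPv4 address: reversed octets under dnsel.torproject.org
    (an A answer of 127.0.0.2 means the address is an exit). The lookup itself is
    not performed here so the example runs offline."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".dnsel.torproject.org"
```

Feeding a day's auth log through classify_failures gives the per-source counts Martin asked about, with Tor exits separated from ordinary clear-net scanners.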


Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Santiago
On 04/10/17 at 08:41, Fr33d0m4all wrote:
> I know, I know about how the internet works :) I’ve just simply noted a large 
> increase in SSH brute force attempts in the last two weeks. BTW I don’t have 
> root login enabled and I have two factor authentication on my SSH port (not 
> standard), which is enabled only for a single low-privilege user, so there’s 
> no problem. I work for a provider and I manage IPS devices, so I know that it 
> is common to have a large amount of intrusion attempts, I was just wondering 
> if there was some attack against Tor nodes going on since the increase of 
> intrusion attempts in the last few weeks :)
> 
> Best regards,

Also, you could consider pam-abl (auto blacklisting) instead of
fail2ban. Relying on PAM, it doesn't need to process the logs to ban
hosts or users.