Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-09-16 Thread Matt Corallo
I've taken to contacting the sender of the automated abuse reports and
noting that sending such emails may actually not be legal (at least in
the US) under CAN-SPAM. In some cases I've seen positive response as
people aren't even aware their random server with fail2ban is sending
these things.

Matt

On 8/29/19 11:26 PM, AMuse wrote:
> Hi all! I'm curious what y'all think of this situation.
> 
> I have SSH open as an exit port on a TOR exit that my friends and I are
> maintaining - and of course it's the #1 offender by far in automated
> abuse notifications we get from our ISP, from peoples' fail2ban servers
> sending abuse emails. This all seems like a huge waste of time, but
> that's a separate issue.
> 
> I'm wondering if nerfing outbound SSH to rate limit will be effective at
> getting the SSH scanning bots to stop using my exit in their circuit,
> while leaving SSH open for actual humans who need to SSH while using TOR.
> 
> I've implemented, as a test, rate limiting outbound on the SSH port. 
> What do you think the impact of this will be?  No impact? Losing exit
> status because connections on SSH die?  Something else entirely?
> 
> Here's the pf rules in question:
> 
> pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state
> 
> pass in on $ext_if proto tcp from any to any port 22 keep state
> 
> pass in on $ext_if proto tcp from any to any port 80 keep state
> 
> pass out on $ext_if from any to any keep state
> 
> pass out on $ext_if proto tcp from any to any port 22 keep state (max-src-conn 25, max-src-conn-rate 1/5)
> 
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread teor
Hi,

> On 30 Aug 2019, at 09:26, AMuse wrote:
> 
> I have SSH open as an exit port on a TOR exit that my friends and I are 
> maintaining - and of course it's the #1 offender by far in automated abuse 
> notifications we get from our ISP, from peoples' fail2ban servers sending 
> abuse emails. This all seems like a huge waste of time, but that's a separate 
> issue.
> 
> I'm wondering if nerfing outbound SSH to rate limit will be effective at 
> getting the SSH scanning bots to stop using my exit in their circuit, while 
> leaving SSH open for actual humans who need to SSH while using TOR.

I ran some large exits from 2016-2018, and I thought about this issue a lot.
Usually while dealing with automated abuse mails.

Ideally, we want a DoS mode that:
* allows the first connection from a circuit at full speed
* with each extra rapid connection, gradually slows connections from the
  same circuit

There's a bunch of fine tuning we could do by port, traffic volume,
and how busy other circuits are.

But that needs to be implemented in Tor, because only Tor can see circuits.

> I've implemented, as a test, rate limiting outbound on the SSH port.  What do 
> you think the impact of this will be?  No impact?

Probably.

> Losing exit status because connections on SSH die?

Unlikely. I think Exitmap only measures HTTP(S).

> Something else entirely?

Maybe scanners will move to another exit.

Maybe some SSH connections will be blocked, you should set your exit in
a client's torrc and try it out:

ExitNodes (fingerprint)
StrictNodes 1

T





[tor-relays] SSH scanning on TOR Exit - Nerfing Rules

2019-08-30 Thread AMuse
Hi all! I'm curious what y'all think of this situation.

I have SSH open as an exit port on a TOR exit that my friends and I are
maintaining - and of course it's the #1 offender by far in automated abuse
notifications we get from our ISP, from peoples' fail2ban servers sending
abuse emails. This all seems like a huge waste of time, but that's a
separate issue.

I'm wondering if nerfing outbound SSH to rate limit will be effective at
getting the SSH scanning bots to stop using my exit in their circuit, while
leaving SSH open for actual humans who need to SSH while using TOR.

I've implemented, as a test, rate limiting outbound on the SSH port.  What
do you think the impact of this will be?  No impact? Losing exit status
because connections on SSH die?  Something else entirely?

Here's the pf rules in question:

pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state

pass in on $ext_if proto tcp from any to any port 22 keep state

pass in on $ext_if proto tcp from any to any port 80 keep state

pass out on $ext_if from any to any keep state

pass out on $ext_if proto tcp from any to any port 22 keep state (max-src-conn 25, max-src-conn-rate 1/5)
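An added illustration of the two policies discussed in this thread, the per-source rate limit in AMuse's pf rule and the per-circuit slowdown teor sketches; it is written for this page and is not tor's code or anyone's pf.conf. The exit address, circuit labels and timings are constructed. The point it makes is the one teor's reply hinges on: a packet filter keys its connection counters on the source IP of the new connection, and every outbound stream leaves the exit with the exit's own address, so `max-src-conn-rate 1/5` on a `pass out` rule admits one new SSH connection per five seconds for the whole exit, scanner and human alike. A policy keyed on the circuit, which only tor can see, penalises just the circuit that is opening connections rapidly.

```python
"""Added example for the tor-relays SSH rate-limiting thread (not tor's
code, not anyone's pf.conf): simulate a per-source-IP connection-rate
limit, as a packet filter applies it, against a per-circuit slowdown of
the kind only tor itself could implement.  All addresses, circuit labels
and timings below are constructed."""
from collections import defaultdict, deque

# Constructed: the exit's own IP.  Every stream tor opens on behalf of a
# client leaves with this source address, which is all the firewall sees.
EXIT_IP = "198.51.100.7"


def constructed_trace():
    """New outbound port-22 streams as (time_s, circuit_label).

    Circuit 'scan' behaves like an SSH scanner: 20 connections in 2 s.
    Circuit 'human' opens a single interactive session in the middle."""
    events = [(0.1 * i, "scan") for i in range(20)]
    events.append((1.05, "human"))
    return sorted(events)


class PerSourceRateLimit:
    """Models a rule like pf's `max-src-conn-rate N/T`: at most N new
    connections per T seconds from one source address (pf uses a moving
    average; a sliding window is close enough for the comparison)."""

    def __init__(self, max_conns, seconds):
        self.max_conns = max_conns
        self.seconds = seconds
        self.recent = defaultdict(deque)  # src_ip -> times of accepted conns

    def allow(self, src_ip, now):
        q = self.recent[src_ip]
        while q and now - q[0] >= self.seconds:
            q.popleft()
        if len(q) >= self.max_conns:
            return False
        q.append(now)
        return True


class PerCircuitSlowdown:
    """The policy teor sketches: the first connection on a circuit goes at
    full speed; each further connection opened within `window` seconds of
    the previous one on the same circuit waits base_delay * (rapid count).
    Keyed on the circuit, which a firewall cannot see.  The returned delay
    is not fed back into the trace's timestamps; it is the penalty that
    would be applied to that connection."""

    def __init__(self, window, base_delay):
        self.window = window
        self.base_delay = base_delay
        self.last_seen = {}            # circuit -> time of its last connection
        self.rapid = defaultdict(int)  # circuit -> consecutive rapid connections

    def delay(self, circuit, now):
        last = self.last_seen.get(circuit)
        if last is not None and now - last < self.window:
            self.rapid[circuit] += 1
        else:
            self.rapid[circuit] = 0
        self.last_seen[circuit] = now
        return self.base_delay * self.rapid[circuit]


def run_per_source(max_conns=1, seconds=5):
    """Apply the per-source rule (AMuse's 1/5) to the trace.
    Returns {circuit: (allowed, blocked)}."""
    fw = PerSourceRateLimit(max_conns, seconds)
    counts = defaultdict(lambda: [0, 0])
    for t, circuit in constructed_trace():
        ok = fw.allow(EXIT_IP, t)  # keyed on the exit's IP, not the circuit
        counts[circuit][0 if ok else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


def run_per_circuit(window=1.0, base_delay=0.5):
    """Apply the per-circuit slowdown to the same trace.
    Returns {circuit: [delay applied to each of its connections]}."""
    policy = PerCircuitSlowdown(window, base_delay)
    delays = defaultdict(list)
    for t, circuit in constructed_trace():
        delays[circuit].append(policy.delay(circuit, t))
    return dict(delays)


if __name__ == "__main__":
    print("per-source 1/5 (allowed, blocked):", run_per_source())
    per_circuit = run_per_circuit()
    print("per-circuit human delays:", per_circuit["human"])
    print("per-circuit scanner delays, first/last:",
          per_circuit["scan"][0], per_circuit["scan"][-1])
```

On this trace the per-source rule lets through the scanner's first connection and then blocks everything for five seconds, including the human's single session that arrives a second later; the scanner loses nineteen connections but so does the only legitimate user. The per-circuit policy gives the human's connection no delay at all and a delay that grows with every rapid connection on the scanner's circuit, which is the shape teor describes, and it is the reason that shape has to live in tor rather than in pf.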