I have set up a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open ports to attack.
If you also take advantage of package updates over Tor (via the local SOCKS5 proxy that any Tor instance provides), the only non-OR incoming traffic you need to allow is an occasional NTP (UDP) time sync, plus ICMP 3/4 (fragmentation required). If you drop everything else, fail2ban becomes unnecessary.
The botnet can still flood the host with SYN requests, ORPort connections, etc., but brute-force attacks on SSH are no longer a risk.
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Fr33d0m4all
Sent: Tuesday, October 3, 2017 11:03 PM
To: tor-relays@lists.torproject.org
Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address
Hi,
My Tor middle relay's public IP address is the victim of SSH brute-force connection attempts, and the attack has been going on for two weeks. It's not a problem: the server that is listening with SSH on the same IP address as my Tor relay blocks the connections and bans the IP addresses (with Fail2Ban), but I just wanted to know if there is some campaign of attacks being carried out against Tor relays. Are you experiencing the same? The attacks are carried out with a botnet, given the large number of different IP addresses that I see in the logs.
Best regards,
Fr33d0m4All
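
The setup described in the reply at the top of this thread, sketched as configuration fragments. This is an added example, not configuration posted by either participant. It assumes ORPort 9001, the paths shown, IPv4 only, a v3 onion service with client authorization standing in for "private, key-based", and OpenBSD netcat on the admin workstation; key and address values are placeholders.

```conf
# --- /etc/tor/torrc (relay host) ---
ORPort 9001                                # assumed relay port
SocksPort 127.0.0.1:9050                   # local SOCKS5 proxy, usable for package updates
HiddenServiceDir /var/lib/tor/ssh_admin/   # assumed path
HiddenServicePort 22 127.0.0.1:22          # onion port 22 -> local sshd
# Client authorization (assumption: v3 onion service). One file per admin:
#   /var/lib/tor/ssh_admin/authorized_clients/<name>.auth
# with the single line:
#   descriptor:x25519:<BASE32-PUBLIC-KEY-PLACEHOLDER>

# --- /etc/ssh/sshd_config (relay host) ---
ListenAddress 127.0.0.1                    # sshd no longer listens on the public IP
PasswordAuthentication no
PubkeyAuthentication yes

# --- /etc/nftables.conf (relay host, IPv4 only) ---
table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept                        # Tor -> sshd on loopback
    ct state established,related accept    # replies to outbound traffic, incl. NTP
    tcp dport 9001 accept                  # ORPort
    icmp type destination-unreachable icmp code 4 accept   # fragmentation required
  }
}

# --- ~/.ssh/config (admin workstation with a local Tor client) ---
Host relay-admin
    HostName <ONION-ADDRESS-PLACEHOLDER>.onion
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
```

With a stateful input chain the NTP replies are matched by the established rule, so no dedicated UDP 123 accept is needed. IPv6 would need its own table, including ICMPv6 neighbor discovery.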