I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
Has anyone else noticed a jump in abuse complaints?
Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
-- Kura
t: @kuramanga [https://twitter.com/kuramanga] w: https://kura.io/ g: @kura [http://git.io/kura]
On 01/04/2015 05:27 AM, Kura wrote:
> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
> Has anyone else noticed a jump in abuse complaints?
> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
Starting with December my exit relay is every few minutes flooded with port scan attempts of port 22, 80 and sometimes 443.
On 1/4/2015 5:02 AM, Toralf Förster wrote:
> On 01/04/2015 05:27 AM, Kura wrote:
>> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
>> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
>> Has anyone else noticed a jump in abuse complaints?
>> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
> Starting with December my exit relay is every few minutes flooded with port scan attempts of port 22, 80 and sometimes 443.
Aren't port scans from compromised machines in China common for any type of server connected to the Internet ever?
Regarding SSH I have only received complaints from sysads complaining about unauthorized connection attempts to port 22 getting caught in firewalls, sometimes even with no SSH service listening on port 22. Since I follow the exit guidelines with tor-exit-notice.html on DirPort, Reverse DNS etc., and the sysads don't even bother to do a reverse lookup before sending abuse complaints, I will not bother wasting my time on answering them. It is no secret how to properly secure internet-connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".
Apart from ssh brutes I have had a few autogenerated complaints from valuehost.ru.
On 4 January 2015 at 05:27, Kura kura@kura.io wrote:
> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
> Has anyone else noticed a jump in abuse complaints?
> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
> -- Kura
> t: @kuramanga w: https://kura.io/ g: @kura
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I should have specified that I was talking about brute force attempts against http servers, not SSH servers. I don't get any complaints about SSH brute force attempts.
Sent from my android device.
-----Original Message-----
From: usprey usprey@gmail.com
To: tor-relays@lists.torproject.org
Sent: Sun, 04 Jan 2015 10:32 am
Subject: Re: [tor-relays] Jump in brute force complaints
> Regarding SSH I have only received complaints from sysads complaining about unauthorized connection attempts to port 22 getting caught in firewalls, sometimes even with no SSH service listening on port 22. Since I follow the exit guidelines with tor-exit-notice.html on DirPort, Reverse DNS etc., and the sysads don't even bother to do a reverse lookup before sending abuse complaints, I will not bother wasting my time on answering them. It is no secret how to properly secure internet-connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".
> Apart from ssh brutes I have had a few autogenerated complaints from valuehost.ru.
> On 4 January 2015 at 05:27, Kura kura@kura.io wrote:
>> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
>> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
>> Has anyone else noticed a jump in abuse complaints?
>> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
>> -- Kura
>> t: @kuramanga w: https://kura.io/ g: @kura
On 4 January 2015 at 11:00, kura@kura.io wrote:
> I should have specified that I was talking about brute force attempts against http servers, not SSH servers. I don't get any complaints about SSH brute force attempts.
I have also had a spike these last few days, mainly against sysads running WordPress. I just send a standard reply...
On 2015-01-04 09:07, Daniel Case wrote:
> On 4 January 2015 at 11:00, kura@kura.io wrote:
>> I should have specified that I was talking about brute force attempts against http servers, not SSH servers. I don't get any complaints about SSH brute force attempts.
> I have also had a spike these last few days, mainly against sysads running WordPress. I just send a standard reply...
I find these come in short waves. In my case, they're also about claimed (and probably accurately so) activity from one relay, but not from another relay that also exits to port 80.
Perhaps at least one someone is running scans, and explicitly selecting one particular relay or set of relays rather than letting Tor pick randomly.
Richard
On 2015-01-04 03:31, usprey wrote:
> and the sysads don't even bother to do a reverse lookup before sending abuse complaints, I will not bother wasting my time on answering them. It is no secret how to properly secure internet-connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".
We send a standard response that attempts to explain in a friendly manner that they're seeing traffic from a Tor exit node, which is used, critically, by regular computer users who need privacy. The message also gives suggestions for protecting their systems against the frequent attacks from compromised (non-Tor) systems.
We do put some reporters in the ignore bin, however. This typically happens after they suggest extortion, make threats, or continue to send automated reports in a manner that indicates they're not able to act upon the replies. There's simply no engagement possibility with such, so our continuing to respond will just be a waste of others' resources.
Richard