Jump in brute force complaints

I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes. I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.

Has anyone else noticed a jump in abuse complaints?

Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.

--
Kura
t: @kuramanga [https://twitter.com/kuramanga]
w: https://kura.io/
g: @kura [http://git.io/kura]

On 01/04/2015 05:27 AM, Kura wrote:
> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
> Has anyone else noticed a jump in abuse complaints?
> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.

Starting with December, my exit relay is flooded every few minutes with port scan attempts on ports 22, 80 and sometimes 443.

--
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 0076 E94E

On 1/4/2015 5:02 AM, Toralf Förster wrote:
> Starting with December, my exit relay is flooded every few minutes with port scan attempts on ports 22, 80 and sometimes 443.

Aren't port scans from compromised machines in China common for any type of server connected to the Internet ever?

Regarding SSH, I have only received complaints from sysads complaining about unauthorized connection attempts to port 22 getting caught in firewalls, sometimes even with no SSH service listening on port 22.

Since I follow the exit guidelines with tor-exit-notice.html on DirPort, Reverse DNS etc., and the sysads don't even bother to do a reverse lookup before sending abuse complaints, I will not bother wasting my time on answering them. It is no secret how to properly secure internet-connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".

Apart from SSH brutes I have had a few autogenerated complaints from valuehost.ru.

On 4 January 2015 at 05:27, Kura <kura@kura.io> wrote:
> I've noticed a rather large jump in abuse emails from admins about brute force attempts coming from my exit nodes.
> I've had a handful of these in the past, as you'd expect, but now they are arriving multiple times a day, some automated emails, some not.
> Has anyone else noticed a jump in abuse complaints?
> Curious as to whether it's a spike in the network being used for abuse, more admins reading logs or just my luck.
> -- Kura
> t: @kuramanga w: https://kura.io/ g: @kura
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

I should have specified that I was talking about brute force attempts against http servers, not SSH servers. I don't get any complaints about SSH brute force attempts.

Sent from my android device.

-----Original Message-----
From: usprey <usprey@gmail.com>
To: tor-relays@lists.torproject.org
Sent: Sun, 04 Jan 2015 10:32 am
Subject: Re: [tor-relays] Jump in brute force complaints

Regarding SSH, I have only received complaints from sysads complaining about unauthorized connection attempts to port 22 getting caught in firewalls, sometimes even with no SSH service listening on port 22.

Since I follow the exit guidelines with tor-exit-notice.html on DirPort, Reverse DNS etc., and the sysads don't even bother to do a reverse lookup before sending abuse complaints, I will not bother wasting my time on answering them. It is no secret how to properly secure internet-connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".

Apart from SSH brutes I have had a few autogenerated complaints from valuehost.ru.

On 4 January 2015 at 11:00, <kura@kura.io> wrote:
> I should have specified that I was talking about brute force attempts against http servers, not SSH servers. I don't get any complaints about SSH brute force attempts.

I have also had a spike these last few days, mainly against sysads running WordPress. I just send a standard reply...

On 2015-01-04 09:07, Daniel Case wrote:
> I have also had a spike these last few days, mainly against sysads running WordPress. I just send a standard reply...

I find these come in short waves. In my case, they're also about claimed (and probably accurately so) activity from one relay, but not from another relay that also exits to port 80. Perhaps at least one someone is running scans, and explicitly selecting one particular relay or set of relays rather than letting Tor pick randomly.

Richard

On 2015-01-04 03:31, usprey wrote:
> and the sysads don't even bother to do a reverse lookup before sending abuse complaints I will not bother wasting my time on answering them. It is no secret how to properly secure internet connected systems, and in all cases their firewalls etc. obviously work, so my message to them, if any, would be "Welcome to the internet...".

We send a standard response that attempts to explain in a friendly manner that they're seeing traffic from a Tor exit node, which is used, critically, by regular computer users who need privacy. The message also gives suggestions for protecting their systems against the frequent attacks from compromised (non-Tor) systems.

We do put some reporters in the ignore bin, however. This typically happens after they suggest extortion, make threats, or continue to send automated reports in a manner that indicates they're not able to act upon the replies. There's simply no engagement possibility with such, so our continuing to respond will just be a waste of others' resources.

Richard

participants (7): Daniel Case, Kura, kura@kura.io, Luis, Richard Johnson, Toralf Förster, usprey