Hello, I need some advice on a situation new to me. I operate a VPS exit node in Romania, a VPS guard node in the Czech Republic, a middle node and bridge in the US. All are SSH public key authentication protocol 2. Over the last 5 weeks all of these servers have been under attack by IPs in the range 43.229.52.00 to 43.229.55.255. Maybe 24 different IP addresses. I have contacted the operator in Hong Kong on four different occasions but I've received no relief from the attempted attacks nor have they communicated back to me--as I have requested. Attack counts are in the 100,000s. I have no personal information stored on any of these servers--only public info via Tor is available. And then, how the hell did they get the address of my bridge? I see break-in attempts all the time but never at this volume. The break-in attempts have been thwarted to date and will probably remain so. But I find the situation disconcerting and irritating. Should I ignore these efforts? Should I send abuse reports to someone? Who? Any sage advice out there? Did I give away any secure info just now? lol LB
Hi LB,
SSH attacks happen 24/7 and are just stupid brute force mostly without any reason. You already set up key auth and hopefully disabled password auth.
You can block brute force by setting up a log watcher like fail2ban. That application follows the auth.log file on your server and adds an iptables rule to drop the traffic from the attacker.
~Josef
On 22.10.2015 at 21:13 Larry Brandt wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
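As an added illustration of the log-watcher approach Josef describes (this is not code from the thread or from fail2ban itself), a small Python watcher that counts sshd failures per source IP over a sliding window, the way fail2ban's maxretry/findtime settings do, and emits the iptables DROP rules a ban would install. The auth.log lines are constructed, the year 2015 and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure lines as sshd writes them to auth.log (syslog format, no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one burst from the 43.229.52.0/22 range named in the
# thread, one stray failure and a key-based login from an operator address.
SAMPLE_AUTH_LOG = """\
Oct 22 21:01:02 guard sshd[4821]: Failed password for root from 43.229.53.17 port 40112 ssh2
Oct 22 21:01:05 guard sshd[4823]: Invalid user admin from 43.229.53.17
Oct 22 21:01:07 guard sshd[4825]: Failed password for invalid user admin from 43.229.53.17 port 40118 ssh2
Oct 22 21:01:09 guard sshd[4827]: Failed password for root from 43.229.53.17 port 40120 ssh2
Oct 22 21:01:11 guard sshd[4829]: Failed password for root from 43.229.53.17 port 40124 ssh2
Oct 22 21:03:30 guard sshd[4901]: Failed password for lb from 198.51.100.7 port 51000 ssh2
Oct 22 21:40:00 guard sshd[5102]: Accepted publickey for lb from 198.51.100.7 port 51010 ssh2
"""

def parse_ts(ts, year=2015):
    # syslog timestamps carry no year; assume the year of the thread
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures in a findtime-second window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # expire failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned

def iptables_rules(banned):
    # The DROP rules a fail2ban iptables action would insert, one per banned source.
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
```

The single failure from the operator's own address never reaches maxretry, so only the brute-forcing source is banned; raising maxretry or shrinking findtime changes that outcome as fail2ban's settings would.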
On 10/22/2015 09:29 PM, Josef Stautner wrote:
Hi LB,
SSH attacks happen 24/7 and are just stupid brute force mostly without any reason.
The most stupid of them you can avoid/ignore by just choosing an SSH port != 22.
-- Toralf, pgp key: C4EACDDE 0076E94E