Blocking Domains

older
Stats not updated for several days?

Tristan

31 Oct 2016 31 Oct '16

12:55 p.m.

Is it possible to block domain names in Tor's ExitPolicy? I've been getting abuses on *.panelboxmanager.com, and I'd like to be proactive about this if possible.

Attachments:

attachment.html (text/html — 233 bytes)

Show replies by date

Jason Jung

31 Oct 31 Oct

8:38 p.m.

You need to block them via IP address. Do a DNS lookup of the domain in question if the e-mail doesn't contain it. On Mon, Oct 31, 2016 at 07:55:43AM -0500, Tristan wrote:

...

-- Jason Jung 7942 B145 5E45 1D53 37C8 1204 8DA4 A1DB CBE6 35AE

SuperSluether

8:42 p.m.

They give me the IP address to block. The problem is yesterday it was on s01.panelboxmanager.com. Today it was s502.panelboxmanager.com. I was hoping for a way to block all sub-domains of panelboxmanager.com to prevent further abuse on that particular network. Guess I'll keep going per-IP for now. On 10/31/2016 03:38 PM, Jason Jung wrote:

...

teor

1 Nov 1 Nov

10:35 a.m.

...

If you run a local caching resolver, you can tell it not to answer requests for these domains. (Or, more precisely, answer them with NXDOMAIN.) And you should block the IP addresses for the netblock in your exit policy as well, so the blocking is at least somewhat transparent. T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------------

Diarmaid McManus

11:27 a.m.

I wouldn't recommend blocking at the DNS level, as this could flag your exit with a BADEXIT for modifying traffic. The current official way to do this is through the exit policy, but this is in a configuration file. *Relay Operators*: is there a way to dynamically update the exit policy as a relay is running? On 1 November 2016 at 10:35, teor <teor2345@gmail.com> wrote:

...

Ralph Seichter

11:37 a.m.

On 01.11.2016 12:27, Diarmaid McManus wrote:

...

is there a way to dynamically update the exit policy as a relay is running?

There is. Change configuration file on-disk, then send a HUP signal to Tor process. Does anybody have a suggestion on how best to figure out which address ranges are owned by panelboxmanager.com? Complaints seem to come in for all sorts of addresses. -Ralph

Michael Armbruster

11:46 a.m.

On 2016-11-01 at 12:37, Ralph Seichter wrote:

...

According to the whois of their IP address for panelboxmanager.com, I got the following two subnets: Panelbox IWEB--72-55-186-0-24 (NET-72-55-186-0-1) 72.55.186.0 - 72.55.186.255 iWeb Technologies Inc. IWEB-BLK-03 (NET-72-55-128-0-1) 72.55.128.0 - 72.55.191.255 Best, Michael

hwertiout695

11:56 a.m.

Hi Ralph, Ralph Seichter <tor-relays-ml@horus-it.de> schrieb am Di., 1. Nov. 2016 um 12:37 Uhr:

...

`whois 72.55.186.5` leads to https://whois.arin.net/rest/org/PANEL-2/nets: PANELBOX-14 (NET-67-205-125-0-1 <https://whois.arin.net/rest/net/NET-67-205-125-0-1.html>) 67.205.125.0 - 67.205.125.255 PANELBOX-07 (NET-108-163-147-0-1 <https://whois.arin.net/rest/net/NET-108-163-147-0-1.html>) 108.163.147.0 - 108.163.147.255 PANELBOX-08 (NET-184-107-101-0-1 <https://whois.arin.net/rest/net/NET-184-107-101-0-1.html>) 184.107.101.0 - 184.107.101.255 PANELBOX-09 (NET-184-107-116-0-1 <https://whois.arin.net/rest/net/NET-184-107-116-0-1.html>) 184.107.116.0 - 184.107.116.255 PANELBOX-10 (NET-198-72-104-0-1 <https://whois.arin.net/rest/net/NET-198-72-104-0-1.html>) 198.72.104.0 - 198.72.104.255 PANELBOX-11 (NET-72-55-152-240-1 <https://whois.arin.net/rest/net/NET-72-55-152-240-1.html>) 72.55.152.240 - 72.55.152.255 PANELBOX-12 (NET-108-163-128-64-1 <https://whois.arin.net/rest/net/NET-108-163-128-64-1.html>) 108.163.128.64 - 108.163.128.127 PANELBOX-06 (NET-70-38-127-64-1 <https://whois.arin.net/rest/net/NET-70-38-127-64-1.html>) 70.38.127.64 - 70.38.127.127 PANELBOX-13 (NET-184-107-111-96-1 <https://whois.arin.net/rest/net/NET-184-107-111-96-1.html>) 184.107.111.96 - 184.107.111.127 PANELBOX-13 (NET-209-172-50-32-1 <https://whois.arin.net/rest/net/NET-209-172-50-32-1.html>) 209.172.50.32 - 209.172.50.63 PANELBOX-04 (NET-174-142-230-0-1 <https://whois.arin.net/rest/net/NET-174-142-230-0-1.html>) 174.142.230.0 - 174.142.230.255 PANELBOX-05 (NET-184-107-100-0-1 <https://whois.arin.net/rest/net/NET-184-107-100-0-1.html>) 184.107.100.0 - 184.107.100.255 PANELBOX-03 (NET-67-205-105-0-1 <https://whois.arin.net/rest/net/NET-67-205-105-0-1.html>) 67.205.105.0 - 67.205.105.255 PANELBOX-02 (NET-67-205-90-240-1 <https://whois.arin.net/rest/net/NET-67-205-90-240-1.html>) 67.205.90.240 - 67.205.90.255 IWEB--72-55-186-0-24 (NET-72-55-186-0-1 <https://whois.arin.net/rest/net/NET-72-55-186-0-1.html>) 72.55.186.0 - 72.55.186.255 HTH Sven

Ralph Seichter

12:32 p.m.

On 01.11.2016 12:56, hwertiout695 wrote:

...

https://whois.arin.net/rest/org/PANEL-2/nets [...]

This appears to be the most comprehensive list of assigned networks I have seen so far for panelboxmanager.com; thank you. -Ralph

SuperSluether

2:54 p.m.

So, I tried putting the IPs into my exit policy like this: xx.xx.xx.xx-xx.xx.xx:* But Tor doesn't like that syntax. What's the correct way to block address ranges in the exit policy? On 11/01/2016 07:32 AM, Ralph Seichter wrote:

...

teor

2:57 p.m.

...

The man page is your friend: ExitPolicy policy,policy,... Set an exit policy for this server. Each policy is of the form "accept[6]|reject[6]ADDR[/MASK][:PORT]". If /MASK is omitted then this policy just applies to the host given. PORT can be a single port number, an interval of ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted, that means "*". --

...

T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------------

Tristan

3:01 p.m.

So what mask would I use then? I've been trying to wrap my head around it, but I just don't understand what /24 means, or how it's different from /27 or any other number. On Nov 1, 2016 9:58 AM, "teor" <teor2345@gmail.com> wrote:

...

Tristan

3:06 p.m.

Wow this is confusing. If I'm understanding this correctly, 0.0.0.0/24 would mean any address from 0.0.0.0 to 0.0.0.255, correct? On Nov 1, 2016 10:01 AM, "Tristan" <supersluether@gmail.com> wrote:

...

teor

3:10 p.m.

...

On 2 Nov. 2016, at 02:01, Tristan <supersluether@gmail.com> wrote:

So what mask would I use then? I've been trying to wrap my head around it, but I just don't understand what /24 means, or how it's different from /27 or any other number.

You have a list in IP-IP (IP range) format, and you want to convert it into IP/Mask (CIDR) format. Here is a tool that will do that: http://ipaddressguide.com/cidr If you want to learn more, or check the tool's work: https://en.wikipedia.org/wiki/CIDR_notation

...

On 2 Nov. 2016, at 02:06, Tristan <supersluether@gmail.com> wrote:

Wow this is confusing. If I'm understanding this correctly, 0.0.0.0/24 would mean any address from 0.0.0.0 to 0.0.0.255, correct?

Yes. Imagine each of the numbers in an IPv4 address is a byte. Put them together, you have 32 bits. Count each bit starting from 1, and when you reach the mask number, the IP range is all the possible combinations of all the remaining bits. Tim

...

On Nov 1, 2016 9:58 AM, "teor" <teor2345@gmail.com> wrote:

...
On 2 Nov. 2016, at 01:54, SuperSluether <supersluether@gmail.com> wrote:

So, I tried putting the IPs into my exit policy like this:

xx.xx.xx.xx-xx.xx.xx:*

But Tor doesn't like that syntax. What's the correct way to block address ranges in the exit policy?

The man page is your friend:

ExitPolicy policy,policy,... Set an exit policy for this server. Each policy is of the form "accept[6]|reject[6]ADDR[/MASK][:PORT]". If /MASK is omitted then this policy just applies to the host given.

PORT can be a single port number, an interval of ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted, that means "*".

--

...
On 11/01/2016 07:32 AM, Ralph Seichter wrote:

...
On 01.11.2016 12:56, hwertiout695 wrote:

...
https://whois.arin.net/rest/org/PANEL-2/nets [...] This appears to be the most comprehensive list of assigned networks I have seen so far for panelboxmanager.com; thank you.

-Ralph _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

T

-- Tim Wilson-Brown (teor)

teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------------

_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

3151

Age (days ago)

3152

Last active (days ago)

List overview

Download

13 comments

8 participants

participants (8)

Diarmaid McManus
hwertiout695
Jason Jung
Michael Armbruster
Ralph Seichter
SuperSluether
teor
Tristan