Hi, my Tor middle relay's public IP address is the target of SSH brute force connection attempts, and the attack has been going on for two weeks. It's not a problem: the server listening with SSH on the same IP address as my Tor relay blocks the connections and bans the IP addresses (with Fail2Ban), but I just wanted to know whether there is some campaign of attacks being carried out against Tor relays... are you experiencing the same? The attacks are carried out with a botnet, given the large number of different IP addresses that I see in the logs.
Best regards, Fr33d0m4All
I have set up a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open ports to attack.
If you also take advantage of package updates over Tor (via the local SOCKS5 proxy that any Tor instance provides) the only non-OR incoming traffic you need to allow is an occasional NTP (UDP) time sync, plus ICMP 3/4 (fragmentation required). If you drop everything else, fail2ban becomes unnecessary.
The botnet can still flood the host with SYN requests, ORPort connections, etc. but brute-force attacks on SSH are no longer a risk.
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Fr33d0m4all Sent: Tuesday, October 3, 2017 11:03 PM To: tor-relays@lists.torproject.org Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address
On 4 Oct 2017, at 02:26, Igor Mitrofanov igor.n.mitrofanov@gmail.com wrote:
I have setup a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open ports to attack.
If you also take advantage of package updates over Tor (via the local SOCKS5 proxy that any Tor instance provides)
We don't recommend that you run a client and hidden service on the same tor instance. It makes traffic correlation easier, because your traffic all goes through the same guard. (There are probably some other reasons, too.)
Depending on your threat model, this might not be an issue for you.
T
-- Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n ------------------------------------------------------------------------
The instance I use for administrative purposes (SSH and APT) is a separate one, client-only.
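The layout Igor describes, with the split teor asks for, as an added example (not Igor's or the Tor Project's own configuration): one tor instance runs the relay and hosts the onion service in front of sshd, a second client-only instance provides the SOCKS port that apt uses, sshd binds to loopback only, and the host firewall drops everything except the ORPort, ICMP fragmentation-needed and conntrack-tracked replies (which is what lets the NTP answers in). The ORPort, SocksPort, directory layout and admin account name are assumptions; the script writes everything under a prefix directory so it can be reviewed before anything is copied into /etc. It assumes a tor with v3 onion services (0.3.5 or later) and apt 1.5 or later for the socks5h proxy.

```shell
#!/bin/sh
# Added example (not Igor's or the Tor Project's configuration): generate the
# files for a relay host whose sshd is reachable only through an onion
# service, with a second, client-only tor instance for apt. Nothing is written
# to /etc: everything lands under $PREFIX (default: a fresh temp dir) so it
# can be reviewed first. Ports, paths and the account name are assumptions.
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"
ORPORT="${ORPORT:-9001}"                 # assumed ORPort
SOCKS_PORT="${SOCKS_PORT:-9050}"         # assumed SocksPort of the client instance
ADMIN_USER="${ADMIN_USER:-relayadmin}"   # assumed low-privilege admin account

# Instance "relay": carries OR traffic and hosts the onion service in front of
# sshd. SocksPort 0 means it is never used as a client, which is the split
# teor asks for. The onion is kept private with v3 client authorization: one
# <name>.auth file per admin key goes into ssh_onion/authorized_clients/
# (contents "descriptor:x25519:<base32 public key>"), so nobody else can even
# decrypt the descriptor.
write_relay_torrc() {
    mkdir -p "$PREFIX/etc/tor/instances/relay"
    cat > "$PREFIX/etc/tor/instances/relay/torrc" <<EOF
DataDirectory /var/lib/tor-instances/relay
ORPort $ORPORT
SocksPort 0
ExitRelay 0
HiddenServiceDir /var/lib/tor-instances/relay/ssh_onion
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Instance "client": no ORPort, so it only ever builds client circuits and
# never shares a guard with the relay's traffic. apt uses its SocksPort.
write_client_torrc() {
    mkdir -p "$PREFIX/etc/tor/instances/client"
    cat > "$PREFIX/etc/tor/instances/client/torrc" <<EOF
DataDirectory /var/lib/tor-instances/client
SocksPort 127.0.0.1:$SOCKS_PORT
EOF
}

# apt 1.5 or later speaks socks5h directly (DNS is resolved by tor, so no
# leak). This covers http sources only; https sources are not handled here.
write_apt_proxy() {
    mkdir -p "$PREFIX/etc/apt/apt.conf.d"
    cat > "$PREFIX/etc/apt/apt.conf.d/90tor" <<EOF
Acquire::http::Proxy "socks5h://127.0.0.1:$SOCKS_PORT/";
EOF
}

# sshd binds to loopback only; the onion service delivers to it there.
# Key-only login and a single allowed user stay in place as defence in depth.
write_sshd_dropin() {
    mkdir -p "$PREFIX/etc/ssh/sshd_config.d"
    cat > "$PREFIX/etc/ssh/sshd_config.d/10-onion-only.conf" <<EOF
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
AllowUsers $ADMIN_USER
EOF
}

# Host firewall (iptables-restore format). Inbound: loopback, replies to our
# own connections (conntrack tracks UDP, so this admits the NTP answers), the
# ORPort, and ICMP type 3 code 4 for path MTU discovery. There is
# deliberately no rule for port 22: nothing on the public address listens on
# it any more, so there is nothing left for fail2ban to watch.
write_firewall() {
    mkdir -p "$PREFIX/etc/iptables"
    cat > "$PREFIX/etc/iptables/rules.v4" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ORPORT -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
COMMIT
EOF
}

write_all() {
    write_relay_torrc; write_client_torrc; write_apt_proxy
    write_sshd_dropin; write_firewall
    echo "$PREFIX"
}

write_all
```

The paths follow the layout that Debian's tor-instance-create uses for named instances (an assumption about the packaging). An IPv6 host needs the same ruleset in ip6tables-restore form, with ICMPv6 packet-too-big in place of fragmentation-needed. The admin workstation reaches sshd with its own tor and a ProxyCommand to the onion address; that side is not shown here.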
This happens to any machine with an open ssh port on the internet. Just set up ssh keys for login, disable password auth, and ignore the fruitless attempts. I personally don't bother with f2b. The only time I ever bother blocking attackers is if I'm trying to live view my logs and the attacks are polluting my view. Otherwise it's not worth my time.
--Sean
-------- Original Message -------- On 4 Oct 2017, 07:02, Fr33d0m4all wrote: Hi, My Tor middle relay public IP address is victim of SSH brute force connections’ attempts
Welcome to the Internet!
Any Internet connected machine will be port scanned, vuln probed, brute forced, blindly hit with ancient "1 shot" exploits (think wordpress plugins) and trawled for include vulnerabilities (e.g. ?file=../../../etc/passwd ) on a daily basis.
It's not normally something to worry about.
Disable root login, enable certificate authentication and if you feel particularly strongly about the log noise firewall off TCP/22 or move sshd to a high numbered port.
I know, I know how the internet works :) I've just simply noted a large increase in SSH brute force attempts in the last two weeks. BTW I don't have root login enabled, and I have two-factor authentication on my SSH port (not the standard one), which is enabled only for a single low-privilege user, so there's no problem. I work for a provider and I manage IPS devices, so I know that it is common to see a large number of intrusion attempts; I was just wondering if there was some attack against Tor nodes going on, given the increase of intrusion attempts in the last few weeks :)
Best regards, Fr33d0m4All
On 4 Oct 2017, at 08:35, Gareth Llewellyn gareth@networksaremadeofstring.co.uk wrote:
On 04/10/17 at 08:41, Fr33d0m4all wrote:
Also, you could consider pam-abl (auto blacklisting) instead of fail2ban. Relying on PAM, it doesn't need to process the logs to ban hosts or users.
On 4 October 2017 at 08:41, Fr33d0m4all fr33d0m4all@riseup.net wrote:
I know, I know about how internet works :) I’ve just simply noted a large
increase in SSH brute force attempts in the last two weeks. BTW I don’t have root login enabled and I have two factor authentication on my SSH port (not standard),
I also get a lot of ssh brute force attempts, but then I drink some hot chocolate and all my worries go away :-) However, I am running ssh on port 22, so I do expect a lot of brute force attempts.
I do find it a bit strange if you are running ssh on another port and still get many brute force attempts.
Just curious: how many brute force attempts per day, approximately? A few thousand?
Regards Martin
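The counting Martin asks about, done from the shell over a constructed sshd auth log, as an added example that is not code from any poster: failed attempts per day, distinct source addresses per day (the many-sources pattern the original post reads as a botnet), the busiest sources, and a fail2ban-style check for sources that reach a maxretry threshold within a minute, which is what the original poster's Fail2Ban jail evaluates before it bans. The log lines are made up for the example (TEST-NET addresses, October 2017 timestamps) in the syslog format OpenSSH writes on Debian; the per-minute bucket is an approximation of fail2ban's sliding findtime window.

```shell
#!/bin/sh
# Added example (not any poster's code): count sshd brute-force activity from
# a syslog-style auth log, the way fail2ban's sshd filter sees it.
# The log below is constructed for this example with TEST-NET addresses.
set -eu

SAMPLE_LOG='Oct  3 23:01:12 relay sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct  3 23:01:15 relay sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51238 ssh2
Oct  3 23:02:40 relay sshd[1210]: Failed password for root from 203.0.113.9 port 40012 ssh2
Oct  3 23:02:41 relay sshd[1210]: Failed password for root from 203.0.113.9 port 40013 ssh2
Oct  3 23:02:42 relay sshd[1210]: Failed password for root from 203.0.113.9 port 40014 ssh2
Oct  3 23:05:00 relay sshd[1222]: Accepted publickey for relayadmin from 192.0.2.10 port 55001 ssh2
Oct  4 00:10:03 relay sshd[1301]: Failed password for invalid user pi from 198.51.100.23 port 33001 ssh2
Oct  4 00:10:09 relay sshd[1305]: Failed password for invalid user oracle from 198.51.100.44 port 33090 ssh2
Oct  4 00:11:30 relay sshd[1309]: Invalid user test from 198.51.100.51 port 33120
Oct  4 00:11:33 relay sshd[1309]: Failed password for invalid user test from 198.51.100.51 port 33120 ssh2
Oct  4 00:11:35 relay sshd[1309]: Failed password for invalid user test from 198.51.100.51 port 33120 ssh2'

# One record per failed attempt: "<Mon> <day> <HH:MM> <source>". Only
# "Failed password" lines count; the "Invalid user" line that precedes one of
# them belongs to the same connection and would double count.
attempts() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            print $1, $2, substr($3, 1, 5), ip
        }'
}

# Failed attempts per day, in the order the days appear.
failed_per_day() {
    attempts "$1" | awk '
        { d = $1 " " $2; if (!(d in n)) order[++k] = d; n[d]++ }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# Distinct sources per day. Many sources with a few tries each is the
# pattern the original post reads as a botnet.
sources_per_day() {
    attempts "$1" | awk '
        { d = $1 " " $2; key = d SUBSEP $4
          if (!(d in n)) { order[++k] = d; n[d] = 0 }
          if (!(key in seen)) { seen[key] = 1; n[d]++ } }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }'
}

# Busiest sources: "<attempts> <source>", top N.
top_sources() {
    attempts "$1" | awk '{ n[$4]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn -k1,1 | head -n "$2"
}

# Sources with at least $2 failures inside one clock minute: the same idea as
# a fail2ban jail with maxretry=$2 and findtime=60 (fail2ban slides its
# window; bucketing by minute is the conservative approximation).
burst_sources() {
    attempts "$1" | awk -v max="$2" '
        { c[$4 SUBSEP $3]++ }
        END { for (k in c) if (c[k] >= max) { split(k, p, SUBSEP); print p[1] } }' \
        | sort -u
}

echo 'failed attempts per day:';   failed_per_day "$SAMPLE_LOG"
echo 'distinct sources per day:';  sources_per_day "$SAMPLE_LOG"
echo 'busiest sources:';           top_sources "$SAMPLE_LOG" 3
echo 'would be banned (3/min):';   burst_sources "$SAMPLE_LOG" 3
```

Against a real host, pass the file contents instead of the sample, for instance `failed_per_day "$(cat /var/log/auth.log)"`; on journald systems `journalctl -u ssh -o short` yields the same field layout. The ratio of attempts to distinct sources is the number to watch: a handful of sources each making hundreds of attempts is one tool, hundreds of sources each making two or three is the botnet the original post describes, and fail2ban's per-source threshold is much less effective against the latter.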
Hi,
Could it help to use iptables to limit connections to 3 attempts per minute, or to use Fail2ban?
Regards
Tom
On 10/04/2017 01:07 PM, Martin Møller Skarbiniks Pedersen wrote:
I restrict SSH access with iptables allowing only access from two IP addresses (work, and home). I also disable root login (as many already do), as well as use the AllowUsers option in SSH.
regards, Robin
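The public-port alternative the thread describes, as an added example that is not any poster's own configuration: Sean's and Gareth's sshd settings (root login off, key-only login, optionally a moved port), Robin's source-address allowlist with AllowUsers, and Tom's per-source connection limit expressed as an iptables hashlimit rule, for a relay that keeps sshd on its public address rather than behind an onion service. The addresses, port, ORPort and account name are assumptions; the script writes under a prefix directory so the output can be reviewed before it goes to /etc, and the sshd drop-in directory assumes OpenSSH 8.2 or later.

```shell
#!/bin/sh
# Added example (not any poster's own setup): a public sshd hardened the way
# the thread suggests, plus two firewall variants for it. Files are written
# under $PREFIX (default: a fresh temp dir) for review, never into /etc.
# Addresses, port and account name below are assumptions.
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"
ORPORT="${ORPORT:-9001}"                                        # assumed ORPort
SSH_PORT="${SSH_PORT:-2222}"                                    # assumed moved port: cuts log noise, nothing more
ADMIN_USER="${ADMIN_USER:-relayadmin}"                          # assumed single admin account
ALLOWED_SOURCES="${ALLOWED_SOURCES:-192.0.2.10 198.51.100.200}" # assumed home and work addresses

# sshd drop-in (OpenSSH 8.2+ reads /etc/ssh/sshd_config.d/*.conf by default).
# With AuthenticationMethods publickey a guessed password is never evaluated,
# so the botnet's attempts cannot succeed; they only fill the log. A PAM
# second factor like the original poster's would use
# "AuthenticationMethods publickey,keyboard-interactive" instead.
write_sshd_dropin() {
    mkdir -p "$PREFIX/etc/ssh/sshd_config.d"
    out="$PREFIX/etc/ssh/sshd_config.d/10-hardening.conf"
    cat > "$out" <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers $ADMIN_USER
MaxAuthTries 3
LoginGraceTime 20
EOF
    echo "$out"
}

# iptables-restore ruleset. Default drop; ORPort and path-MTU ICMP stay open.
# "allowlist": only the listed sources may reach sshd (Robin's setup), so
#   there is nothing left for fail2ban to ban.
# "ratelimit": anyone may try, but a source gets at most 3 new connections
#   per minute (Tom's suggestion); the rest fall through to the DROP policy.
write_firewall() {
    mode="$1"
    mkdir -p "$PREFIX/etc/iptables"
    out="$PREFIX/etc/iptables/rules.$mode.v4"
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo "-A INPUT -p tcp --dport $ORPORT -j ACCEPT"
        echo '-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
        case "$mode" in
            allowlist)
                for src in $ALLOWED_SOURCES; do
                    echo "-A INPUT -p tcp -s $src --dport $SSH_PORT -j ACCEPT"
                done ;;
            ratelimit)
                echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW" \
                     "-m hashlimit --hashlimit-name ssh --hashlimit-mode srcip" \
                     "--hashlimit-upto 3/minute --hashlimit-burst 3 -j ACCEPT" ;;
            *) echo "unknown mode: $mode" >&2; return 1 ;;
        esac
        echo 'COMMIT'
    } > "$out"
    echo "$out"
}

write_sshd_dropin
write_firewall allowlist
write_firewall ratelimit
```

The allowlist variant is the stronger of the two: it removes sshd from the attack surface for everyone but the two addresses, at the cost of being locked out when travelling. The ratelimit variant keeps sshd reachable and only slows a single source down; against a botnet spreading its attempts over many addresses it does little, which is why key-only authentication in the sshd drop-in is the part that actually matters.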
On Wed, Oct 04, 2017 at 02:32:10PM +0100, Robin wrote: :I restrict SSH access with iptables allowing only access from two IP addresses (work, and home). :I also disable root login (as many already do), as well as use the AllowUsers option in SSH.
Hard for me to tell if my Tor nodes get any more scans, because I have a similar IP-restricted setup.
I can say a public login system that I run currently has 144 hosts blacklisted by sshguard, which means they've failed a number of login attempts and at least one in the past 2 minutes; not sure what the average size of that list is, but that subjectively seems normalish.
Someone did apparently try to DoS my exit a couple of weeks ago and Akamai/Prolexic (contracted by my upstream provider, so I had no contacts) helpfully "mitigated" this by null routing the whole /24 it was on :( This is more a fight between me and my provider, but I still have no response on what triggered that, so I can't provide any more detail; it just eventually went away on its own.
-Jon