[tor-bugs] #17451 [Tor]: Tor controller [ControlPort] - bruteforce defence measures & detailed logging

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 29 15:58:36 UTC 2015


#17451: Tor controller [ControlPort] - bruteforce defence measures & detailed
logging
-----------------------------+------------------------------
     Reporter:  programings  |      Owner:
         Type:  enhancement  |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor          |    Version:  Tor: unspecified
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+------------------------------
 Sometimes, as a relay operator, you should open your ControlPort to the
 world, because of various reasons - SSH is not always an option, you have
 an application that implements the Tor control protocol and it should
 control your OR remotely, etc.

 When this happens, the current controller implementation doesn't have any
 mechanism to prevent bruteforcing of the HashedControlPassword or the
 authentication cookie, and also the hypothetical attacker will remain
 completely anonymous (in the general case, a possible solution is to have
 another service monitoring the sockets and log the remote IP), because Tor
 doesn't log any data about him or her, like the IP address, for example.
 Because of this behaviour, you also can't use software like fail2ban to
 ban the attackers based on the logged failed attempts.

 Given all this, even with a strong enough passphrase, it becomes easy to
 break through the authentication and do a lot of bad things.

 Tor should have a configuration directive to specify a limit of the number
 of allowed attempts when ControlPort socket is non-local. When the
 threshold is reached, Tor should block future attempts from this IP for a
 certain period of time.

 The detailed logging will allow the use of other software to take care in
 depth.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17451>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
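The policy the ticket asks for (count failed AUTHENTICATE attempts per remote IP, ban that IP for a while once a threshold is reached, and log each failure with the IP so fail2ban can act on it) is small enough to show in full. The block below is an added example, not Tor's code and not something from the ticket; it is written as the "another service monitoring the sockets" workaround the reporter mentions, i.e. the decision logic a small TCP relay in front of a local ControlPort would call for every client line and every Tor reply. The only protocol facts it relies on are the control-protocol reply codes 250 (OK) and 515 (authentication failed); the class, method and parameter names, the relay itself, and the transcript it replays are all assumptions made up for the illustration.

```python
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("controlport-guard")

# Tor control protocol reply codes: 250 = OK, 515 = Bad authentication.
REPLY_OK = "250"
REPLY_AUTH_FAILED = "515"


class AuthLockout:
    """Count failed AUTHENTICATE replies per remote IP and ban repeat offenders.

    Hypothetical helper for a relay in front of ControlPort (not Tor code).
    `clock` is injectable so the policy can be exercised without sleeping.
    """

    def __init__(self, max_attempts=5, window=60.0, ban_seconds=600.0,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.ban_seconds = ban_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> clock value when the ban ends
        self._awaiting_auth = set()          # ips with an AUTHENTICATE in flight

    def is_banned(self, ip):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:            # ban expired: forget the history
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def observe_command(self, ip, line):
        """Feed one line the client at `ip` sent toward Tor."""
        if line.split(" ", 1)[0].upper() == "AUTHENTICATE":
            self._awaiting_auth.add(ip)

    def observe_reply(self, ip, line):
        """Feed one reply line Tor sent back to `ip`.

        Returns "ok", "failed" or "banned" for the reply to an AUTHENTICATE,
        else None. Replies to other commands (PROTOCOLINFO is allowed before
        authentication) are ignored, so interleaving them cannot reset the
        counter.
        """
        if ip not in self._awaiting_auth:
            return None
        self._awaiting_auth.discard(ip)
        code = line[:3]
        if code == REPLY_OK:
            self._failures.pop(ip, None)     # success clears the failure history
            return "ok"
        if code != REPLY_AUTH_FAILED:
            return None
        now = self.clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        # The log line the ticket asks for: failure plus remote IP, in a fixed
        # shape a fail2ban failregex can match (e.g. "failed from <HOST>").
        log.warning("ControlPort authentication failed from %s (%d/%d within %.0fs)",
                    ip, len(recent), self.max_attempts, self.window)
        if len(recent) >= self.max_attempts:
            self._banned_until[ip] = now + self.ban_seconds
            log.warning("ControlPort: banning %s for %.0fs", ip, self.ban_seconds)
            return "banned"
        return "failed"


def run_transcript(transcript, lockout, clock):
    """Replay (time, ip, direction, line) events through the policy.

    direction is "C" (client -> Tor) or "S" (Tor -> client). Returns one
    decision per event: "dropped" while the ip is banned, else the observe_*
    result.
    """
    decisions = []
    for t, ip, direction, line in transcript:
        clock[0] = t
        if lockout.is_banned(ip):
            decisions.append("dropped")
            continue
        if direction == "C":
            lockout.observe_command(ip, line)
            decisions.append(None)
        else:
            decisions.append(lockout.observe_reply(ip, line))
    return decisions


# Constructed transcript (not a real capture): three bad guesses from one IP
# with a PROTOCOLINFO in between, a correct guess that arrives while banned,
# and a correct guess after the ban has expired.
CONSTRUCTED = [
    (0.0, "203.0.113.7", "C", 'AUTHENTICATE "guess1"'),
    (0.1, "203.0.113.7", "S", "515 Authentication failed: Password did not match HashedControlPassword value from configuration"),
    (0.2, "203.0.113.7", "C", "PROTOCOLINFO 1"),
    (0.3, "203.0.113.7", "S", "250-PROTOCOLINFO 1"),
    (1.0, "203.0.113.7", "C", 'AUTHENTICATE "guess2"'),
    (1.1, "203.0.113.7", "S", "515 Authentication failed: Password did not match HashedControlPassword value from configuration"),
    (2.0, "203.0.113.7", "C", 'AUTHENTICATE "guess3"'),
    (2.1, "203.0.113.7", "S", "515 Authentication failed: Password did not match HashedControlPassword value from configuration"),
    (3.0, "203.0.113.7", "C", 'AUTHENTICATE "correct"'),    # still banned
    (700.0, "203.0.113.7", "C", 'AUTHENTICATE "correct"'),  # ban expired
    (700.1, "203.0.113.7", "S", "250 OK"),
]


def demo():
    clock = [0.0]
    lockout = AuthLockout(max_attempts=3, window=60.0, ban_seconds=600.0,
                          clock=lambda: clock[0])
    return run_transcript(CONSTRUCTED, lockout, clock)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(message)s")
    print(demo())
```

Two design points carry over whatever process ends up enforcing this. Only the reply to an AUTHENTICATE counts, because PROTOCOLINFO is legal before authentication and a 250 to it must not clear the failure history. And the ban is keyed on the remote IP and time-boxed with a sliding window, so an attacker who spreads guesses out slowly still accumulates failures within the window, while a legitimate controller that mistyped once is not locked out forever. The relay that would wrap this still needs to track the in-flight AUTHENTICATE per connection rather than per IP if several controllers can connect from the same address.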