How to Run High Capacity Tor Relays (stateless iptables filtering)

tor_ml tor_ml at ymail.com
Fri Aug 27 10:26:47 UTC 2010


> I believe it actually does. There are tons of ssh scanning worms that
> probe for ssh ports and try to log into them. Sure, disabling
> passwords and/or enforcing strong ones will stop these scans from
> succeeding, but they won't stop them if their zombies are repurposed
> for an (admittedly unlikely) actual ssh exploit, or if one of the
> users decides to upload a weak debian ssh key.
>
> Causing such scans to take 2 days to find my (randomized) ssh port
> instead of 2 seconds does makes this machine a harder target to find
> by worms and impatient/shotgun attackers. If nothing else, it rids my
> logs of a ton of distracting noise, which can make other intrustion
> attempts harder to notice.

Ok, I see.
Do you actually see many ssh login attempts (by simple stupid ssh bots) 
on randomized ssh ports?


> Won't the first rule cause some connection teardown conditions to
> just hang though? Causing extra tcp sockets to stay open is less
> desirable, too.

You are right, on my host (linux) it wouldn't be a problem because it 
useses the 4way connection termination where no packet would match the rule:
FIN, ACK ->
<- ACK
<-FIN,ACK
ACK ->

but in general there is also another way (or many other ways) to close a 
connection:
"
It is also possible to terminate the connection by a 3-way handshake, 
when host A sends a FIN and host B replies with a FIN & ACK (merely 
combines 2 steps into one) and host A replies with an ACK. This is 
perhaps the most common method.
"

https://secure.wikimedia.org/wikipedia/en/wiki/Transmission_Control_Protocol#Connection_termination

I agree with Olaf and would only use the -p tcp --syn rule to filter new 
connection to the server on unwanted ports.







More information about the tor-relays mailing list