[tor-relays] What to do about port scans?

mick mbm at rlogin.net
Wed Jul 31 19:50:27 UTC 2013

On Wed, 31 Jul 2013 14:48:05 -0400
Steve Snyder <swsnyder at snydernet.net> allegedly wrote:

> I wouldn't have thought that the Tor network was fast enough for port 
> scanning, but apparently it is.  I have recently seen a rash of SSH
> port scanning (or so my ISP reports). What can/should  I do about
> this?

I'm not sure exactly what you are saying here. 

1. Do you mean that the scans (directed at you) all came from tor exit

2. Or do you mean that your tor node was scanned from elsewhere? 

3. Or do you mean that your tor exit node was used in port scanning
someone else?

> I know I can limit the rate of connections using iptables.  What's
> the consensus on this?  Is this considered advisable, or a breach of 
> expected exit node behavior?

If you are an exit node and you allow connection to port 22, and you
are being used to scan others (3 above) then I would say it would be
inadvisable to interfere with that connection. Better to be explicit in
your exit policy by denying exit to port 22. Of course that simply
moves the problem to some other exit node, but your ISP will stop
complaining (which may be what you need).

> Do I have any options other than iptables to restrict the rate of
> port 22 connection attempts?

I find that there is a huge drop in ssh scanning activity if the
daemon is simply moved to a non-standard port. So if the problem is 1
or 2 above, a simple sshd reconfig may help.

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
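A small checker, added here as an example and not part of the thread or of Tor's own code, that reads torrc ExitPolicy lines the way Tor evaluates them (first matching line wins, falling through to accept) and answers whether port 22 is still reachable through the exit; the policy fragments below are constructed, and IPv6 targets and the "private" keyword are left out for brevity.

```python
# Added example (not from the thread): evaluate a torrc-style ExitPolicy
# to see whether a given destination port is reachable through this exit.
# Tor checks ExitPolicy lines in order; the first line matching the
# address and port decides. If nothing matches, Tor's built-in default
# policy applies, which ends in "accept *:*", so we fall through to accept.
import ipaddress
from typing import List, Tuple

def _port_matches(port: int, spec: str) -> bool:
    """spec is '*', a single port, or a 'lo-hi' range such as 80-443."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)

def _addr_matches(addr: str, spec: str) -> bool:
    """spec is '*' or an IPv4 address/network such as 10.0.0.0/8."""
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_policy(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn 'ExitPolicy reject *:22, accept *:*' lines into (verb, addr, port) rules."""
    rules = []
    for line in lines:
        for entry in line.split(","):
            tokens = entry.split()
            if tokens and tokens[0] == "ExitPolicy":   # optional torrc keyword
                tokens = tokens[1:]
            verb, target = tokens
            addr, port = target.rsplit(":", 1)
            rules.append((verb, addr, port))
    return rules

def exit_allowed(policy: List[str], addr: str, port: int) -> bool:
    """First matching rule decides; no match means accept, as Tor's default ends in accept *:*."""
    for verb, a, p in parse_policy(policy):
        if _addr_matches(addr, a) and _port_matches(port, p):
            return verb == "accept"
    return True

# Constructed torrc fragments: the first still lets ssh out, the second does not.
OPEN_POLICY = ["ExitPolicy reject *:25", "ExitPolicy accept *:*"]
NO_SSH_POLICY = ["ExitPolicy reject *:22", "ExitPolicy reject *:25", "ExitPolicy accept *:*"]
```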