[tor-relays] SSH scans from Tor exit

Delton Barnes delton.barnes at mail.ru
Wed Apr 30 18:14:41 UTC 2014


grarpamp:
> The servers aren't the ones that shouldn't be online, it's their idiot
> operators who think SSH's DEFAULT SCREAMING ABOUT DENIED
> HACK ATTEMPTS in the logs is some kind of important, and then go
> reporting it to every place they can think of, each of those places staffed
> by more clueless idiots, etc. Grow up people, quit whining about ssh
> and learn to admin. Meanwhile, Theo laughs heartily at everyone.

Often, SSH brute-force login attempts come directly from compromised
machines, not Tor exit nodes.  Reporting such attacks helps
administrators realize a machine is compromised, which is a good thing.
It could be helping protect the privacy of someone whose machine is
compromised.

I'd suggest the problem is administrators treating a Tor exit node the
same as a compromised machine.  If the goal of an administrator is to
eliminate SSH attacks emanating from Tor, they should simply block port
22 connections from Tor exit nodes.

It is a bit cynical or defeatist, I think, to say "There are a lot of
these attacks, so administrators should have to just accept them."  If
you see someone attempting to break into cars, do you report it, or do
you say "There are so many car thefts in the world, what's the point?"

Delton
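
Added example, not part of the original message: one way to apply the two suggestions above, splitting failed SSH logins into Tor exit sources (block port 22) and non-Tor sources with repeated failures (worth reporting to the owner). The exit list, log lines, addresses and the threshold of 2 are constructed for illustration; IPv4 and the stock OpenSSH "Failed password" log format are assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation address ranges, not real hosts).
TOR_EXITS = """\
# exit addresses, one per line
198.51.100.7
203.0.113.44
"""
AUTH_LOG = """\
Apr 30 18:01:02 host sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr 30 18:01:05 host sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr 30 18:02:11 host sshd[902]: Failed password for root from 192.0.2.15 port 51514 ssh2
Apr 30 18:02:13 host sshd[902]: Failed password for root from 192.0.2.15 port 51520 ssh2
Apr 30 18:02:14 host sshd[902]: Failed password for invalid user test from 192.0.2.15 port 51533 ssh2
Apr 30 18:03:40 host sshd[950]: Accepted publickey for alice from 192.0.2.200 port 60000 ssh2
Apr 30 18:04:00 host sshd[960]: Failed password for bob from 203.0.113.99 port 2222 ssh2
"""
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def load_exits(text):
    """Parse an exit list, skipping blank lines and '#' comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ipaddress.ip_address(ln) for ln in lines if ln and not ln.startswith("#")}

def triage(log_text, exits, threshold=2):
    """Return (tor_sources, report_candidates) seen in failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:  # hostname or garbage in the address field
            continue
    tor = sorted(str(ip) for ip in counts if ip in exits)
    report = sorted(str(ip) for ip, n in counts.items()
                    if ip not in exits and n >= threshold)
    return tor, report

def block_rules(exits):
    """One DROP rule per IPv4 exit, covering inbound port 22 only."""
    return [f"iptables -A INPUT -p tcp --dport 22 -s {ip} -j DROP"
            for ip in sorted(exits, key=int) if ip.version == 4]

if __name__ == "__main__":
    exits = load_exits(TOR_EXITS)
    print(triage(AUTH_LOG, exits))
    print("\n".join(block_rules(exits)))
```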

