[tor-relays] How to prevent netscan usage?

ZEROF security at netmajstor.com
Thu Nov 26 03:50:17 UTC 2015


Hi,

First rule is to use some firewall, 2nd is to disable that port for few
days. You will not lose exit flag becuase of this, just will give you time
to learn more about how to secure your node. Few friends
using FirewallBuilder to learn how to build their firewall system, maybe
you can start with that as well (http://www.fwbuilder.org/). Check and
learn about flood attack and using iptables to block them. Good luck, maybe
other node admins will have better solution for your case.

On 25 November 2015 at 23:21, Roland 'ValiDOM' Jungnickel <
vali2015 at validom.de> wrote:

> hi,
>
> I'm operating a tor exit with a relatively high bandwith rate for more
> than 3 years.
>
> My ISP receives more and more abuse tickets about my server regarding
> netscans. These netscans are executed with dest. port 80 so I'm not able
> to block them easily.
>
> Any idea how to prevent netscans using my exit node? Below you find an
> extract of such an abuse mail.
>
> Thanks a lot!
> ValiDOM
>
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 41518 =>    46.20.92.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 41545 =>    46.20.92.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 41575 =>    46.20.92.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45219 =>    59.192.63.xx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45218 =>    59.192.63.xx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45217 =>    59.192.63.xx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 42460 =>    59.203.179.x 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 42517 =>    59.203.179.x 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 42569 =>    59.203.179.x 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 57564 =>   59.211.15.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 57596 =>   59.211.15.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 57631 =>   59.211.15.xxx 80
> Wed Nov 18 12:55:27 2015 TCP   88.198.14xxx 58022 =>   59.228.86.xxx 80
> Wed Nov 18 12:55:27 2015 TCP   88.198.14xxx 58046 =>   59.228.86.xxx 80
> Wed Nov 18 12:55:27 2015 TCP   88.198.14xxx 58081 =>   59.228.86.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 37123 =>    64.238.74.xx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 37178 =>    64.238.74.xx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 41003 =>    65.20.53.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45785 =>  65.186.130.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45850 =>  65.186.130.xxx 80
> Wed Nov 18 12:55:26 2015 TCP   88.198.14xxx 45907 =>  65.186.130.xxx 80
> Wed Nov 18 12:55:12 2015 TCP   88.198.14xxx 60607 =>   66.87.185.xxx 80
> Wed Nov 18 12:55:12 2015 TCP   88.198.14xxx 60611 =>   66.87.185.xxx 80
> Wed Nov 18 12:55:12 2015 TCP   88.198.14xxx 60613 =>   66.87.185.xxx 80
> Wed Nov 18 12:55:14 2015 TCP   88.198.14xxx 52693 =>  69.191.200.xxx 80
> Wed Nov 18 12:55:14 2015 TCP   88.198.14xxx 52740 =>  69.191.200.xxx 80
> Wed Nov 18 12:55:14 2015 TCP   88.198.14xxx 52783 =>  69.191.200.xxx 80
> Wed Nov 18 12:55:27 2015 TCP   88.198.14xxx 35453 =>    71.54.215.xx 80
> Wed Nov 18 12:55:27 2015 TCP   88.198.14xxx 35464 =>    71.54.215.xx 80
> Wed Nov 18 12:55:12 2015 TCP   88.198.14xxx 39263 => 101.249.145.xxx 80
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>


-- 
http://www.backbox.org
http://www.pentester.iz.rs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20151126/2f631b6c/attachment.html>


More information about the tor-relays mailing list