[tor-relays] Preventing wp-admin related abuse report

Tim Wilson-Brown - teor teor2345 at gmail.com
Tue Sep 15 19:45:33 UTC 2015


> On 16 Sep 2015, at 05:42, spiros_spiros at freemail.gr wrote:
> 
> 
> Greetings community,
> 
> Over the last eight weeks a Tor exit that I operate has attracted more and more abuse reports and the VPS data centre is starting to lose their patience with the amount of tickets they open for each incident.
> 
> Almost all of the abuse reports are related to attempts to access wordpress blogs by exploiting wp-admin or other scripts, and the servers are protected by bitninja, abusix, spamcop etc to automatically send abuse complaints. I am now receiving an average of 2-3 per week.
> 
> I have two questions. First question - is everyone getting this high amount of wordpress related attacks from exits? Second - are there recommended steps to take to reduce or prevent this kind of activity?
> 
> Things I have tried so far:
>  - run exit on reduced policy (obviously not going to have an impact on abuse traffic but did make the data centre people happy for a while)
>  - full security check on VPS including tripwire, clamav, lastcomm etc to assure provider that the VPS is not compromised
>  - Tor port on server has website running explaining that this is a Tor exit and linking to more information
>  - I have offered to work with ISP to change WHOIS to my email address, but they do not seem keen on it (some blacklists that the server is added to will also block the /16 of the IP range)
>  - Block offended host on the firewall (as a last resort)

It’s best if you block the offended hosts in the exit policy. That way, clients won’t even connect to your exit if they want to get to that address.

Use lines like:

ExitPolicy reject 1.2.3.4:80
ExitPolicy reject6 [2003::1]:443

before any lines that allow that port - right at the start of the exit policy is best.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
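
Added example, not part of the original message: one way to turn the addresses named in abuse reports into ExitPolicy reject/reject6 lines and place them ahead of the existing exit policy in a torrc, as the reply advises. The function names, the sample torrc and the sample report list are constructed for illustration.

```python
import ipaddress

# Constructed sample torrc; a real one will differ.
SAMPLE_TORRC = """ORPort 9001
ExitPolicyRejectPrivate 1
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

def reject_lines(targets):
    """Build ExitPolicy lines from (address, port) pairs taken from abuse reports."""
    lines = []
    for addr, port in targets:
        ip = ipaddress.ip_address(addr.strip("[] "))  # ValueError on anything not an IP
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port: {port}")
        if ip.version == 4:
            line = f"ExitPolicy reject {ip}:{int(port)}"
        else:
            line = f"ExitPolicy reject6 [{ip}]:{int(port)}"  # IPv6 needs brackets
        if line not in lines:  # the same host is often reported more than once
            lines.append(line)
    return lines

def prepend_to_policy(torrc_text, new_lines):
    """Insert new_lines before the first ExitPolicy line (first match wins in Tor)."""
    rows = torrc_text.splitlines()
    present = {r.strip() for r in rows}
    new_lines = [l for l in new_lines if l not in present]  # keep reruns idempotent
    out, inserted = [], False
    for row in rows:
        words = row.split()
        # Exact keyword match, so ExitPolicyRejectPrivate and comments are skipped.
        if not inserted and words and words[0].lower() == "exitpolicy":
            out.extend(new_lines)
            inserted = True
        out.append(row)
    if not inserted:  # no explicit policy yet: rejects go at the end of the file
        out.extend(new_lines)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed report list; the third entry duplicates the second in another spelling.
    reported = [("1.2.3.4", 80), ("[2003::1]", 443), ("2003:0:0::1", 443)]
    print(prepend_to_policy(SAMPLE_TORRC, reject_lines(reported)), end="")
```

Review the generated file before reloading Tor; the new policy is published in the relay's next descriptor.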
