[tor-relays] Preventing wp-admin related abuse report

Christian Gagneraud chgans at gna.org
Tue Sep 15 22:49:39 UTC 2015


On 16/09/15 08:36, butary at gmx.de wrote:
> Hey,
> I also had a lot of problems with my ISP concerning abuse reports.
> They shut down my exit relays several times. I got a last chance,
> before they notice the contract.
> So I decided to go a controversial way - I installed an IDS/IPS + strong
> firewall rules.

Hi ButAry,

Can you elaborate on this, what did you install exactly, how did you 
configure it, ...

Chris

> The log file contains a huge amount of rejected traffic. Most of the
> time, Botnet traffic and shortly rising WordPress attacks.
> I'm not happy with my decision but it smoothed my ISP because they
> received less abuse reports.
> If someone has a more elegant solution, please advise me.
> Regards,
> ButAry
> *Sent:* Tuesday, 15 September 2015 at 19:42
> *From:* spiros_spiros at freemail.gr
> *To:* tor-relays at lists.torproject.org
> *Subject:* [tor-relays] Preventing wp-admin related abuse report
>
> Greetings community,
>
> Over the last eight weeks a Tor exit that I operate has attracted more and
> more abuse reports and the VPS data centre is starting to lose their
> patience with the amount of tickets they open for each incident.
>
> Almost all of the abuse reports are related to attempts to access
> wordpress blogs by exploiting wp-admin or other scripts, and the servers
> are protected by bitninja, abusix, spamcop etc to automatically send
> abuse complaints. I am now receiving an average of 2-3 per week.
>
> I have two questions. First question - is everyone getting this high
> amount of wordpress related attacks from exits? Second - are there
> recommended steps to take to reduce or prevent this kind of activity?
>
> Things I have tried so far:
> - run exit on reduced policy (obviously not going to have an impact on
> abuse traffic but did make the data centre people happy for a while)
> - full security check on VPS including tripwire, clamav, lastcomm etc to
> assure provider that the VPS is not compromised
> - Tor port on server has website running explaining that this is a Tor
> exit and linking to more information
> - I have offered to work with ISP to change WHOIS to my email address,
> but they do not seem keen on it (some blacklists that the server is
> added to will also block the /16 of the IP range)
> - Block offended host on the firewall (as a last resort)
>
> Thanks for any suggestions
>
> Spiros
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>


