[tor-relays] SSH Bruteforce Attempts

Jonathan Proulx jon at csail.mit.edu
Wed Oct 4 14:34:37 UTC 2017


Here's my version of the same:

Hello,

The source address 128.52.128.105 is a Tor exit node, and is not the
origin point for the traffic in question.  See
http://tor-exit.csail.mit.edu (which is the host in your logs) for
details.  Any action taken on this node would simply result in the
problem traffic using a different exit.

For further information please read http://tor-exit.csail.mit.edu/ the
bottom of this page includes information on how to block all Tor exits
should you wish to do so (including links to get a list of all current
Tor exits).

Sincerely,
The Infrastructure Group
MIT Computer Science and Artificial Intelligence Laboratory

I recently learned about https://exonerator.torproject.org/ if you
don't have a large institutional name to hide behind  like I do you
may want to include that in want ever response you use to lend
credibility to your exit claim.

-Jon

On Wed, Oct 04, 2017 at 08:26:06AM +0200, Rejo Zenger wrote:
:Hey,
:
:Yes, I do more or less the same. If the complaint is sent using some automated system, I "do nothing." If the complaint is sent by a human, I'll answer them with a template, see below. If there is a followup response to that, I'll do some more explaining, oftentimes pointing them at the block lists provided by the Tor Project.
:
:Here's the default answer:
:
:---
:
:Thanks a lot for your notification. The traffic originating from the IP-address is traffic from a Tor exit-node. As I am not sure whether you are familiar with the Tor network, I would like to provide some explanation.
:
:Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet intermediary does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. The result is that, unlike most other Internet traffic, the final IP address that the recipient receives is not the IP address of the sender.
:
:I run a Tor node to provide privacy to people who need it most: average computer users. Tor sees use by many important segments of the population, including whistle blowers, journalists, Chinese dissidents skirting the Great Firewall and oppressive censorship, abuse victims, stalker targets, the US military, and law enforcement, just to name a few. While Tor is not designed for malicious computer users, it is true that they can use the network for malicious ends.
:
:Of course, the Tor network may be abused by others and apparently this is what you are seeing. I am very sorry for this to happen to you. In reality however, the actual amount of abuse is quite low. This is largely because criminals and hackers have significantly better access to privacy and anonymity than do the regular users whom they prey upon. Criminals can and do build, sell, and trade far larger and more powerful networks than Tor on a daily basis.
:
:To avoid any more traffic from this source, you could (temporarily) block the IP-address of my Tor exit node. You also have the option of blocking all exit nodes on the Tor network if you so desire.  The Tor project provides a web service to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a specified IP:port combination, and an official DNSRBL is also available to determine if a given IP address is actually a Tor exit server.
:
:---
:
:
:
:
:++ 04/10/17 02:44 +0000 - teor:
:>
:>> On 3 Oct 2017, at 22:35, tanous .c <sawtous at gmail.com> wrote:
:>> 
:>> Have any of you had this sort of problem? I'm having difficulty determining if this log information represents a normal exit relay ocurrence or if my server has been compromised... What could i do in order to solve this?
:>
:>Yes, Profihost sent me one recently that looked very similar.
:>Fortunately, I use OutboundBindAddress, so I knew it was
:>(very likely to be) exit traffic.
:>
:>You can:
:>* do nothing
:>* respond and ask for verification that they want your exit
:>   to block their site, but explain that they need to block
:>   all Tor Exits for the traffic to stop
:>* add exit policy entries to block each of the mentioned
:>   IPs and ports
:>* block port 22 on your exit
:>
:>I'll be doing nothing.
:>
:>You should consider your provider's reaction, because they
:>may want you do something about the complaint, even if
:>it's something ineffective.
:>
:>Tim
:>_______________________________________________
:>tor-relays mailing list
:>tor-relays at lists.torproject.org
:>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
:
:
:-- 
:Rejo Zenger
:E rejo at zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl  
:T @rejozenger | J rejo at zenger.nl
:
:OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
:XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF



:_______________________________________________
:tor-relays mailing list
:tor-relays at lists.torproject.org
:https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171004/908757bb/attachment.sig>


More information about the tor-relays mailing list