[tor-relays] SSH Bruteforce Attempts

tanous .c sawtous at gmail.com
Thu Oct 5 01:12:48 UTC 2017


Thank you all for replying,
I will answer the notification with the template mentioned by Rejo and
include the link for ExoneraTor recommended by Jon.

Best Regards,

Tanous

2017-10-04 11:34 GMT-03:00 Jonathan Proulx <jon at csail.mit.edu>:

> Here's my version of the same:
>
> Hello,
>
> The source address 128.52.128.105 is a Tor exit node, and is not the
> origin point for the traffic in question.  See
> http://tor-exit.csail.mit.edu (which is the host in your logs) for
> details.  Any action taken on this node would simply result in the
> problem traffic using a different exit.
>
> For further information please read http://tor-exit.csail.mit.edu/; the
> bottom of this page includes information on how to block all Tor exits
> should you wish to do so (including links to get a list of all current
> Tor exits).
>
> Sincerely,
> The Infrastructure Group
> MIT Computer Science and Artificial Intelligence Laboratory
>
> I recently learned about https://exonerator.torproject.org/ if you
> don't have a large institutional name to hide behind like I do you
> may want to include that in whatever response you use to lend
> credibility to your exit claim.
>
> -Jon
>
> On Wed, Oct 04, 2017 at 08:26:06AM +0200, Rejo Zenger wrote:
> :Hey,
> :
> :Yes, I do more or less the same. If the complaint is sent using some
> :automated system, I "do nothing." If the complaint is sent by a human, I'll
> :answer them with a template, see below. If there is a followup response to
> :that, I'll do some more explaining, oftentimes pointing them at the block
> :lists provided by the Tor Project.
> :
> :Here's the default answer:
> :
> :---
> :
> :Thanks a lot for your notification. The traffic originating from the
> :IP-address is traffic from a Tor exit-node. As I am not sure whether you
> :are familiar with the Tor network, I would like to provide some explanation.
> :
> :Tor is network software that helps users to enhance their privacy,
> :security, and safety online. It does not host any content. Rather, it is
> :part of a network of nodes on the Internet that simply pass packets among
> :themselves before sending them to their destinations, just as any Internet
> :intermediary does. The difference is that Tor tunnels the connections such
> :that no hop can learn both the source and destination of the packets,
> :giving users protection from nefarious snooping on network traffic. The
> :result is that, unlike most other Internet traffic, the final IP address
> :that the recipient receives is not the IP address of the sender.
> :
> :I run a Tor node to provide privacy to people who need it most: average
> :computer users. Tor sees use by many important segments of the population,
> :including whistle blowers, journalists, Chinese dissidents skirting the
> :Great Firewall and oppressive censorship, abuse victims, stalker targets,
> :the US military, and law enforcement, just to name a few. While Tor is not
> :designed for malicious computer users, it is true that they can use the
> :network for malicious ends.
> :
> :Of course, the Tor network may be abused by others and apparently this is
> :what you are seeing. I am very sorry for this to happen to you. In reality
> :however, the actual amount of abuse is quite low. This is largely because
> :criminals and hackers have significantly better access to privacy and
> :anonymity than do the regular users whom they prey upon. Criminals can and
> :do build, sell, and trade far larger and more powerful networks than Tor on
> :a daily basis.
> :
> :To avoid any more traffic from this source, you could (temporarily) block
> :the IP-address of my Tor exit node. You also have the option of blocking
> :all exit nodes on the Tor network if you so desire.  The Tor project
> :provides a web service to fetch a list of all IP addresses of Tor exit
> :nodes that allow exiting to a specified IP:port combination, and an
> :official DNSRBL is also available to determine if a given IP address is
> :actually a Tor exit server.
> :
> :---
> :
> :
> :
> :
> :++ 04/10/17 02:44 +0000 - teor:
> :>
> :>> On 3 Oct 2017, at 22:35, tanous .c <sawtous at gmail.com> wrote:
> :>>
> :>> Have any of you had this sort of problem? I'm having difficulty
> :>> determining if this log information represents a normal exit relay
> :>> occurrence or if my server has been compromised... What could I do in order
> :>> to solve this?
> :>
> :>Yes, Profihost sent me one recently that looked very similar.
> :>Fortunately, I use OutboundBindAddress, so I knew it was
> :>(very likely to be) exit traffic.
> :>
> :>You can:
> :>* do nothing
> :>* respond and ask for verification that they want your exit
> :>   to block their site, but explain that they need to block
> :>   all Tor Exits for the traffic to stop
> :>* add exit policy entries to block each of the mentioned
> :>   IPs and ports
> :>* block port 22 on your exit
> :>
> :>I'll be doing nothing.
> :>
> :>You should consider your provider's reaction, because they
> :>may want you to do something about the complaint, even if
> :>it's something ineffective.
> :>
> :>Tim
> :>_______________________________________________
> :>tor-relays mailing list
> :>tor-relays at lists.torproject.org
> :>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> :
> :
> :--
> :Rejo Zenger
> :E rejo at zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
> :T @rejozenger | J rejo at zenger.nl
> :
> :OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
> :XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF
>
>
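One of the options listed in the thread is to add exit policy entries for each IP and port named in a complaint. The sketch below is an added example, not code from any poster in the thread: the `ADDR PORT` input format and the function name `exit_policy_lines` are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: destination address and port pairs as they might be
# listed in an abuse complaint (documentation ranges, not real hosts).
COMPLAINT_TARGETS = """\
198.51.100.7 22
198.51.100.7 22
203.0.113.40 2222
2001:db8::15 22
not-an-ip 22
192.0.2.9 70000
"""


def exit_policy_lines(text):
    """Return (torrc lines, unusable input lines) for 'ADDR PORT' pairs."""
    seen, lines, bad = set(), [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
            port = int(parts[1])
            if len(parts) != 2 or not 1 <= port <= 65535:
                raise ValueError(raw)
        except (ValueError, IndexError):
            bad.append(raw)  # never emit a policy line from unparsed input
            continue
        if (addr, port) in seen:  # complaints often repeat the same target
            continue
        seen.add((addr, port))
        if addr.version == 6:
            # IPv6 destinations use reject6 with the address in brackets
            lines.append(f"ExitPolicy reject6 [{addr}]:{port}")
        else:
            lines.append(f"ExitPolicy reject {addr}:{port}")
    return lines, bad


if __name__ == "__main__":
    policy, skipped = exit_policy_lines(COMPLAINT_TARGETS)
    print("\n".join(policy))
    for line in skipped:
        print(f"# skipped (not ADDR PORT): {line}")
```

Tor evaluates exit policy entries in order and the first match wins, so the generated reject lines belong above any accept entries in torrc.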