[tor-relays] SSH scanning on TOR Exit - Nerfing Rules

AMuse tor-amuse at foofus.com
Thu Aug 29 23:26:35 UTC 2019


Hi all! I'm curious what y'all think of this situation.

I have SSH open as an exit port on a TOR exit that my friends and I are
maintaining - and of course it's the #1 offender by far in automated abuse
notifications we get from our ISP, from people's fail2ban servers sending
abuse emails. This all seems like a huge waste of time, but that's a
separate issue.

I'm wondering if nerfing outbound SSH to rate limit will be effective at
getting the SSH scanning bots to stop using my exit in their circuit, while
leaving SSH open for actual humans who need to SSH while using TOR.

I've implemented, as a test, rate limiting outbound on the SSH port.  What
do you think the impact of this will be?  No impact? Losing exit status
because connections on SSH die?  Something else entirely?

Here's the pf rules in question:

# Inbound to the relay host: port range 9000-9150, SSH and HTTP
pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state
pass in on $ext_if proto tcp from any to any port 22 keep state
pass in on $ext_if proto tcp from any to any port 80 keep state

# Outbound: allow everything, then (pf is last-match) restrict port 22
pass out on $ext_if from any to any keep state
pass out on $ext_if proto tcp from any to any port 22 \
    keep state (max-src-conn 25, max-src-conn-rate 1/5)
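As an added example (not part of the original post or the poster's pf.conf), here is the same ruleset written out with the points that matter on a Tor exit: every outbound connection pf sees leaves with the relay's own source address, so `max-src-conn` and `max-src-conn-rate` count all exit users together rather than per Tor client, and an `overload` table would end up blocking the relay itself. `$ext_if` is assumed to be defined earlier in the file, and the 9000:9150 range is carried over from the original rules without assuming what it serves.

```pf
# Added example ruleset; $ext_if is assumed to be defined above.

# Inbound to the relay host: the 9000-9150 range, SSH and HTTP.
pass in on $ext_if proto { tcp udp } from any to any port 9000:9150 keep state
pass in on $ext_if proto tcp from any to any port 22 keep state
pass in on $ext_if proto tcp from any to any port 80 keep state

# Outbound default. Everything the exit relays leaves with the relay's
# own address as source, so pf cannot tell one Tor client from another.
pass out on $ext_if from any to any keep state

# Outbound SSH. pf evaluates rules last-match, so this rule overrides the
# default above for port 22. Because the source address is always the
# relay's, the per-source limits are effectively global for the exit:
#   max-src-conn 25        -> at most 25 concurrent outbound SSH states, total
#   max-src-conn-rate 1/5  -> at most 1 new outbound SSH connection per 5 s, total
# A scanner that burns the budget starves the human users in the same bucket.
# Do not add "overload <table> flush global" here: the address pf would put
# in the table is the relay's own, which would cut off every exit connection.
pass out on $ext_if proto tcp from any to any port 22 \
    keep state (max-src-conn 25, max-src-conn-rate 1/5)

# Equivalent, more honest spelling of the concurrency cap: "max" is a
# per-rule ceiling on states and says nothing about sources.
# pass out on $ext_if proto tcp from any to any port 22 keep state (max 25)
```

To see whether the limit is actually biting, `pfctl -ss` lists the current state table (filter for the `:22` entries) and `pfctl -vsr` prints each rule with its evaluation, packet and state counters, so the number of admitted SSH states can be compared against the ceiling in the rule. Connections refused by the limit fail at the SYN, and the Tor client sees the stream end rather than a slow connection.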