[tor-relays] SSH scanning on TOR Exit - Nerfing Rules
teor
teor at riseup.net
Fri Aug 30 07:47:05 UTC 2019
Hi,
> On 30 Aug 2019, at 09:26, AMuse <tor-amuse at foofus.com> wrote:
>
> I have SSH open as an exit port on a TOR exit that my friends and I are maintaining - and of course it's the #1 offender by far in automated abuse notifications we get from our ISP, from peoples' fail2ban servers sending abuse emails. This all seems like a huge waste of time, but that's a separate issue.
>
> I'm wondering if nerfing outbound SSH to rate limit will be effective at getting the SSH scanning bots to stop using my exit in their circuit, while leaving SSH open for actual humans who need to SSH while using TOR.
I ran some large exits from 2016-2018, and I thought about this issue a lot.
Usually while dealing with automated abuse mails.
Ideally, we want a DoS mode that:
* allows the first connection from a circuit at full speed
* with each extra rapid connection, gradually slows connections from the
same circuit
There's a bunch of fine tuning we could do by port, traffic volume,
and how busy other circuits are.
But that needs to be implemented in Tor, because only Tor can see circuits.
> I've implemented, as a test, rate limiting outbound on the SSH port. What do you think the impact of this will be? No impact?
Probably.
> Losing exit status because connections on SSH die?
Unlikely. I think Exitmap only measures HTTP(S).
> Something else entirely?
Maybe scanners will move to another exit.
Maybe some SSH connections will be blocked, you should set your exit in
a client's torrc and try it out:
ExitNodes (fingerprint)
StrictNodes 1
T
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20190830/9dc48f74/attachment.sig>
More information about the tor-relays
mailing list