[tor-relays] SSH scanning on TOR Exit - Nerfing Rules
Matt Corallo
tor-lists at mattcorallo.com
Mon Sep 16 12:32:18 UTC 2019
I've taken to contacting the sender of the automated abuse reports and
noting that sending such emails may actually not be legal (at least in
the US) under CAN-SPAM. In some cases I've seen positive response as
people aren't even aware their random server with fail2ban is sending
these things.
Matt
On 8/29/19 11:26 PM, AMuse wrote:
> Hi all! I'm curious what y'all think of this situation.
>
> I have SSH open as an exit port on a TOR exit that my friends and I are
> maintaining - and of course it's the #1 offender by far in automated
> abuse notifications we get from our ISP, from peoples' fail2ban servers
> sending abuse emails. This all seems like a huge waste of time, but
> that's a separate issue.
>
> I'm wondering if nerfing outbound SSH to rate limit will be effective at
> getting the SSH scanning bots to stop using my exit in their circuit,
> while leaving SSH open for actual humans who need to SSH while using TOR.
>
> I've implemented, as a test, rate limiting outbound on the SSH port.
> What do you think the impact of this will be? No impact? Losing exit
> status because connections on SSH die? Something else entirely?
>
> Here's the pf rules in question:
>
> pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state
>
> pass in on $ext_if proto tcp from any to any port 22 keep state
>
> pass in on $ext_if proto tcp from any to any port 80 keep state
>
> pass out on $ext_if from any to any keep state
>
> pass out on $ext_if proto tcp from any to any port 22 keep state
> (max-src-conn 25, max-src-conn-rate 1/5 )
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
More information about the tor-relays
mailing list