
Comments

  • forest Member
    edited January 22

    @ralf said:

    @forest said:

    @ralf said:

    @forest said:
    Please make sure that only useful reports are sent. For example, don't report attacks from Tor exits as they are already public and such reports only cause noise for both IP reputation providers and exit operators.

    To be fair, if people are using tor exits to cause trouble, then you should report it so the person running the tor exit can filter the traffic to block it. I'd hope you don't allow SMTP out of your tor exit either. If you do, please let us know all your IPs so we can easily block them all.

    It's not possible to block traffic from the exit (at least, not practical), and it would be completely pointless as whoever is spamming would just use a different exit.

    Sure there is.
    iptables -A INPUT ! -d $MYIP -p tcp -m tcp --dport 22 -j REJECT

    I meant it's not possible to block traffic from within the exit, i.e. doing -A OUTPUT -p tcp -m tcp --dport 22 -j DROP would cause the relay to get excluded from the network, since the proper way to tell the network not to use your exit for SSH is to use ExitPolicy reject *:22 in the configuration file.

    Although I would argue nft add rule filter input ip saddr $myip tcp dport ssh ct state new accept is better. ;)

    The world will be a much nicer place.

    The complete list of Tor exits, along with the ports they allow (iirc I have a couple that allow port 25), is public, so there's no need to waste time reporting them; anyone who wants to block Tor already can.

    Oh, so you can easily mark ssh as not routable over your tor exit. Sounds like they expect people will want to get rid of such abuse vectors.

    It's for operating on hosts which do not understand Tor (or whose upstreams do not understand Tor). They call it the Reduced Exit Policy and it's only recommended for those instances.

    Because of the way the Tor network works, it's better to just consider the entire set of exits as one entity with a shared IP reputation, and that entire list is published by the Tor Project in various forms (including a DNSBL).

    Sure, but I'm talking about helping to reduce the problem tor causes to other people. Sounds like tor is a perfect use case if you want to avoid systems like fail2ban. If everybody shrugs and goes "well everyone else doesn't care, why should we?" then the problem persists. Just like allowing SMTP traffic will get you reported, so you take care to block it, if people are using your exit to hammer ssh ports, then you should also expect complaints. And there's a simple fix.

    Unlike botnets, Tor announces which IPs can access port 22, so if you don't want any Tor exits trying to SSH into your system, you can block them all at once. I don't know of any botnets that tell you what IPs they are using in advance. If you're experiencing an attack over Tor, you shouldn't block individual relays, you should block all the exits, or you'll be playing a game of 3000+ whack-a-mole.

    That's why reporting individual exits is pointless and a waste of time. It would be as silly as blocking an individual source port:destination IP combo to get that source port blocked (obviously the attacker will not be re-using the same source port next time). Just think of exits like source ports and the entire Tor network as one big IP.

    FWIW I'm not ideologically opposed to tor, even though I'd never use it or operate a node, but I think it makes sense to help people access HTTP(S) for people in restrictive regimes, but ssh isn't really justified. If someone wants to run ssh on a non-standard port to get around the port 22 block, then you can assume they're not just using it for malice.

    I've had to use Tor while on business trips to get around various blocks, and in all those cases I had to connect to standard ports. You never know when you'll need it. There isn't that much SSH abuse coming from the Tor network though, since creating new circuits is too slow. Mass scans over Tor are impractical.

    Even with SSH, the majority of connections are not malicious. There was a study some years ago that showed that only 3% of Tor traffic was malicious.

    Thanked by 1ralf
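The approach argued for above (treat every published exit as one entity and block them all at once, instead of reporting or banning relays one by one) as an added example that is not from the thread. It assumes the one-address-per-line layout of the Tor bulk exit list, uses a constructed sample instead of a real download, and renders an nftables fragment meant to be loaded with `nft -f`:

```python
import ipaddress

# Constructed sample in the one-address-per-line layout of the Tor bulk
# exit list; the addresses are documentation ranges, not real relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real export
198.51.100.7
198.51.100.7
2001:db8:1::5
203.0.113.42
not-an-address
"""


def parse_exit_list(text):
    """Return (ipv4, ipv6) sets of valid, de-duplicated exit addresses."""
    v4, v6 = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip a garbage line instead of failing the whole load
        (v4 if addr.version == 4 else v6).add(str(addr))
    return v4, v6


def is_tor_exit(ip, v4, v6):
    """Reputation lookup: every exit counts the same, like one big source IP."""
    return ip in v4 or ip in v6


def nft_ruleset(v4, v6, port=22):
    """Render an nftables fragment dropping new connections to `port`
    from all exits at once (assumed deployment: `nft -f <file>`)."""
    fams = [("ip", "ipv4_addr", "tor_exits_v4", v4),
            ("ip6", "ipv6_addr", "tor_exits_v6", v6)]
    fams = [f for f in fams if f[3]]  # a family with no exits needs no set
    out = ["table inet filter {"]
    for _, typ, name, addrs in fams:
        elems = ", ".join(sorted(addrs, key=ipaddress.ip_address))
        out.append(f"  set {name} {{ type {typ}; elements = {{ {elems} }} }}")
    out += ["  chain input {", "    type filter hook input priority 0; policy accept;"]
    for proto, _, name, _ in fams:
        out.append(f"    {proto} saddr @{name} tcp dport {port} ct state new drop")
    out += ["  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(nft_ruleset(*parse_exit_list(SAMPLE_EXIT_LIST)))
```

Refreshing the sets from a fresh list (rather than banning relays as they show up in logs) is what keeps this from turning into the whack-a-mole the post describes.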
  • ralf Member
    edited January 22

    OK some good points. I don't use tor, so I mostly don't know any of that, I just know I hate any kind of automated bot scanning. ssh usually doesn't bother me any more because the first thing I do when I get a new server is apply the above firewall thing (with previous rules to permit whitelisted hosts) because I'm sick of the rate of log spam from password guessers. For me, an outright ban apart from whitelisting works best.

    But, I'd still say if people are using your tor exit and causing trouble, you should expect the complaints - if your host is causing someone to reach the threshold that they report it, it's obviously already too much.

  • @ralf said:
    OK some good points. I don't use tor, so I mostly don't know any of that, I just know I hate any kind of automated bot scanning. ssh usually doesn't bother me any more because the first thing I do when I get a new server is apply the above firewall thing (with previous rules to permit whitelisted hosts) because I'm sick of the rate of log spam from password guessers. For me, an outright ban apart from whitelisting works best.

    I agree, whitelisting is best. Or even just using public key authentication.

    But, I'd still say if people are using your tor exit and causing trouble, you should expect the complaints - if your host is causing someone to reach the threshold that they report it, it's obviously already too much.

    That's one of the unfortunate but unavoidable side-effects of privacy: Either everyone has it or no one does. It just so happens that most people who want to scan the internet are going to be willing to use botnets to do so, but most people who need anonymity are SOL if they don't have Tor (or something equivalent). Criminal actors won't be inconvenienced if Tor were to stop existing, but people who really need it would be devastated. It's a worthwhile trade-off in my opinion, having a negligible effect on the total amount of abuse on the internet while having a profound effect on freedom and privacy.

    Thanked by 2ralf cxg
  • Cloudflare for example only has binary options for Tor. Either allow or deny. Since you can't differentiate between the users, there is no way to figure out if someone wants information from your site to stay private or is scraping it.

    EOL :(

  • @forest said:
    Criminal actors won't be inconvenienced if Tor were to stop existing

    That's not true.

  • forest Member
    edited January 24

    @TimboJones said:

    @forest said:
    Criminal actors won't be inconvenienced if Tor were to stop existing

    That's not true.

    Well, they won't be severely inconvenienced. I'm sure there'd be some grumbling, especially from script kiddies, but they'd move on. Most attacks are not done over Tor due to its relatively low circuit-build rate. There's a small "cache" of pre-built circuits, so if you're trying to connect to dozens, hundreds, or thousands of distinct destinations per second, Tor will become unusably slow as it has to build a new circuit for each new connection when the cache runs out.

    If Tor were to stop existing, hackers would still have:

    • botnets running proxies
    • hacked routers
    • cheap bulletproof servers

    Perverts would still have:

    • eD2k networks
    • PerfectDark
    • Freenet/Hyphanet

    Pirates would still have:

    • seedboxes
    • private trackers
    • trading forums

    Privacy activists, unwilling to break the law for their privacy, would have:

    • N/A

    Sure, it's not quite that simple, and there are definitely criminals who are able to benefit from the Tor network, but they would not be nearly as damaged if Tor were to disappear as people who really need it.

    Thanked by 1hexilord