[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Ssh MITM attack when using tor

Juliusz Chroboczek wrote:
What are you supposed to do when you notice a MITM attack?  How do you
find out the exit node, and where do you report it to?

I'm running ssh as so:

ssh -A -C -o 'ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050' "$@"

Just curious -- how does ssh inform you that a man-in-the-middle (i.e. the exit node) is trying to victimize you?

If you have access to the logs on the machine you were ssh'ing into, you should find the IP address of the exit node there. Once you have identified the malicious exit node, I would inform one of the Tor designers. In the future, you can turn on Tor's logging and look in the log file there to see what your exit node is (you may have to turn off "SafeLogging" in order to see Tor node names).