Re: [tor-relays] Tor exit nodes attacking SSH?

Subject: Re: [tor-relays] Tor exit nodes attacking SSH?

Date: Wed, 9 Aug 2017 18:32:16 -0700

Delivery-date: Wed, 09 Aug 2017 21:32:36 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=itxqt/DnCmxD7F1Zvi5scfuj87NOEmWQauLPQKHHO/0=; b=riE5ZpvQte18f1mcqUydhYgT7c7bVFl7npswjZYOdGVV+gjlM9GcxBWtvFKU5QznZA KIdd/fX40Z58mvcy21LzzsxtI8WS7uJF2bforq0ijgd/rnkG+nuJJgCiYMFDO1/cShlc pYXydvID0Q1UASFqumE8E3hE8dVNjudOaUY+yTGOlGT6IaZYuFitd1RXYGw+zPieDvV7 WQYkU2Ul5gLyL6bLso7xHK2vQTxZ5OYWtetzy57soiH6Um/iA7/ixqWOgX5DNOM/3Ns5 hWp+7bu+ly9NXdEmikSfBaXRZr0g+TiIbm+cmr6kHhQ8PKqaCdmHT2QsrCiJQbYS7tCB sjlw==

In-reply-to: <20170809200830.v6lgjyus7wgrnudm@neva>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <33551502260734@web43j.yandex.ru> <20170809200830.v6lgjyus7wgrnudm@neva>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

You choose your own path and exit. It couldn't be any node before your chosen exit because of onion.

You can't look for incoming traffic on your ssh server to know the bad node. You have to know your chosen exit from the client end, to know the MITM.

On Aug 9, 2017 1:08 PM, "Alexander Nasonov" <alnsn@xxxxxxxxx> wrote:

me@xxxxxxxxxxxxxxxx wrote:
> Make a "trap" ssh server (for example on virtualbox machine
> without any sensitive data) and log in into it through tsocks.
> After that check from which ip it was logged in. This probably
> would be ip of the exit node.

What if they "bridge" mitm-ed traffic to a different host?

I saw a similar ssh warning few weeks ago but I wasn't prepared to
identify the bad exit. I set SafeLogging to 0 and I will enable
debugging via SIGUSR2 next time this happens. Can someone confirm
whether it's a good way of identifying bad exits?

--
Alex
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays