
Re: [tor-relays] SSH Bruteforce Attempts



> On 3 Oct 2017, at 22:35, tanous .c <sawtous@xxxxxxxxx> wrote:
> 
> Have any of you had this sort of problem? I'm having difficulty determining if this log information represents a normal exit relay occurrence or if my server has been compromised... What could I do in order to solve this?

Yes, Profihost sent me one recently that looked very similar.
Fortunately, I use OutboundBindAddress, so I knew it was
(very likely to be) exit traffic.

You can:
* do nothing
* respond and ask for verification that they want your exit
   to block their site, but explain that they need to block
   all Tor Exits for the traffic to stop
* add exit policy entries to block each of the mentioned
   IPs and ports
* block port 22 on your exit

I'll be doing nothing.

You should consider your provider's reaction, because they
may want you to do something about the complaint, even if
it's something ineffective.

Tim
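
An added example, not part of the message above or of Tor's own code: a triage script for an abuse report on a relay that sets OutboundBindAddress. It separates connections sourced from the exit address from those sourced from the host's own address and emits ExitPolicy reject entries for the reported targets. The report line format, the sample addresses, and the idea of a separate management address are assumptions; only IPv4 is handled.

```python
import ipaddress
import re

# Constructed sample report lines (the format is an assumption, not from the thread).
SAMPLE_REPORT = """\
2017-10-03 08:14:02 src=198.51.100.7 dst=192.0.2.10 dport=22 failed password
2017-10-03 08:14:09 src=198.51.100.7 dst=192.0.2.10 dport=22 failed password
2017-10-03 08:15:40 src=198.51.100.7 dst=192.0.2.44 dport=2222 failed password
2017-10-03 08:16:11 src=203.0.113.5 dst=192.0.2.10 dport=22 failed password
"""
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def triage(report, outbound_bind, mgmt_addr):
    """Split reported connections by which of our addresses they came from.

    outbound_bind: the torrc OutboundBindAddress value (exit traffic).
    mgmt_addr: hypothetical address the host uses for its own traffic.
    Returns (exit_targets, host_targets, unrelated_count).
    """
    exit_ip = ipaddress.IPv4Address(outbound_bind)
    mgmt_ip = ipaddress.IPv4Address(mgmt_addr)
    exit_targets, host_targets, unrelated = set(), set(), 0
    for line in report.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.IPv4Address(m.group(1))
            dst = ipaddress.IPv4Address(m.group(2))
        except ValueError:
            continue  # malformed or non-IPv4 address: skip the line
        port = int(m.group(3))
        if not 0 < port < 65536:
            continue
        if src == exit_ip:
            exit_targets.add((dst, port))   # very likely exit traffic
        elif src == mgmt_ip:
            host_targets.add((dst, port))   # not exit traffic: check the host
        else:
            unrelated += 1                  # not one of our addresses
    return exit_targets, host_targets, unrelated


def exit_policy_lines(targets):
    """torrc lines; they must precede accept entries, since the first match wins."""
    ordered = sorted(targets, key=lambda t: (int(t[0]), t[1]))
    return [f"ExitPolicy reject {dst}:{port}" for dst, port in ordered]


if __name__ == "__main__":
    exits, host, other = triage(SAMPLE_REPORT, "198.51.100.7", "198.51.100.6")
    print("\n".join(exit_policy_lines(exits)))
    print(f"from host address: {len(host)}, unrelated sources: {other}")
```

Blocking port 22 outright, the last option in the list above, is the single line `ExitPolicy reject *:22` instead of the per-target entries.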