
Re: [tor-relays] Preventing wp-admin related abuse report



On 16/09/15 08:36, butary@xxxxxx wrote:
Hey,
I also had a lot of problems with my ISP concerning abuse reports.
They shut down my exit relays several times. I got a last chance,
before they notice the contract.
So I decided to go a controversial way - I installed an IDS/IPS + strong
firewall rules.

Hi ButAry,

Can you elaborate on this, what did you install exactly, how did you configure it, ...

Chris

The log file contains a huge amount of rejected traffic. Most of the
time, Botnet traffic and shortly rising WordPress attacks.
I'm not happy with my decision but it smoothed my ISP because they
received fewer abuse reports.
If someone has a more elegant solution, please advise me.
Regards,
ButAry
*Sent:* Tuesday, 15 September 2015 at 19:42
*From:* spiros_spiros@xxxxxxxxxxx
*To:* tor-relays@xxxxxxxxxxxxxxxxxxxx
*Subject:* [tor-relays] Preventing wp-admin related abuse report

Greetings community,

Over the last eight weeks a Tor exit that I operate has attracted more and
more abuse reports and the VPS data centre is starting to lose their
patience with the amount of tickets they open for each incident.

Almost all of the abuse reports are related to attempts to access
wordpress blogs by exploiting wp-admin or other scripts, and the servers
are protected by bitninja, abusix, spamcop etc to automatically send
abuse complaints. I am now receiving an average of 2-3 per week.

I have two questions. First question - is everyone getting this high
amount of wordpress related attacks from exits? Second - are there
recommended steps to take to reduce or prevent this kind of activity?

Things I have tried so far:
- run exit on reduced policy (obviously not going to have an impact on
abuse traffic but did make the data centre people happy for a while)
- full security check on VPS including tripwire, clamav, lastcomm etc to
assure provider that the VPS is not compromised
- Tor port on server has website running explaining that this is a Tor
exit and linking to more information
- I have offered to work with ISP to change WHOIS to my email address,
but they do not seem keen on it (some blacklists that the server is
added to will also block the /16 of the IP range)
- Block offended host on the firewall (as a last resort)

Thanks for any suggestions

Spiros

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

