[tor-relays] Re: Possible attack on servers via Tor Guard relays?
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: [tor-relays] Re: Possible attack on servers via Tor Guard relays?
- From: Felix via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 19 Jan 2025 01:51:44 +0100
- In-reply-to: <e37c0942-7b47-4da3-b7cf-48f045fbd2f7@x9p.org>
- List-id: "support and questions about running Tor relays (exit, non-exit, bridge)" <tor-relays.lists.torproject.org>
- References: <e37c0942-7b47-4da3-b7cf-48f045fbd2f7@x9p.org>
- Reply-to: Felix <zwiebel@xxxxxxxxxxxxxxxx>
Hi,
> I do get a "banner line contains invalid characters" error
Imo, those characters are somehow related to the communication
between the ssh client and the sshd on the server. The onion skins
should not be able to access the innermost layer, in this
case the ssh communication.
> Possible attack on servers via Tor Guard relays
With the written above, the Tor node attributes should not play
a role.
> the connection is terminated. (MSG1) Upon connecting for
> the second time, everything goes smooth. (MSG2)
Starting with MSG2 the ssh connection seems to work.
Something has happened. [1] reads:
SSHFP
All SSH fingerprints (SSHFP) records of all the hosts are
added to DNS. You can verify the SSH fingerprint by adding
"-o VerifyHostKeyDNS=yes" to the ssh command.
$ ssh -o VerifyHostKeyDNS=yes serverXX.openbsd.amsterdam
The authenticity of host 'serverXX.openbsd.amsterdam' can't
be established.
ECDSA key fingerprint is
SHA256:w3ZoL03eaY/2xdRd/7NvHHwfqIOjyv2O8xkvUnqEgps.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
...
serverXX$
Secondly, the MSG1/2 examples show ssh will speak to a host
'ams02'. The log shows the onion url 'ngb...bid.onion' that
resolves to '127.42.42.0', which is not publicly routable.
Confusing to me.
> Any directions would be appreciated to solve the problem.
Maybe it's worth looking into local dns, host addresses and
ssh fingerprint (known host).
And what path the ssh communication takes, especially the
difference between MSG1 and MSG2.
[1] https://openbsd.amsterdam/setup.html
-
Cheers, Felix
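The setup page quoted above relies on SSHFP records: ssh hashes the host key it is presented with and compares that hash with what DNS publishes. As an added illustration (not part of Felix's mail or of openbsd.amsterdam's tooling), the script below does the same comparison offline: it parses an OpenSSH public key line, derives the "SHA256:..." fingerprint ssh prints, builds the SSHFP (algorithm, fingerprint type, digest) tuple an operator would publish, and checks a presented key against a list of such records. The Ed25519 key material is constructed from arbitrary bytes and is not any real server's key; `constructed_host_key` and the other function names are this example's own.

```python
"""Offline check of an SSH host key against SSHFP data, mirroring what
"ssh -o VerifyHostKeyDNS=yes" does before it says
"Matching host key fingerprint found in DNS"."""
import base64
import hashlib
import struct

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from an OpenSSH public key line, e.g.
    the contents of ssh_host_ed25519_key.pub or a known_hosts entry."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The wire blob begins with a length-prefixed copy of the key type;
    # refuse lines whose two copies disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match first field")
    return key_type, blob


def openssh_fingerprint(blob):
    """The SHA256 fingerprint exactly as ssh / ssh-keygen -l print it:
    base64 of the SHA-256 digest over the raw key blob, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(key_type, blob, fp_type=2):
    """(algorithm, fp_type, hex digest): the RDATA an operator publishes
    as an SSHFP record. fp_type 2 is SHA-256, which current ssh prefers."""
    return (SSHFP_ALGORITHMS[key_type], fp_type,
            SSHFP_HASHES[fp_type](blob).hexdigest())


def sshfp_matches(key_type, blob, dns_records):
    """True if any (algorithm, fp_type, hex) record matches the key."""
    alg = SSHFP_ALGORITHMS.get(key_type)
    return any(
        sshfp_record(key_type, blob, fp) == (rec_alg, fp, digest.lower())
        for rec_alg, fp, digest in dns_records
        if rec_alg == alg and fp in SSHFP_HASHES
    )


def constructed_host_key():
    """A constructed Ed25519 public key line for demonstration only; the
    32 key bytes are arbitrary and belong to no real host."""
    key_type = b"ssh-ed25519"
    pubkey = bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(pubkey)) + pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(constructed_host_key())
    published = sshfp_record(key_type, blob)        # what goes into DNS
    print("ssh would show:", openssh_fingerprint(blob))
    print("SSHFP RDATA   :", *published)
    print("match         :", sshfp_matches(key_type, blob, [published]))
    # A key with one flipped byte must not match the published record.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print("tampered match:", sshfp_matches(key_type, tampered, [published]))
```

To apply this to a real host, feed `parse_pubkey_line` the line from the server's own `ssh_host_*_key.pub` (or the known_hosts entry ssh wrote on the second, "smooth" connection) and the records from `dig +short SSHFP <host>`; a mismatch between what MSG1 and MSG2 saw is exactly the kind of difference Felix suggests chasing.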