Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata
On 04.10.2016 at 16:48, krishna e bera wrote:
> On 04/10/16 08:48 AM, pa011 wrote:
>> One of my main ISPs is going mad with the number of abuses he gets from my Exits (currently most on port 80).
>> He asks me to install "Intrusion Prevention System Software" or shut down the servers.
>
> You can first ask him for a copy of the complaints in order to
> understand what sort of alleged abuses are taking place. Are the
> complaints about spam or scraping or web server exploits or something else?
I do get a copy of every complaint - they are unfortunately:
- HTTP browser intrusion - /var/log/apache2/other_vhosts_access.log:soldierx.com:80 xxx.xxx.xxx.xxx - - [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
- invalid VAT number requests
- recorded connection attempt(s) from your hosts to our honeypots
- Issue: Source has attempted the following botnet activity: Semalt Referrer Spam Tor Exit Bot
- botnet drone|Description: Ramnit botnet victim connection to sinkhole details,
- attackers used the method/service: *imap*
> You can change your exit policy to reduce likelihood of complaints:
> https://blog.torproject.org/blog/tips-running-exit-node
I know, but I hardly like to block port 80
>> As far as I understand, implementing such software does not go together with Tor - am I right?
>
> If your exit nodes tamper with traffic in any way they will be labelled
> as Bad Exit. (Tor tries to be net neutral.)
> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>