[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Botnet targeting Tor relays

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Botnet targeting Tor relays
From: Red Oaive via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 24 Oct 2024 13:54:50 -0300
Cc: Red Oaive <clearly@xxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 25 Oct 2024 02:29:19 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1729837720; bh=V2RlLYNE8ZXPvXQ6PALHVp6Phj9cULj9/YrsQwRAkdQ=; h=Date:To:In-Reply-To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=fdn4aSpinqtTQtJJs8MjSw88f8X/QDBPOb6oOnrBw6ccYQQvAMXfZ2JR3jlbK+dWd 3Smbad16YSjDtytJrOPMneeXnxPOTu+PIqF9/o/NsfrK1KybtY5Zpuf9aSpE6d4QYc rTiqyIEborQxCxA9K/EIxN3DaluXK+hgBSgEmFBGf5Wp0Uazez4SZA5Imkv25u0Qxl FO9LrDz/2LeL1jSRISQeltbh7WSrT/LvcVwvdry4RgBszdaDf8JobJXQIjeFGM/WxA lcAkOqUQj3ot32LA8RqdMAVqs7zm3H01I/cNeOVW1GcmhhRVLTZsHrT/aSQ2MdherS rqvzO4vr06r+Q==
In-reply-to: <XRQ1nMeHY9SBbL2NsWHo8sgjpOBEamj60xj5ePVRMfExs7QXWaprqexXDqbVbumjRWrl-F3VIycu_rsF6tcRDFOaxZdVMlz0WWQ3efZVsOE=@proton.me>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <5c15c963-355c-4f2d-8ab6-c43fff73510b@kai.sx> <XRQ1nMeHY9SBbL2NsWHo8sgjpOBEamj60xj5ePVRMfExs7QXWaprqexXDqbVbumjRWrl-F3VIycu_rsF6tcRDFOaxZdVMlz0WWQ3efZVsOE=@proton.me>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 2024-10-23 05:27, George Hartley via tor-relays wrote:

Any advice on this?

How many concurrent exit connections do you have? And how often do yousee bad actors running scanners? It shouldn't be too onerous to ratelimit on --dport 22 globally. This is no worse than blocking 22outright, and any time you don't have a bad actor a relatively low limiton --dport 22 would hardly ever even get noticed. How many sshconnections do your average 100 people open per second? If youconstantly, or even often have a bad actor on, then they will tend totake up your allowed connection count. But if its only occasional, itmight be a good compromise.

I'd also make the rule to reject rather than drop. In my experience alot of the ssh botnets tend to pout and go away when they getrejections. Drops just keep them coming back.

For everone else working on the incoming side, knockd is your friend. Ifound this was so much of a better solution than fail2ban.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Botnet targeting Tor relays
  - From: anon
- Re: [tor-relays] Botnet targeting Tor relays
  - From: George Hartley via tor-relays

Prev by Author: Re: [tor-relays] DDOS mitigation with nftables
Next by Author: Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Previous by thread: Re: [tor-relays] Botnet targeting Tor relays
Next by thread: [tor-relays] Tor Relay Operator Community Health - Final report (June 2024)
Index(es):
- Author
- Thread