Re: [tor-relays] Attacker IP database

Subject: Re: [tor-relays] Attacker IP database

From: Bryan Carey <z0civic483@xxxxxxxxx>

Date: Fri, 2 Aug 2013 15:25:10 -0600

Delivery-date: Fri, 02 Aug 2013 17:25:24 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=aYhmR06V5u24EHABUChwt122Y3SWdlGpNU8a9GWQC4g=; b=gpkZNNwfHKI/jhd6099ANFLKywH0Bj1aLTlk6RmDX0cn2nwOTSiZLagD1TU7vG11dP 7Cf4C47o9uK9Rh3mHY3G0puZ+A0/WvHjSnxz7nyvRRLGLPBfzLj0GDlRL4XeHogbnup3 XylFQbOldwHOlc6zaCv+dcArwPWZbnB9zrzDHAe6LXCmJFIg172+oIfhLaSIE7cPfeMj ghkh2r6FeVBLDXP3oJ8W0r72UiA51YUEvBQLFln1Z/6kUVmoE51wwJk65ur3SiGqiP4q yMEgxoIp3kQHxTLzbn6jdJdgIzvlg88tB8CY35bC6dyFrvp2+y7S+SUwpqEGH8Ux6yp8 pC+A==

In-reply-to: <51FC10D8.3090708@xxxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <CA+zTX6+2v0GBP6aUcTb8WqJhaDZKhRJEz92WcrBRqL9b4mg4pw@xxxxxxxxxxxxxx> <51FC10D8.3090708@xxxxxxxxx>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Thanks everyone for your input! I already had root access disabled via sshd config. I will look into fail2ban as it sounds like it remedies the problem I'm having.

@Nick - I'm talking about attacks directed at the node, not going through it.

Thanks,

Bryan

On Fri, Aug 2, 2013 at 2:04 PM, Marina Brown <catskillmarina@xxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/02/2013 03:18 PM, Bryan Carey wrote:
> Is there any kind of compiled list of IPs that relay operators can
> refer to that are known bad IPs (sources of brute force SSH
> attempts, etc.)? Is there a reason to NOT block (drop) traffic from
> these IPs?
>
> Here are some that I have seen recently trying to brute force
> common user accounts and root password attempts: 198.50.197.98
> 220.161.148.178 223.4.217.47 199.187.125.250 175.99.95.252
> 62.64.83.38 125.209.110.234 37.235.53.172
>

To block these types of attempts i disable root access in
/etc/ssh/sshd_conf and i run fail2ban with a very strict ruleset for
sshd in /etc/fail2ban/jail.conf. Turn the bantime way up and put the
retries low like 2-3.

Fail2ban adds abusive ip addresses to the iptables in linux. You can
save the rulesets if you like with a cron job.

- --- Marina

> Also, in general what are some good security practices to keep in
> mind while running a Tor relay?
>
> Thanks, Bryan
>
>

> _______________________________________________ tor-relays mailing
> list tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJR/BDXAAoJEEy/Yrjnmw6c4TEP/Rbl1wtepRS5uDIv/OIBzxYS
VlkhTbVlgRh9fT2dK7IvHlQH0bTeQkt2sDxx4lWZJ2k157a6V2UDHuo7wZuz6NFq
FU4N7tKUIgrfyjJi24O8YKskR3XJyayTnF71fyydWUbLhzMGgGLAePr6YpYtERci
xRFfWRPbCx7zmWobR0SWtJdco+8ObsTDB6UDhn0HMPcFq5jc8+QE0j+R5/AOjFib
F+r0KbUNscBQ6qqnjr8ufvoEP4Npy+0/tLG0tF1aSR6nQz1bHpf/piyjjns3N4Wt
+a50QaXIQqUVNkgNo8KQfCDd6xktKGXtSqoaJJZulQ/37RiUhCZzkSsYZ1qa6PO/
F+k/5CJHScRblV8F5wkBJBeiFYbqMUdhF8aP5dFkHsDLL423HHYANxWfn2+ytT2A
zHxd4Z9xxCDc5+X/OvCc/lM/NChDaHgFckY8yDCvoBKXkkts9RHbdnsNYIEJCnnl
qcerY9JlFTrXbcDh1QDEkrL3yphTYTFHVb9QBMID+6xOoz2AIiy0ya9P5StoSSmB
3G/PC+DwlMzoVyoEsG7hw53EkZkeHvCnctTubIq3LGqxEgr6wJyRdTd4ONL0joZM
mHsZlmE3Dko0ae4yYGcvdl62TPrDKvRT52sNROhSE2K+wv3nWVevKbM9zwmWW+lI
xeH9tafItWfW9aI94Kyc
=AKRd
-----END PGP SIGNATURE-----

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays