[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] anyone else getting sync floods from russia?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] anyone else getting sync floods from russia?
From: lists@xxxxxxxxxxxxxxx
Date: Mon, 22 Feb 2021 01:01:25 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 21 Feb 2021 19:01:47 -0500
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=for-privacy.net; s=easymail; t=1613952090; bh=0z47kGazG2pXdEMT0tEGRaYOlwUwbnkN8TNT/jlK6Gk=; h=Date:From:To:Subject:In-Reply-To:References:From; b=mNKUk1Cg5rWhS/7j4ElV3r+LMUxY7IHZ/tAyCoRwXCHvgPnEm2PntKQdAeydKGiwU FqBecrSIUlEv0rkhtDpvRrClepxK+EaOQ/iR9FKd9GE4vqwPnrrGNHXdod+bEcDw9r kcBthOb8W8hk9H46y3uaGr95rjMWFrL+lMz/yBJxcTeDTPdqbCo6ymqmida4jHrefc jmA1tYjij7ZVJvmGCwkHs7JcR7A6sSASqzlbm250ap7AQMjl0r/fJ/mqKqAF9y37XE KPtI3N9TpQNEY+qqfW3au2utbELKLjHlqsWIp0tMaeMHmkBC+KHWqU5/TuQxZsraex +tmsvZGaq5tcw==
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=for-privacy.net; s=easymail; t=1613952089; bh=0z47kGazG2pXdEMT0tEGRaYOlwUwbnkN8TNT/jlK6Gk=; h=Date:From:To:Subject:In-Reply-To:References:From; b=t+DlkHHWsg3HuulhnWdaACoIbscuspJpXCOoG52OohD/ByQozhnfU+s7Au5VwIMIq NzzLnXBrHmU9TL1F4LU6IRHCaaYkI55Ai+7ScdqM94Apqxi5SYw5EZVJjoyj4FNeG5 vhurhYNKqVQ8TPwNxupFXl2KWP6ppynA76DWDxVAD4598jF5dOcRut37r9ZOBbvyvf M8xM1oYmVf6tRguQ7X7pN7zf6TV3bg3N9Cp2xxASZsITWgue42ZxSZu9NvJtUYyAaD vKE8EdswMV7z5ZtBtWA3UFMWBdLGZQHNqfoN51J0tHKK4oR51rSnv2At7Uxu428tvZ OEYufMomDn/Zw==
In-reply-to: <70a2cbb6-f8f2-299c-e149-633ddc3139e2@gmx.de>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <DF077F29-B1B0-43A8-8C11-CF9DB0A7CC8F@to-surf-and-protect.net> <0b30cdfd-485a-7a1d-2e0a-59741659ddb8@gmx.de> <8852B085-FD75-48EC-8A56-5776B432147F@to-surf-and-protect.net> <70a2cbb6-f8f2-299c-e149-633ddc3139e2@gmx.de>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.3.3

On 21.02.2021 12:12, Toralf Förster wrote:

Would an iptables ruel with "recent" and "limit" be a solution here ?
If yes, how do you use that (do you have a code snippet)?


Example SSH:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

## Drop incoming connections which make more than 4 connection attemptsupon port 22 within ten minutes-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh--set-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh--update --seconds 600 --hitcount 4 -j DROP


## To list these damned IP's: 'nano /proc/net/xt_recent/ssh' or
## 'cat /proc/net/xt_recent/ssh > recent-ssh.txt'

Multiport example:

# Up to 15 ports can be specified. A port range (port:port) counts astwo ports.# Drop incoming connections which make more than 10 connection attemptsupon ports x-y within 1 minute-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -mrecent --name syfloo --set-A INPUT -p tcp -m multiport --dports xx:yy -m state --state NEW -mrecent --name syfloo --update --seconds 60 --hitcount 10 -j DROP


Be sure to look for
ip_list_tot:number of IPs to remember per list
cat /sys/module/xt_recent/parameters/ip_list_tot

nifty must increase to 10000 ;-)


https://ipset.netfilter.org/iptables-extensions.man.html
--connlimit-upto & --connlimit-above looks interesting too.

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] anyone else getting sync floods from russia?
  - From: Toralf Förster

References:
- [tor-relays] anyone else getting sync floods from russia?
  - From: niftybunny
- Re: [tor-relays] anyone else getting sync floods from russia?
  - From: Toralf Förster
- Re: [tor-relays] anyone else getting sync floods from russia?
  - From: niftybunny
- Re: [tor-relays] anyone else getting sync floods from russia?
  - From: Toralf Förster

Prev by Author: [tor-relays] Tor Time Logging
Next by Author: Re: [tor-relays] orport
Previous by thread: Re: [tor-relays] anyone else getting sync floods from russia?
Next by thread: Re: [tor-relays] anyone else getting sync floods from russia?
Index(es):
- Author
- Thread