Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx, "delroth@xxxxxxxxx" <delroth@xxxxxxxxx>

Subject: Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

From: George Hartley via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Date: Sat, 02 Nov 2024 13:47:20 +0000

Cc: George Hartley <hartley_george@xxxxxxxxx>

Delivery-date: Mon, 04 Nov 2024 04:41:25 -0500

Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1730712871; bh=v7uul0FzBL40/lV5x7KgxTDZD1gHT31XhMMPdB/fxo4=; h=Date:To:In-Reply-To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=Rb1x8swj03N0b+GkAYZMpVYoD0jHS66LKNEoUqAouBSsDHQC9YJAEiBNPFZZCyfhB dEmN4epqO0jXh/ifPElQa9PD5TBv6A3pesWgrAiGMFMUEJNCqFzdz+MAU4XMjZfMyD xPyPAZ6I2cKjPdjhOZvi0epgNXySFmTkuFci1TiLH5NPpiATVJcH/W9Ra/NEK7oG3a EcxmoEySGU9Q5Ln+CNqPKEzJo3phD6T43zKAsTyXKUTaax0eVprhDvj7vVNWN3mr+f ugg6EYfJSEtOxpsCxFwB/Msx7Wa7AH8EiRuOFZbwW/T8onVV2YGmfs6V1G+GNQbcom cpsNkeh99BxOA==

Feedback-id: 68993610:user:proton

In-reply-to: <CA+V6dmizGEo4Y=3tCFmK_xNm7W=d7zh4W=0aypyyzVR+Hn4uoA@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <CA+V6dmizGEo4Y=3tCFmK_xNm7W=d7zh4W=0aypyyzVR+Hn4uoA@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hello,

I do operate an exit node which rejects exits on port 22.

You should, by default, change your SSH port to a random 5 digit number:

Random.org Random Number Generator

And apply static IPTables rules to block connection spam even if someone portscans your system (make sure to apply this rule to your random port, I just set the port here to 22):

$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Also, disable password-based authentication entirely, and go for at least RSA4096 or even better ED25519 login rendezvous.

I promise to later do a tcpdump on my machine, and see if relays on the public lists are more affected then your average "normal" server.

Of course there are always machines, more often infected than not, scanning the IPv4

ranges for open SSH ports, which possible can be exploited.

Please wait for me reply in a few hours friend.

-GH

On Tuesday, October 29th, 2024 at 4:33 AM, Pierre Bourdon delroth@xxxxxxxxx wrote:

Hi relay ops,
By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Software Engineer @ Zürich, Switzerland
https://delroth.net/
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays