
Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?



Hello,

I do operate an exit node which rejects exits on port 22.

You should, by default, change your SSH port to a random 5 digit number:

Random.org Random Number Generator

And apply static IPTables rules to block connection spam even if someone portscans your system (make sure to apply this rule to your random port, I just set the port here to 22):

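IPT=iptables  # the rules below expect $IPT to hold the iptables command
# Record every new connection to the SSH port in the "SSH" recent list
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Drop new connections from a source that has made 4 or more within 300 seconds
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT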

Also, disable password-based authentication entirely, and go for at least RSA4096 or even better ED25519 login rendezvous.

I promise to later do a tcpdump on my machine, and see if relays on the public lists are more affected than your average "normal" server.

Of course there are always machines, more often infected than not, scanning the IPv4 ranges for open SSH ports, which possibly can be exploited.

Please wait for my reply in a few hours, friend.

-GH

On Tuesday, October 29th, 2024 at 4:33 AM, Pierre Bourdon delroth@xxxxxxxxx wrote:

Hi relay ops,
By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Software Engineer @ Zürich, Switzerland
https://delroth.net/
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Attachment: publickey - hartley_george@proton.me - 0xAEE8E00F.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
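
Added example, not part of the original message: a simplified Python model of how the three `-m recent` rules quoted above treat new connections, so the effect of `--seconds 300 --hitcount 4` can be checked before relying on it. It assumes one NEW packet per connection attempt and xt_recent's default of 20 stored timestamps per address; the class and function names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

SECONDS = 300      # --seconds 300, from the rules in the message
HITCOUNT = 4       # --hitcount 4, from the rules in the message
MAX_STAMPS = 20    # assumption: xt_recent's default ip_pkt_list_tot


class RecentList:
    """Simplified model of one named `-m recent` list (here: SSH)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def new_connection(self, src, now):
        """Return the verdict for one NEW packet from src at time now (seconds)."""
        seen = self.stamps[src]
        seen.append(now)                      # rule 1: --set records the packet
        hits = sum(1 for t in seen if t >= now - SECONDS)
        if hits >= HITCOUNT:                  # rule 2: --update ... -j DROP
            seen.append(now)                  # a matching --update refreshes "last seen"
            return "DROP"
        return "ACCEPT"                       # rule 3: plain ACCEPT


def replay(events):
    """events: iterable of (time_in_seconds, source_ip); returns the verdicts."""
    table = RecentList()
    return [table.new_connection(src, t) for t, src in events]


# Constructed sample traffic (documentation addresses, not real hosts).
BURST = [(t, "192.0.2.10") for t in (0, 5, 10, 15, 20)]
RETRY_EVERY_MINUTE = [(t, "192.0.2.20") for t in range(0, 601, 60)]
BACK_OFF = [(0, "192.0.2.30"), (1, "192.0.2.30"), (2, "192.0.2.30"),
            (3, "192.0.2.30"), (304, "192.0.2.30")]

if __name__ == "__main__":
    for name, ev in (("burst", BURST), ("retry/60s", RETRY_EVERY_MINUTE),
                     ("back off", BACK_OFF)):
        print(f"{name:10s}", replay(ev))
```

The model shows that dropped attempts still count toward the limit, so a client that keeps retrying every minute never gets back in, while one that stays quiet for the full window does. An administrator who opens several sessions in quick succession will hit the same limit.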
