Re: [tor-relays] Tor node break-in attempts
>
> Attack counts are in the 100,000s.
>
This sort of thing poses no threat and
is quite stupid, as previously observed.
It is mainly annoying for the mess it makes
of /var/log/security.
If you don't want to change the SSH port
(best solution IMO), here's an 'iptables'
rule that will fix it (adjust/rearrange as
needed/desired). These lines assume they
will go in /etc/sysconfig/iptables.
You can run them manually by prefixing them with
the 'iptables' command. I wrote this
without looking at the default 'iptables'
file for any distro; if you are using
one, revise accordingly or rename the
original and start from scratch.
# Per-interface chain; all packets arriving on eth0 are sent to it.
-N input_eth0
-A INPUT -i eth0 -j input_eth0
# Replies to existing connections never touch the SSH rules below.
-A input_eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop a new connection if this source already has 3 hits in the last 600 s.
# --update also records the dropped packet, so a source that keeps trying stays blocked.
-A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACK -j DROP
# Otherwise record the source in SSH_ATTACK and let the connection through.
-A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --set --name SSH_ATTACK -j ACCEPT
==========
Because we all make mistakes, you should *TEST*
the rule by KEEPING A LIVE CONNECTION active
and logging in a second time or you may lock
yourself out of your server. Use
iptables -nvL
to display the counters and look for the lock-out
effect after 'hitcount' attempts. Also look in
cat /proc/net/xt_recent/SSH_ATTACK
for the login tries and lock-out. You can clear
an IP with
echo "-x.x.x.x" >>/proc/net/xt_recent/SSH_ATTACK
==========
If you want a bigger hash table and more history
than the default, you can create
/etc/modprobe.d/xt_recent.conf
and put something like
options xt_recent ip_list_tot=16384 ip_pkt_list_tot=255
in it.
==========
Some documentation at http://linux.die.net/man/8/iptables
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
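The following is an added example, not part of the mailing-list post above: a small Python model of the `--set` / `--rcheck` / `--update` bookkeeping that the 'recent' match performs, so the lock-out described in the post can be traced without root or a kernel. It assumes the kernel's documented semantics (a per-address ring of packet timestamps, hits counted within the `--seconds` window, `--update` adding a stamp on match); it does not model SYN retransmits or jiffy granularity. The addresses and attempt timings are constructed. It shows three things a practitioner would want to check: the third hit is the last one accepted, `--update` keeps a patient attacker locked out for as long as it keeps retrying whereas `--rcheck` would let it back in once the window slides, and the same rule also drops an admin who opens a fourth new session within ten minutes until the address is cleared.

```python
"""Python model of the two xt_recent rules from the post.

This is an added illustration, not kernel code: it re-implements the
--set / --rcheck / --update bookkeeping of iptables' 'recent' match
closely enough to trace the lock-out without needing root or a kernel.
The IP addresses and attempt timings below are constructed examples.
"""
from collections import defaultdict

SECONDS = 600              # --seconds 600
HITCOUNT = 3               # --hitcount 3
IP_PKT_LIST_TOT = 20       # xt_recent default: stamps kept per address


class RecentList:
    """One named list, e.g. /proc/net/xt_recent/SSH_ATTACK."""

    def __init__(self, ip_pkt_list_tot=IP_PKT_LIST_TOT):
        self.max_stamps = ip_pkt_list_tot
        self.stamps = defaultdict(list)   # src ip -> packet times, oldest first

    def set(self, ip, now):
        """--set: add the address, or a new packet stamp for it."""
        lst = self.stamps[ip]
        lst.append(now)
        if len(lst) > self.max_stamps:   # ring buffer: oldest stamp is overwritten
            del lst[0]

    def check(self, ip, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True).

        Matches when the address is listed and at least `hitcount` of its
        stamps are no older than `seconds`.  --update additionally records
        the matching packet as a fresh stamp, which is what keeps a
        persistent attacker locked out.
        """
        if ip not in self.stamps:
            return False
        recent = [t for t in self.stamps[ip] if now - t <= seconds]
        if len(recent) < hitcount:
            return False
        if update:
            self.set(ip, now)
        return True

    def clear(self, ip):
        """Equivalent of: echo "-ip" > /proc/net/xt_recent/SSH_ATTACK"""
        self.stamps.pop(ip, None)


def run_chain(attempts, update=True, table=None):
    """Feed new-connection SYNs to port 22 through the rule pair.

    attempts: iterable of (time_in_seconds, src_ip).  ESTABLISHED,RELATED
    traffic never reaches these rules, so only fresh connections are modelled.
    Returns (verdicts, drop_counter); drop_counter mirrors the packet counter
    `iptables -nvL` would show on the DROP rule.
    """
    table = table if table is not None else RecentList()
    verdicts = []
    drop_counter = 0
    for now, ip in attempts:
        # -A input_eth0 -p tcp --dport 22 -m recent --update --seconds 600
        #    --hitcount 3 --name SSH_ATTACK -j DROP
        if table.check(ip, now, SECONDS, HITCOUNT, update=update):
            verdicts.append((now, ip, "DROP"))
            drop_counter += 1
            continue
        # -A input_eth0 -p tcp --dport 22 -m recent --set --name SSH_ATTACK -j ACCEPT
        table.set(ip, now)
        verdicts.append((now, ip, "ACCEPT"))
    return verdicts, drop_counter


def attempts_from(ip, start, step, count):
    """`count` connection attempts from ip, `step` seconds apart, from `start`."""
    return [(start + i * step, ip) for i in range(count)]


ATTACKER = "203.0.113.5"   # constructed (documentation range)

# Four SYNs in four seconds, then a retry every 200 s: a patient brute-forcer.
PERSISTENT = attempts_from(ATTACKER, 0, 1, 4) + attempts_from(ATTACKER, 203, 200, 8)


def verdict_string(verdicts):
    """Compact trace, one letter per attempt: A = ACCEPT, D = DROP."""
    return "".join(v[2][0] for v in verdicts)


if __name__ == "__main__":
    v_update, drops = run_chain(PERSISTENT, update=True)
    v_rcheck, _ = run_chain(PERSISTENT, update=False)
    print("--update :", verdict_string(v_update), "DROP counter =", drops)
    print("--rcheck :", verdict_string(v_rcheck))
    # The same rule also bites an admin who opens a 4th session within 10 min.
    t = RecentList()
    run_chain(attempts_from("198.51.100.7", 0, 60, 4), table=t)
    t.clear("198.51.100.7")                         # echo "-198.51.100.7" > ...
    print("after clear:", verdict_string(run_chain([(300, "198.51.100.7")], table=t)[0]))
```

Running it prints `AAADDDDDDDDD` for the `--update` rule as posted (every retry after the third hit refreshes the entry, so the attacker never gets back in) against `AAADDDAAADAA` for the same rule with `--rcheck`, which is the reason the post's rule uses `--update`. The admin trace is the caveat to keep in mind while testing from a second terminal: three new sessions inside the 600 s window are the limit, and the fourth is dropped until the address is removed from the list.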