[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Botnet targeting Tor relays

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Botnet targeting Tor relays
From: DiffieHellman via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Oct 2024 22:34:33 +1100
Cc: DiffieHellman <tor@xxxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 17 Oct 2024 08:06:16 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1729166766; bh=v5c4E/ZR7hTt+TOOcLh3O9eaJrKPbN4Mx1sjRQCNKko=; h=To:In-Reply-To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:From; b=FemS/SgxaGojWXMo+KW8npdxtCTIPM1kHqkkdG7L8GM+EU3efU1FnNN5VtCZzEpo8 V7n3rSN1vs0/1F+Iu6JyZ17HjR7cJ3rJB8FqRJbAn9Uj7joTKVYDghC/C7C35Qer4b n5hI2C7xP4ImW5lwZrXGoZCp/X5xHDLZaQbLElxo8wb2vVRoVvwAd+B00oq0r2/Nit 1SqYDkjl40ehvhTZwG/bnasjyTegIXXW2ngMJFGPClrKRHr6jIHbROZ9n0ijRMUUtH Qs75qY9otUa6pHOxo7nWBg5GIKXrXJtXXtmWnWv0hzkUA4ezaReIfL0Yd0Nx0mp2Fq fPg7FDk3N8bTg==
In-reply-to: <5c15c963-355c-4f2d-8ab6-c43fff73510b@kai.sx> (anon@kai.sx)
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi Kai,

Any systemd/Linux system connected to the internet with IPv4 is going to be hit with endless bruteforce attempts, not just tor relays (although most tor relays have their IP addresses published online,
meaning attackers find out about such systems sooner).

The solution is to disable password auth and use pubkeys only (so bruteforcing attacks won't succeed until after the universe burns out), too bad most of the bots are incompetently programmed and keep
retrying with a password even if the sshd returns that such auth method is not available.

You still get logspam, but you can stop that with sshguard or fail2ban, note that setting thresholds too low will end up with you blocking yourself.

-- 
Kind Regards, DiffieHellman
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Botnet targeting Tor relays
  - From: anon
- Re: [tor-relays] Botnet targeting Tor relays
  - From: boldsuck via tor-relays

References:
- [tor-relays] Botnet targeting Tor relays
  - From: anon

Prev by Author: Re: [tor-relays] Exit relay not in consensus
Next by Author: Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Previous by thread: Re: [tor-relays] Botnet targeting Tor relays
Next by thread: Re: [tor-relays] Botnet targeting Tor relays
Index(es):
- Author
- Thread