
Re: [tor-relays] Botnet targeting Tor relays



On Thursday, 17 October 2024 13:34 DiffieHellman via tor-relays wrote:

> The solution is to disable password auth and use pubkeys only

Yes, SSH key auth should be the minimum requirement.
2FA SSH keys are the way to go.

> You still get logspam, but you can stop that with sshguard or fail2ban, note
> that setting thresholds too low will end up with you blocking yourself.

I think fail2ban for SSH is a total code overhead and child's play¹. You let
attackers connect and then parse the logs afterwards. This can be solved with a
few lines of IP/NF-tables directly at the source. As early as possible,
preferably in table ingress or prerouting before conntrack is active.

¹I no longer take admins who configure fail2ban abuse seriously. I reject this
nonsense.

Most servers only need to be accessed by a few IPs or possibly 1-2 providers.
I only allow 2 ASNs in nftables.
Toralf, Enkidu-6 and I have IP/NF-tables examples on Github.
If something is unclear, please ask.


Nice pictures and very good answer:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-with-nftables


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
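The approach Marco describes above (allow SSH only from the few source prefixes you actually use, and drop everything else before conntrack sees it, with a dynamic set instead of fail2ban's log parsing) as a complete nftables ruleset. This is an added example written for this page, not Marco's, Toralf's or Enkidu-6's published rules. The prefixes 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges used as placeholders, and the 5 SYNs per minute threshold and 1h ban are illustrative values; put in your own provider ranges before loading it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Hooks prerouting at priority
# "raw" (-300), which runs before conntrack (-200): rejected clients never
# get a connection-tracking entry and never reach sshd, so there is nothing
# to log and nothing to parse afterwards.
# All prefixes and thresholds below are placeholders (assumptions).

table inet ssh_guard {
    # Prefixes of the 1-2 providers / ASNs you log in from. Placeholders:
    # replace with your own ranges, and double-check them, because a typo
    # here locks you out until you reach the console.
    set ssh_allow4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
    set ssh_allow6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    # Meters: one entry per source, counting SSH SYNs. Entries expire on
    # their own; no userspace daemon touches these sets.
    set ssh_meter4 {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }
    set ssh_meter6 {
        type ipv6_addr
        size 65535
        flags dynamic, timeout
        timeout 1m
    }

    # Blocklists: sources that exceeded the rate are parked here for 1h.
    set ssh_block4 {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 1h
    }
    set ssh_block6 {
        type ipv6_addr
        size 65535
        flags dynamic, timeout
        timeout 1h
    }

    chain ssh_pre {
        type filter hook prerouting priority raw; policy accept;

        # Already blocked sources are dropped first, whatever port they hit,
        # so a repeat offender costs one set lookup per packet.
        ip saddr @ssh_block4 drop
        ip6 saddr @ssh_block6 drop

        # Only connection attempts (SYN without ACK) to port 22 are examined.
        tcp dport 22 tcp flags & (syn | ack) == syn jump ssh_syn
    }

    chain ssh_syn {
        # Allowed prefixes pass. "accept" here only ends this prerouting
        # chain; the packet still goes through your normal input chain.
        ip saddr @ssh_allow4 accept
        ip6 saddr @ssh_allow6 accept

        # Everyone else: count SYNs per source. Above 5 per minute (burst 5)
        # the source is added to the blocklist for 1h. The rule has no
        # verdict, so evaluation falls through to the unconditional drop.
        add @ssh_meter4 { ip saddr limit rate over 5/minute burst 5 packets } add @ssh_block4 { ip saddr }
        add @ssh_meter6 { ip6 saddr limit rate over 5/minute burst 5 packets } add @ssh_block6 { ip6 saddr }

        # Non-allowlisted SYNs are dropped silently either way: no RST, no
        # sshd log line, no conntrack entry.
        drop
    }
}
```

Check the syntax without applying it with `nft -c -f ssh_guard.nft`, load it with `nft -f ssh_guard.nft` from a session you can afford to lose, and inspect what the meters have caught with `nft list set inet ssh_guard ssh_block4`. Two caveats follow from the quoted warning about thresholds: make sure the address you are connecting from is inside one of the allow sets before loading (a wrong prefix means your own SYNs land in the blocklist for an hour), and note that the meter and block sets are separate on purpose; reusing one set for both would add every source on its first SYN and then drop it on the second. If you cannot pin your logins down to a few prefixes, remove the two allow rules and keep only the meter, which is closer to the dynamic blacklist in the second link above. The same two chains can be attached at `type filter hook ingress device eth0` in a `netdev` table, where conntrack never runs at all, which is the "table ingress" variant Marco mentions.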