[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] SSH login attempts

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] SSH login attempts
From: arisbe <arisbe@xxxxxxx>
Date: Tue, 4 Sep 2018 11:22:27 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 04 Sep 2018 14:22:47 -0400
In-reply-to: <9FAA393D-380B-4C0A-B4AF-76C0EE9E8BAD@mailbox.org>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <9FAA393D-380B-4C0A-B4AF-76C0EE9E8BAD@mailbox.org>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

Hello Marcus,

On an ongoing basis, most of my relays get up to 4000 attempts eachday. It's standard practice I guess! Many, many are from just a few IPaddresses. The rest are just a few per IP address. Occasionally, I willgo beyond the fail2ban "ban" and block an IP address in iptables viaufw. I then unblock that IP address in a week or two. I set fail2banfor long blocks maybe up to 12 hours (43000-seconds).

So, harden your operating system as best you can. SSH works but disablethe password entry, X11, etc. if possible. This is always safe if yourprovider has a dashboard for you to use as a secondary access to theserver. I change my SSH port number but that only slows theprofessionals my minutes or seconds. Remember to change the fail2banSSH port number if you do that. Your host provider should have DDoSprotection for his/her entire plant.


And don't sweat it!  Learn from the experiences.


On 9/4/2018 5:35 AM, Marcus Wahle wrote:

Dear all,

Since 14:00 my logs (middle node) are spamed with around 100 faild ssh login attemps from different ips.
Is there anybody else affected?

Best regards
Marcus
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


--
One person's moral compass is another person's face in the dirt.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] SSH login attempts
  - From: Marcus Wahle

Prev by Author: Re: [tor-relays] Multi node management programs/platforms?
Next by Author: Re: [tor-relays] Help! TOR Relat dead after upgrading Ubuntu to 18.04
Previous by thread: Re: [tor-relays] SSH login attempts
Next by thread: [tor-relays] 9 routing security recommendations for relay operators
Index(es):
- Author
- Thread