Nice thread. In my case (Tor exit node):
Output only secure connections;
ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*
Block all output like HTTP and SMTP in my netfilter (GNU/Linux);
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -p tcp -m tcp --dport 110 -j DROP
etc ..
I had problems with port scans originating from my output, even without ExitPolicy accept. Example:
Dear Sir/Madam,
We have detected abuse from the IP address MYIPADDRESS, which according to a whois lookup is on your network. We would appreciate if you would investigate your logs and take action as appropriate.
Log lines are given below, but please ask if you require any further information.
(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)
Regards,
Critical Path, Inc.
Note: Local timezone is +0000 (GMT)

Jan 15 16:03:00 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:07 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:09 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:11 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:14 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:17 65.20.0.47 pop3: Failed password from MYIPADDRESS
Jan 15 17:40:18 65.20.0.47 pop3: Failed password from MYIPADDRESS

****************************** ------------------------- END ------------------------------------
To keep me in a comfort zone, I installed OSSEC. OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Example of my latest incidents:
OSSEC HIDS Notification.
2014 May 23 11:45:44

Received From: darkstar->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
May 23 12:45:44 darkstar kernel: tor: page allocation failure. order:0, mode:0x20
--END OF NOTIFICATION
I'm slowly creating OSSEC rules (regular expressions) for the Tor messages and treating facilities.
On Thu, May 22, 2014 at 2:31 PM, Paul Staroch paulchen@rueckgr.at wrote:
On 2014-05-22 02:23, Contra Band wrote:
# Allow incoming 9050
iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing 9050
iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming 9051
iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing 9051
iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT
Do you actually need remote access to ports 9050 (Socks proxy) and 9051 (control port)? By default, Tor opens these ports on the loopback interface only.
Paul
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
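As an added example (not code from this thread or from the Tor project), a small Python check for the two things the message at the top of this mail turns on: whether a destination port is even permitted by an ExitPolicy like the one posted (first match wins, the way Tor evaluates it), and a per-host, per-service count of the "Failed password" events in an abuse report of the shape quoted there. The report lines are constructed to match that complaint; Tor's "private" keyword and IPv6 patterns are assumed not to be needed and are not handled.

```python
import ipaddress
import re
from collections import Counter

# The exit policy from the post, one rule per line (Tor evaluates them in order).
EXIT_POLICY = """ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:995
ExitPolicy accept *:993
ExitPolicy reject *:*"""

# Constructed sample in the shape of the abuse report quoted in the post.
SAMPLE_REPORT = [
    "Note: Local timezone is +0000 (GMT)",  # non-event lines are ignored
    "Jan 15 16:03:00 65.20.0.47 pop3: Failed password from MYIPADDRESS",
    "Jan 15 17:40:07 65.20.0.47 pop3: Failed password from MYIPADDRESS",
]

def parse_exit_policy(text):
    """Return [(accept, network_or_None, lo_port, hi_port)] in config order."""
    rules = []
    for line in text.splitlines():
        if line.strip().startswith("ExitPolicy "):
            for entry in line.split("ExitPolicy ", 1)[1].split(","):  # comma-separated ok
                action, _, pattern = entry.strip().partition(" ")
                addr, _, ports = pattern.rpartition(":")
                net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
                lo, _, hi = ports.partition("-")
                lo, hi = (1, 65535) if ports == "*" else (int(lo), int(hi or lo))
                rules.append((action == "accept", net, lo, hi))
    return rules

def exit_allowed(rules, address, port):
    """First matching rule wins, which is how Tor evaluates an exit policy."""
    ip = ipaddress.ip_address(address)
    for accept, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    raise ValueError("no catch-all rule; Tor would append its default policy here")

def summarise_failed_logins(log_lines):
    """Count 'Failed password' events per (target host, service) in a report."""
    event = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) (\w+): Failed password from \S+$")
    counts = Counter()
    for line in log_lines:
        m = event.match(line.strip())
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)
```

Against this policy exit_allowed() returns False for port 110 and True for 995, which is the first thing to check when a complaint names a service the policy already rejects.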