On Wed, 31 Jul 2013 14:48:05 -0400 Steve Snyder swsnyder@snydernet.net allegedly wrote:
> I wouldn't have thought that the Tor network was fast enough for port scanning, but apparently it is. I have recently seen a rash of SSH port scanning (or so my ISP reports). What can/should I do about this?
I'm not sure exactly what you are saying here.
1. Do you mean that the scans (directed at you) all came from tor exit nodes?
2. Or do you mean that your tor node was scanned from elsewhere?
3. Or do you mean that your tor exit node was used in port scanning someone else?
> I know I can limit the rate of connections using iptables. What's the consensus on this? Is this considered advisable, or a breach of expected exit node behavior?
If you are an exit node and you allow connection to port 22, and you are being used to scan others (3 above) then I would say it would be inadvisable to interfere with that connection. Better to be explicit in your exit policy by denying exit to port 22. Of course that simply moves the problem to some other exit node, but your ISP will stop complaining (which may be what you need).
> Do I have any options other than iptables to restrict the rate of port 22 connection attempts?
I find that there is a huge drop in ssh scanning activity if the daemon is simply moved to a non-standard port. So if the problem is 1 or 2 above, a simple sshd reconfig may help.
HTH
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------