hi,
I'm operating a tor exit with a relatively high bandwidth rate for more than 3 years.
My ISP receives more and more abuse tickets about my server regarding netscans. These netscans are executed with dest. port 80 so I'm not able to block them easily.
Any idea how to prevent netscans using my exit node? Below you find an extract of such an abuse mail.
Thanks a lot! ValiDOM
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41518 => 46.20.92.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41545 => 46.20.92.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41575 => 46.20.92.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45219 => 59.192.63.xx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45218 => 59.192.63.xx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45217 => 59.192.63.xx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 42460 => 59.203.179.x 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 42517 => 59.203.179.x 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 42569 => 59.203.179.x 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 57564 => 59.211.15.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 57596 => 59.211.15.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 57631 => 59.211.15.xxx 80
Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 58022 => 59.228.86.xxx 80
Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 58046 => 59.228.86.xxx 80
Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 58081 => 59.228.86.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 37123 => 64.238.74.xx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 37178 => 64.238.74.xx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41003 => 65.20.53.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45785 => 65.186.130.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45850 => 65.186.130.xxx 80
Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45907 => 65.186.130.xxx 80
Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 60607 => 66.87.185.xxx 80
Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 60611 => 66.87.185.xxx 80
Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 60613 => 66.87.185.xxx 80
Wed Nov 18 12:55:14 2015 TCP 88.198.14xxx 52693 => 69.191.200.xxx 80
Wed Nov 18 12:55:14 2015 TCP 88.198.14xxx 52740 => 69.191.200.xxx 80
Wed Nov 18 12:55:14 2015 TCP 88.198.14xxx 52783 => 69.191.200.xxx 80
Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 35453 => 71.54.215.xx 80
Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 35464 => 71.54.215.xx 80
Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 39263 => 101.249.145.xxx 80
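What the ISP's report shows is the signature of a horizontal scan: one source reaching many different destination /24s on the same port within a few seconds. An operator who wants to verify such a report (or to watch for the pattern in their own flow logs) can recognise it the same way. The following is an added example written for this thread, not code from the original mail or from Tor; it parses lines in the report's format, tolerates the masked octets ("59.203.179.x"), and flags a (source, port) pair that reaches at least 10 distinct destination /24s inside a 60-second window. The sample input reuses 13 entries from the report above plus three constructed entries (203.0.113.9, RFC 5737 documentation addresses) for an ordinary client pattern that must not be flagged; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Entry format of the abuse report quoted above:
#   Wed Nov 18 12:55:26 2015 TCP <src ip> <src port> => <dst ip> <dst port>
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proto>\w+) (?P<src>\S+) (?P<sport>\d+) => (?P<dst>\S+) (?P<dport>\d+)$"
)

def unmask(addr):
    """The report masks the last octet(s) ('59.203.179.x'); substitute 0 so the
    address still parses. Grouping is per /24, so the lost octet does not matter."""
    return re.sub(r"x+", "0", addr)

def parse_entry(line):
    """Return one report entry as a dict, or None if the line is not in the expected shape."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "proto": m["proto"],
        "src": m["src"],  # kept verbatim: the source is masked too ('88.198.14xxx')
        "dst_net": ip_network(unmask(m["dst"]) + "/24", strict=False),
        "dport": int(m["dport"]),
    }

def find_scanners(lines, window_seconds=60, min_distinct_nets=10):
    """Flag (src, dport) pairs that reach >= min_distinct_nets different destination /24s
    within any window_seconds span. Returns {(src, dport): max distinct /24s in one window}."""
    events = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e and e["proto"] == "TCP":
            events[(e["src"], e["dport"])].append((e["ts"], e["dst_net"]))
    alerts = {}
    for key, evs in events.items():
        evs.sort(key=lambda ev: ev[0])
        best = 0
        for i, (start, _) in enumerate(evs):
            nets = set()
            for ts, net in evs[i:]:  # sliding window anchored at each event
                if (ts - start).total_seconds() > window_seconds:
                    break
                nets.add(net)
            best = max(best, len(nets))
        if best >= min_distinct_nets:
            alerts[key] = best
    return alerts

# Sample input: 13 entries from the report above (12 distinct /24s, all port 80, within
# 15 seconds) plus 3 constructed entries for a client talking to two /24s on port 443.
SAMPLE_REPORT = [
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41518 => 46.20.92.xxx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41545 => 46.20.92.xxx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45219 => 59.192.63.xx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 42460 => 59.203.179.x 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 57564 => 59.211.15.xxx 80",
    "Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 58022 => 59.228.86.xxx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 37123 => 64.238.74.xx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 41003 => 65.20.53.xxx 80",
    "Wed Nov 18 12:55:26 2015 TCP 88.198.14xxx 45785 => 65.186.130.xxx 80",
    "Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 60607 => 66.87.185.xxx 80",
    "Wed Nov 18 12:55:14 2015 TCP 88.198.14xxx 52693 => 69.191.200.xxx 80",
    "Wed Nov 18 12:55:27 2015 TCP 88.198.14xxx 35453 => 71.54.215.xx 80",
    "Wed Nov 18 12:55:12 2015 TCP 88.198.14xxx 39263 => 101.249.145.xxx 80",
    "Wed Nov 18 12:55:20 2015 TCP 203.0.113.9 51000 => 192.0.2.10 443",   # constructed
    "Wed Nov 18 12:55:21 2015 TCP 203.0.113.9 51001 => 192.0.2.11 443",   # constructed
    "Wed Nov 18 12:55:22 2015 TCP 203.0.113.9 51002 => 198.51.100.5 443", # constructed
]

if __name__ == "__main__":
    for (src, dport), n in find_scanners(SAMPLE_REPORT).items():
        print(f"{src} reached {n} distinct /24s on port {dport} within 60 s")
```

Counting distinct destination /24s rather than raw connections is what separates this from a busy but legitimate exit: a popular web site receives many connections from one exit, but they land in one or two /24s. The same grouping key (destination /24) is what the hashlimit rule later in this thread rate-limits.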
Hi,
First rule is to use some firewall, 2nd is to disable that port for a few days. You will not lose the exit flag because of this, it will just give you time to learn more about how to secure your node. A few friends are using FirewallBuilder to learn how to build their firewall system, maybe you can start with that as well (http://www.fwbuilder.org/). Check and learn about flood attacks and using iptables to block them. Good luck, maybe other node admins will have a better solution for your case.
On 25 November 2015 at 23:21, Roland 'ValiDOM' Jungnickel < vali2015@validom.de> wrote:
> hi,
> I'm operating a tor exit with a relatively high bandwidth rate for more than 3 years.
> My ISP receives more and more abuse tickets about my server regarding netscans. These netscans are executed with dest. port 80 so I'm not able to block them easily.
> Any idea how to prevent netscans using my exit node? Below you find an extract of such an abuse mail.
> Thanks a lot! ValiDOM
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi Roland,
On 26 Nov 2015, at 14:50, ZEROF security@netmajstor.com wrote:
> Hi,
> First rule is to use some firewall, 2nd is to disable that port for a few days. You will not lose the exit flag because of this
To retain the exit flag, you need to allow exiting on at least two of 80, 443, 6667, to at least a /8 IPv4 netblock.
So if you disable port 80, please consider checking you have port 6667 enabled.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
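The criterion Tim states (at least two of ports 80, 443 and 6667 exitable to at least one full IPv4 /8) is easy to get wrong by hand once a policy mixes port rules with netblock rejects. The following is an added example for this thread, not Tor's own code and not from the original mails: it parses torrc-style ExitPolicy lines (IPv4 accept/reject only; accept6/reject6 are not handled), applies first-match semantics, and reports which of the three ports still have a fully accepted /8 and whether the flag criterion holds. The policy is assumed to be complete, i.e. to end in a catch-all such as `reject *:*`; anything no rule matches is treated as rejected. The sample policies are constructed.

```python
from ipaddress import IPv4Network

GENERAL_EXIT_PORTS = (80, 443, 6667)

def parse_policy(lines):
    """Parse ExitPolicy entries ('accept *:80', 'reject 10.0.0.0/8:*', 'accept *:6660-6669')
    into ordered (accept, network, (low_port, high_port)) tuples. IPv4 only."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in policy line: {raw!r}")
        addr, port = target.rsplit(":", 1)
        net = IPv4Network("0.0.0.0/0") if addr == "*" else IPv4Network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action == "accept", net, (lo, hi)))
    return rules

def slash8_fully_accepted(rules, port):
    """Return the leading octet of the first /8 on which every address may exit to `port`
    under first-match semantics, or None if no such /8 exists."""
    for octet in range(256):
        remaining = [IPv4Network(f"{octet}.0.0.0/8")]  # address space not yet decided
        rejected = False
        for accept, net, (lo, hi) in rules:
            if not lo <= port <= hi:
                continue
            undecided = []
            for piece in remaining:
                if piece.subnet_of(net):        # rule decides the whole piece
                    if not accept:
                        rejected = True
                elif net.subnet_of(piece):      # rule decides part of the piece
                    if not accept:
                        rejected = True
                    undecided.extend(piece.address_exclude(net))
                else:                           # disjoint: piece stays undecided
                    undecided.append(piece)
            remaining = undecided
            if rejected or not remaining:
                break
        if not rejected and not remaining:
            return octet
    return None

def retains_exit_flag(rules):
    """Tim's criterion: at least two of 80, 443, 6667 must exit to at least one full /8.
    Returns (ok, list of those ports that qualify)."""
    ports = [p for p in GENERAL_EXIT_PORTS if slash8_fully_accepted(rules, p) is not None]
    return len(ports) >= 2, ports

# Constructed policies (assumptions for this example, not from the thread).
POLICY_WEB_AND_IRC = ["accept *:80", "accept *:443", "accept *:6667", "reject *:*"]
# Port 80 closed in the policy, IRC still open: the flag is retained.
POLICY_NO_80 = ["reject *:80", "accept *:443", "accept *:6667", "reject *:*"]
# Port 80 closed and 6667 never opened: only 443 is left, the flag is lost.
POLICY_443_ONLY = ["reject *:80", "accept *:443", "reject *:*"]
# Rejecting private space first costs nothing: every other /8 is still fully accepted.
POLICY_PRIVATE_REJECTS = ["reject 10.0.0.0/8:*", "reject 192.168.0.0/16:*",
                          "accept *:80", "accept *:443", "reject *:*"]

if __name__ == "__main__":
    for name, policy in [("web+irc", POLICY_WEB_AND_IRC), ("no 80", POLICY_NO_80),
                         ("443 only", POLICY_443_ONLY), ("private rejects", POLICY_PRIVATE_REJECTS)]:
        ok, ports = retains_exit_flag(parse_policy(policy))
        print(f"{name}: exit flag {'retained' if ok else 'lost'} (qualifying ports: {ports})")
```

Note that accepting a port only towards a smaller block (say a /16) does not count: the /8 containing it is then partly decided by the catch-all reject, so `slash8_fully_accepted` returns None for that port.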
> First rule is to use some firewall
No it is not, do not do this. An exit needs to pass the traffic that its exitpolicy says it will pass. Otherwise bad things happen with circuit construction and your exit gets badmouthed by users possibly to the point of being banned. If you can't provide an exitpolicy that works as written, then don't provide it.
Am 28.11.2015 um 10:20 schrieb grarpamp:
> First rule is to use some firewall
> No it is not, do not do this. An exit needs to pass the traffic that its exitpolicy says it will pass. Otherwise bad things happen with circuit construction and your exit gets badmouthed by users possibly to the point of being banned. If you can't provide an exitpolicy that works as written, then don't provide it.
Unfortunately, I had to do so. The below firewall rule was active for approx one month. During this time, exit-traffic did not decrease nor did I recognise any other negative effect. During this time, I got no new issues with my ISP. Last week, after some patches I rebooted the server and forgot to apply the rules again. Within 3 days, my ISP blocked the server once more because of netscan abuse....
So to say... these rules work. But most probably somebody with more iptables experience might adjust them to be even more effective AND less "problematic".
# Rate-limit NEW outbound connections from the exit (chain ONEW = "output, new").
iptables -N ONEW
iptables -A ONEW -o lo -j ACCEPT
# DNS and UDP/80: at most 2 new flows per second, burst of 5
iptables -A ONEW -p udp --dport 53 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
iptables -A ONEW -p udp --dport 80 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
# Everything else: at most 1 new connection per second towards each destination /24
iptables -A ONEW -m hashlimit --hashlimit-upto 1/second --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name ONEW -j ACCEPT
iptables -A ONEW -m limit --limit 1/sec -j LOG --log-prefix "REJECTED: "
iptables -A ONEW -j REJECT --reject-with icmp-admin-prohibited
# The posted rules do not show how ONEW is reached; this hook (not in the original mail) sends new outbound connections through it:
iptables -A OUTPUT -m conntrack --ctstate NEW -j ONEW
Thx Vali
On 02/07/2016 09:17 PM, Roland 'ValiDOM' Jungnickel wrote:
> So to say... these rules work. But most probably somebody with more iptables experience might adjust them to be even more effective AND less "problematic".
Again - it is problematic in Germany *and* you fool the Tor directory authorities. Don't run an exit if you can't run an exit.
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
Am 07.02.2016 um 21:47 schrieb Toralf Förster:
> On 02/07/2016 09:17 PM, Roland 'ValiDOM' Jungnickel wrote:
>> So to say... these rules work. But most probably somebody with more iptables experience might adjust them to be even more effective AND less "problematic".
> Again - it is problematic in Germany *and* you fool the Tor directory authorities. Don't run an exit if you can't run an exit.
Thanks Toralf for your reply.
Regarding §8 TMG in Germany - yes, there is a risk. Honestly, I fight for this rule to apply to free Wifi providers (also to people just running one access point) and Tor exit nodes. There is a current court case about free Wifi at the European Court of Justice (ECJ) that I initiated and do fund-raising, public relations and so on for (C-484/14). An Advocate General will publish his opinion on the case this April.
In other words... §8 TMG and its limits are well known to me. So why did I still apply the firewall rule to the exit? If you read the iptables rules I adopted carefully, you see that I do not select source or target. I limit new connections based on a time value. In my humble opinion this is like using a small uplink, but not violating §8 TMG.
And - what would be the alternative? Find an ISP which accepts (or just does not recognise) massive netscans? Might be an option. But as of my current and past understanding, a netscan is not "normal" network usage. It is abuse. As long as the Tor daemon does not offer functionality to avoid such abuse, the only way to deal with it is a firewall rule. This should answer your second objection about fooling the Tor directory. I just do not care if netscans over Tor do not work properly ;)
Vali
On 11/26/2015 04:50 AM, ZEROF wrote:
> First rule is to use some firewall,
No.
At least for German exits you'll violate http://www.gesetze-im-internet.de/tmg/__8.html in that case.
For more information go to https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines .
-- Toralf, pgp: C4EACDDE 0076E94E
Am 28.11.2015 um 10:42 schrieb Toralf Förster:
> At least for German exits you'll violate http://www.gesetze-im-internet.de/tmg/__8.html in that case.
(that's a rule for internet service providers; the rule sets them free from any accountability for the traffic they pass through in case they comply with some rules, e.g. that they do not "select" the traffic...)
nice try ;) If that were true, limiting an exit to certain ports would also violate that?
Vali
On Sat, 28 Nov 2015 15:12:00 +0000, Roland 'ValiDOM' Jungnickel wrote: ...
> nice try ;) If that were true, limiting an exit to certain ports would also violate that?
No. Firewalling creates a difference between what you announce to do and what you actually do. Exit policy does not.
Andreas