Greetings community,
Over the last eight weeks a Tor exit that I operate has attracted more and more abuse reports, and the VPS data centre is starting to lose patience with the number of tickets they open for each incident.
Almost all of the abuse reports relate to attempts to access WordPress blogs by exploiting wp-admin or other scripts, and the servers are protected by bitninja, abusix, spamcop etc. to automatically send abuse complaints. I am now receiving an average of 2-3 per week.
I have two questions. First question - is everyone getting this high amount of WordPress-related attacks from exits? Second - are there recommended steps to take to reduce or prevent this kind of activity?
Things I have tried so far:
- run exit on reduced policy (obviously not going to have an impact on abuse traffic but did make the data centre people happy for a while)
- full security check on VPS including tripwire, clamav, lastcomm etc. to assure provider that the VPS is not compromised
- Tor port on server has website running explaining that this is a Tor exit and linking to more information
- I have offered to work with ISP to change WHOIS to my email address, but they do not seem keen on it (some blacklists that the server is added to will also block the /16 of the IP range)
- Block offended host on the firewall (as a last resort)
Thanks for any suggestions
Spiros
On 16 Sep 2015, at 05:42, spiros_spiros@freemail.gr wrote:
- Block offended host on the firewall (as a last resort)
It’s best if you block the offended hosts in the exit policy. That way, clients won’t even connect to your exit if they want to get to that address.
Use lines like:
ExitPolicy reject 1.2.3.4:80
ExitPolicy reject6 [2003::1]:443
before any lines that allow that port - right at the start of the exit policy is best.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
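The ordering rule Tim describes, as an added example that is not part of the thread: a small Python model of Tor's first-match ExitPolicy evaluation. It takes his two reject lines plus constructed accept lines, and its shadowed_rejects() helper flags reject rules that an earlier accept line already covers. It follows the syntax in tor's manual (accept/reject and their 6 variants, * wildcards, port ranges) but is a simplified model written here, not tor's own parser.

```python
"""First-match model of Tor's ExitPolicy: a reject after a matching accept never fires."""
import ipaddress

V4_ANY, V6_ANY = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")

# Constructed sample policies: identical rules, rejects first (as recommended) vs last.
GOOD = ["ExitPolicy reject 1.2.3.4:80", "ExitPolicy reject6 [2003::1]:443",
        "ExitPolicy accept *:80, accept *:443"]
BAD = ["ExitPolicy accept *:80, accept *:443",
       "ExitPolicy reject 1.2.3.4:80", "ExitPolicy reject6 [2003::1]:443"]

def parse_policy(lines):
    """Turn 'ExitPolicy ...' torrc lines into (action, networks, lo_port, hi_port) rules."""
    rules = []
    for line in lines:
        for entry in line.split(None, 1)[1].split(","):    # drop the ExitPolicy keyword
            action, addr_port = entry.split()
            host, _, port = addr_port.rpartition(":")
            host = host.strip("[]")                         # IPv6 literal: [2003::1]:443
            if host == "*":   # bare * covers both families; accept6/reject6 * is IPv6-only
                nets = [V6_ANY] if action.endswith("6") else [V4_ANY, V6_ANY]
            else:
                nets = [ipaddress.ip_network(host, strict=False)]
            if port == "*":
                lo, hi = 1, 65535
            elif "-" in port:
                lo, hi = map(int, port.split("-"))
            else:
                lo = hi = int(port)
            rules.append((action.rstrip("6"), nets, lo, hi))
    return rules

def decide(rules, dest_ip, dest_port):
    """Action for one destination; Tor's implicit trailing default is 'reject *:*'."""
    ip = ipaddress.ip_address(dest_ip)
    for action, nets, lo, hi in rules:
        if lo <= dest_port <= hi and any(ip in n for n in nets):
            return action
    return "reject"

def shadowed_rejects(rules):
    """Indexes of reject rules that an earlier accept already covers, fully or partly."""
    hits = []
    for i, (action, nets, lo, hi) in enumerate(rules):
        for p_action, p_nets, p_lo, p_hi in rules[:i]:
            if (action == "reject" and p_action == "accept" and lo <= p_hi
                    and p_lo <= hi and any(n.overlaps(p) for n in nets for p in p_nets)):
                hits.append(i)
                break
    return hits
```

Running shadowed_rejects(parse_policy(BAD)) reports both reject rules as shadowed, while the same rules in GOOD order reject 1.2.3.4:80 and [2003::1]:443 as intended.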
Hello Spiros, in my opinion there is no real solution to this other than blocking the IPs in your exit policy, but that won't help these server operators, because the "hacker" will just exit via another exit node.
I guess there is no solution to this; just ask your hosting company to forward the abuse emails directly to you. I usually send them a reply similar to this:
//Beginning
Hello, according to your abuse message there were attempts to access a resource on your servers coming from our IP (w.x.y.z).
This machine (w.x.y.z) is a Tor exit node, which, as part of its normal operation, proxies traffic for other hosts on the Internet. By design, it is impossible for me to identify those other hosts or communicate with their operators.
It is one of those other hosts that tried to access the resource on your server.
I have the ability to disable proxying to specific IP address ranges and specific TCP ports, but this should be considered a last resort tactic. It does not actually prevent anyone from using Tor to send spam to a certain server or access a certain server or whatever; the traffic will just move to another exit node. Access as described by you cannot be prevented with such measures.
I'm happy to work with you to minimize the impact on your service or on your network. I hope you will consider allowing our relay/node to remain in operation, as it is extremely valuable for people who need to conceal their identities online, especially in countries where access to the Internet is restricted. For more information please see https://www.torproject.org/about/overview.html#overview
//End
However, the main thing I wanted to pass on is the standard text I use; feel free to copy and use it.
greetings yl
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 16/09/15 08:36, butary@gmx.de wrote:
Hey, I also had a lot of problems with my ISP concerning abuse reports. They shut down my exit relays several times. I got a last chance before they give notice on the contract. So I decided to go a controversial way - I installed an IDS/IPS + strong firewall rules.
Hi ButAry,
Can you elaborate on this, what did you install exactly, how did you configure it, ...
Chris
The log file contains a huge amount of rejected traffic. Most of the time, botnet traffic and shortly rising WordPress attacks. I'm not happy with my decision but it smoothed my ISP because they received fewer abuse reports. If someone has a more elegant solution, please advise me.
Regards, ButAry
Sent: Tuesday, 15 September 2015 at 19:42
From: spiros_spiros@freemail.gr
To: tor-relays@lists.torproject.org
Subject: [tor-relays] Preventing wp-admin related abuse report
On Tue, Sep 15, 2015 at 22:36:27 +0200, butary@gmx.de wrote:
So I decided to go a controversial way - I installed an IDS/IPS + strong firewall rules. The log file contains a huge amount of rejected traffic. Most of the time, botnet traffic and shortly rising WordPress attacks.
I'm not happy with my decision but it smoothed my ISP because they received fewer abuse reports.
You log traffic and block addresses with a firewall based on what the IDS/IPS considers bad? Please stop and consider running a middle relay or bridge instead of logging and breaking connections for clients.
If someone has a more elegant solution, please advise me.
Try to educate or change ISP. Exits can unfortunately not be operated from all networks.
Exit operators could try to maintain an (incomplete) list of addresses that often cause complaints for traffic from exits. They could choose to block them using torrc. It might help a little with the ISP if the complaints do not come repeatedly from the same source. But traffic would move to fewer exits and they would get more complaints. This is probably a bad idea and not a solution. Worse than not running an exit to some destinations from that network? I do not know.
Regards, Johan
On 09/15/2015 10:36 PM, butary@gmx.de wrote:
So I decided to go a controversial way - I installed an IDS/IPS + strong firewall rules.
Great cinema, this violates point "3." of http://www.gesetze-im-internet.de/tmg/__8.html
-- Toralf, pgp key: 872AE508 0076E94E
On 16/09/15 07:42, spiros_spiros@freemail.gr wrote:
Greetings community,
Over the last eight weeks a Tor exit that I operate has attracted more and more abuse reports, and the VPS data centre is starting to lose patience with the number of tickets they open for each incident.
Almost all of the abuse reports relate to attempts to access WordPress blogs by exploiting wp-admin or other scripts, and the servers are protected by bitninja, abusix, spamcop etc. to automatically send abuse complaints. I am now receiving an average of 2-3 per week.
I have two questions. First question - is everyone getting this high amount of WordPress-related attacks from exits? Second - are there recommended steps to take to reduce or prevent this kind of activity?
Hi,
I had 2 similar abuse reports this month so far - and countless ssh scan complaints until I decided to block port 22. :(
Chris
On 09/15/2015 09:42 PM, spiros_spiros@freemail.gr wrote:
I am now receiving average of 2-3 per week.
Got about a dozen after I opened port 80 for a day or so. Had to close that port again.
-- Toralf, pgp key: 872AE508 0076E94E