[tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Wed Oct 4 06:26:47 UTC 2017


I have set up a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open ports to attack.

If you also take advantage of package updates over Tor (via the local SOCKS5 proxy that any Tor instance provides), the only non-OR incoming traffic you need to allow is an occasional NTP (UDP) time sync, plus ICMP 3/4 (fragmentation required). If you drop everything else, fail2ban becomes unnecessary.

The botnet can still flood the host with SYN requests, ORPort connections, etc., but brute-force attacks on SSH are no longer a risk.

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf Of Fr33d0m4all
Sent: Tuesday, October 3, 2017 11:03 PM
To: tor-relays at lists.torproject.org
Subject: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

Hi,
My Tor middle relay's public IP address is the victim of SSH brute-force connection attempts, and the attack has been going on for two weeks. It’s not a problem: the server that is listening with SSH on the same IP address as my Tor relay blocks the connections and bans the IP addresses (with Fail2Ban), but I just wanted to know if there is some campaign of attacks being carried out against Tor relays. Are you experiencing the same? The attacks are carried out by a botnet, given the large number of different IP addresses that I see in the logs.

Best regards,
   Fr33d0m4All
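
The inbound policy described in the reply at the top of this thread, written out as an nftables ruleset. This is an added example, not configuration posted by either participant. It assumes the ORPort is 9001 and that sshd listens only on 127.0.0.1:22 behind the onion service; the ICMPv6 rule is an addition for dual-stack hosts that the post does not mention.

```nftables
#!/usr/sbin/nft -f
# Constructed example: default-drop inbound policy for a Tor relay that is
# administered over an onion service instead of a public SSH port.
# Assumptions (not from the thread): ORPort 9001, sshd bound to 127.0.0.1:22.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback carries the onion service -> sshd hop and the local
        # SOCKS5 proxy used for package updates over Tor.
        iif "lo" accept

        # Replies to traffic this host initiated: outbound relay
        # connections, package downloads, and NTP answers (UDP 123).
        ct state established,related accept
        ct state invalid drop

        # The relay's ORPort, the only service exposed to the Internet.
        tcp dport 9001 accept

        # ICMP type 3 code 4 (fragmentation required), needed for
        # path MTU discovery.
        icmp type destination-unreachable icmp code 4 accept

        # Assumption beyond the post: on a dual-stack host IPv6 needs
        # Packet Too Big and neighbor discovery to keep working.
        icmpv6 type { packet-too-big, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # No rule for TCP 22: public SSH probes hit the drop policy,
        # so there is nothing left for fail2ban to watch.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it from a console session or with a timed rollback in place, since a wrong ORPort or a broken onion service leaves no public SSH port to fall back on.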