[tor-relays] Botnet targeting Tor relays
boldsuck
lists at for-privacy.net
Thu Oct 17 13:48:07 UTC 2024
On Thursday, 17 October 2024 13:34 DiffieHellman via tor-relays wrote:
> The solution is to disable password auth and use pubkeys only
Yes, SSH key auth should be the minimum requirement.
2FA SSH key's the way to go.
> You still get logspam, but you can stop that with sshguard or fail2ban, note
> that setting thresholds too low will end up with you blocking yourself.
I think fail2ban for SSH is a total code overhead and child's play¹. You let
attackers connect and then parse the logs afterwards. This can be solved with
few lines of IP/NF-tables directly at the source. As early as possible,
preferably in table ingress or prerouting before conntrack is active.
¹I no longer take admins who configure fail2ban abuse seriously. I reject this
nonsense.
Most servers only need to be accessed by a few IPs or possibly 1-2 providers.
I only allow 2 ASNs in nftables.
Toralf, Enkidu-6 and I have IP/NF-tables examples on Github.
If something is unclear, please ask.
Nice pictures and very good answer:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-with-nftables
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
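An nftables ruleset in the spirit of what Marco describes, added here as an illustration and not taken from the post or from the GitHub repositories it mentions: SSH is accepted only from a short allowlist, everything else is dropped in the prerouting hook at raw priority (-300), which runs before conntrack (-200), and an allowed source that hammers port 22 is rate-limited through a dynamic set. All prefixes are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Check syntax without loading: nft -c -f this_file
# Load for real:               nft -f this_file

table inet ssh_guard {
    # Constructed placeholders: put your own management prefixes / ASN ranges here.
    set ssh_allow_v4 {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.10 }
    }
    set ssh_allow_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:1::/48 }
    }

    # Dynamic meter, one entry per source address, used for rate limiting.
    set ssh_meter_v4 {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain ssh_early {
        # "raw" priority = -300: evaluated before conntrack, so unwanted SSH
        # connection attempts never create a conntrack entry or a log line.
        type filter hook prerouting priority raw; policy accept;

        # TCP/22 from any address outside the allowlist: counted and dropped.
        tcp dport 22 ip saddr != @ssh_allow_v4 counter drop
        tcp dport 22 ip6 saddr != @ssh_allow_v6 counter drop

        # Allowed sources are still limited: more than 5 new SSH connections
        # (SYN only) per minute from one address and the surplus is dropped.
        # ct state cannot be used here (no conntrack yet), hence the flag match.
        tcp dport 22 tcp flags syn / fin,syn,rst,ack \
            add @ssh_meter_v4 { ip saddr limit rate over 5/minute } drop
    }
}
```

With `nft list set inet ssh_guard ssh_meter_v4` you can see which addresses are currently being metered; the counters on the two drop rules show how much never reached sshd.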