[tor-relays] Botnet targeting Tor relays

boldsuck lists at for-privacy.net
Thu Oct 17 13:48:07 UTC 2024


On Thursday, 17 October 2024 13:34 DiffieHellman via tor-relays wrote:

> The solution is to disable password auth and use pubkeys only

Yes, SSH key auth should be the minimum requirement.
2FA SSH key's the way to go.

> You still get logspam, but you can stop that with sshguard or fail2ban, note
> that setting thresholds too low will end up with you blocking yourself.

I think fail2ban for SSH is a total code overhead and child's play¹. You let
attackers connect and then parse the logs afterwards. This can be solved with a
few lines of IP/NF-tables directly at the source. As early as possible,
preferably in table ingress or prerouting before conntrack is active.

¹I no longer take admins who configure fail2ban abuse seriously. I reject this
nonsense.

Most servers only need to be accessed by a few IPs or possibly 1-2 providers.
I only allow 2 ASNs in nftables.
Toralf, Enkidu-6 and I have IP/NF-tables examples on Github.
If something is unclear, please ask.


Nice pictures and very good answer:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
https://unix.stackexchange.com/questions/581964/create-dynamic-blacklist-with-nftables


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
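As an added illustration of the approach described in the message above (an SSH allowlist enforced in the prerouting hook before conntrack, plus a dynamic blacklist), here is an nftables ruleset. It is an example written for this page, not code from the post or from the GitHub repositories it mentions. The allowed prefixes are constructed documentation ranges standing in for the announced prefixes of the two permitted ASNs; the set names, the 1h/1m timeouts and the rate limit are assumptions chosen for the example, and IPv6 is left out for brevity.

```nftables
#!/usr/sbin/nft -f
# Added example: gate SSH at prerouting (priority raw = -300), i.e. before the
# conntrack hook (-200), so rejected SYNs never create a conntrack entry and
# never reach sshd or its logs. Load with: nft -f ssh_guard.nft

table inet ssh_guard {
    # Constructed sample prefixes (RFC 5737 documentation ranges). In practice
    # fill this set with the prefixes of the ASNs/IPs you administer from;
    # forgetting your own source here locks you out.
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 203.0.113.0/24 }
    }

    # Dynamic blacklist: entries are added by the rules below and expire on
    # their own, so no log parsing or cron job is needed.
    set ssh_block {
        type ipv4_addr
        flags dynamic, timeout
        size 65535
        timeout 1h
    }

    # Per-source SYN meter used by the rate-limit variant.
    set ssh_meter {
        type ipv4_addr
        flags dynamic, timeout
        size 65535
        timeout 1m
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # 1. Anything already blacklisted is dropped on port 22 immediately.
        tcp dport 22 ip saddr @ssh_block counter drop

        # 2. Permitted sources are accepted here; later chains still apply.
        tcp dport 22 ip saddr @ssh_allow accept

        # 3. Strict variant (the stance in the post): every other SYN to port 22
        #    blacklists its source for 1h and is dropped. conntrack has not run
        #    yet at this priority, so match on TCP flags instead of ct state.
        tcp dport 22 tcp flags & (syn | ack) == syn \
            add @ssh_block { ip saddr } counter drop

        # 4. Softer variant for hosts that cannot allowlist: comment out rule 3
        #    and use this instead. A source exceeding 3 new SYNs per minute is
        #    blacklisted; below that threshold it is let through.
        # tcp dport 22 tcp flags & (syn | ack) == syn \
        #     add @ssh_meter { ip saddr limit rate over 3/minute burst 3 packets } \
        #     add @ssh_block { ip saddr } counter drop
    }
}
```

Inspect who is currently being held off with `nft list set inet ssh_guard ssh_block`; the `counter` on the drop rules shows how much traffic never reached sshd. If you want this even earlier, the same rules can live in a `netdev` table with `hook ingress device <ifname>`, which runs before the IP layer sees the packet but has to be declared per interface.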
