[tor-relays] Botnet targeting Tor relays

Red Oaive clearly at ivegotyour.pw
Thu Oct 24 16:54:50 UTC 2024


On 2024-10-23 05:27, George Hartley via tor-relays wrote:
> Any advice on this?

How many concurrent exit connections do you have?  And how often do you 
see bad actors running scanners? It shouldn't be too onerous to rate 
limit on --dport 22 globally.  This is no worse than blocking 22 
outright, and any time you don't have a bad actor a relatively low limit 
on --dport 22 would hardly ever even get noticed.  How many ssh 
connections do your average 100 people open per second?  If you 
constantly, or even often have a bad actor on, then they will tend to 
take up your allowed connection count.  But if it's only occasional, it 
might be a good compromise.

I'd also make the rule to reject rather than drop.  In my experience a 
lot of the ssh botnets tend to pout and go away when they get 
rejections.  Drops just keep them coming back.


For everyone else working on the incoming side, knockd is your friend.  I 
found this was so much of a better solution than fail2ban.
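The outbound "--dport 22" rate limit with REJECT that the reply above recommends, written out as an added example (not from the post or the list). It assumes iptables/ip6tables with the limit, conntrack, LOG and REJECT extensions, and that the relay's own administrative SSH arrives inbound (INPUT), so OUTPUT --dport 22 only matters for connections the relay itself opens, i.e. exit traffic.

```shell
#!/bin/sh
# Added example: rate-limit NEW outbound SSH connections leaving an exit relay
# and REJECT (tcp-reset) the excess instead of silently dropping it.
# SSH_LIMIT / SSH_BURST are assumed tunables; pick them from your own
# baseline of legitimate exit SSH traffic.

LIMIT="${SSH_LIMIT:-10/second}"   # sustained rate of new outbound SSH conns
BURST="${SSH_BURST:-30}"          # burst allowance before the limit bites
CHAIN="TOR_SSH_LIMIT"             # dedicated chain, easy to flush/inspect

# Emit the rules for one binary (iptables or ip6tables) as text so the set
# can be reviewed or diffed before it is applied.
ssh_limit_rules() {
  ipt="$1"
  cat <<EOF
$ipt -N $CHAIN
$ipt -A $CHAIN -m limit --limit $LIMIT --limit-burst $BURST -j RETURN
$ipt -A $CHAIN -m limit --limit 1/minute -j LOG --log-prefix "tor-ssh-limit: "
$ipt -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset
$ipt -I OUTPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Apply for both address families; with DRY_RUN=1 only print the commands.
apply_ssh_limit() {
  for ipt in iptables ip6tables; do
    ssh_limit_rules "$ipt" | while read -r cmd; do
      if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
  done
}

# Usage: ./ssh_limit.sh        -> print the rules (dry run)
#        ./ssh_limit.sh apply  -> install them (needs root)
case "${1:-}" in
  apply) apply_ssh_limit ;;
  *)     DRY_RUN=1 apply_ssh_limit ;;
esac
```

Within the chain, connections under the limit RETURN to OUTPUT and are accepted as usual; only the overflow is logged (itself rate-limited) and reset, which is the "reject rather than drop" behaviour the reply describes.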

