[tor-relays] Botnet targeting Tor relays
Red Oaive
clearly at ivegotyour.pw
Thu Oct 24 16:54:50 UTC 2024
On 2024-10-23 05:27, George Hartley via tor-relays wrote:
> Any advice on this?
How many concurrent exit connections do you have? And how often do you
see bad actors running scanners? It shouldn't be too onerous to rate
limit on --dport 22 globally. This is no worse than blocking 22
outright, and any time you don't have a bad actor a relatively low limit
on --dport 22 would hardly ever even get noticed. How many ssh
connections do your average 100 people open per second? If you
constantly, or even often have a bad actor on, then they will tend to
take up your allowed connection count. But if it's only occasional, it
might be a good compromise.
I'd also make the rule to reject rather than drop. In my experience a
lot of the ssh botnets tend to pout and go away when they get
rejections. Drops just keep them coming back.
For everyone else working on the incoming side, knockd is your friend. I
found this was so much of a better solution than fail2ban.
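The outbound rate-limit-and-reject setup described above, written out as an added example (not code from the thread or from the Tor project). It assumes iptables with the limit, owner and REJECT extensions, and that the Tor daemon runs as the user in TOR_USER (the default "debian-tor" is a Debian packaging convention; adjust it for your system).

```shell
#!/bin/sh
# Added example: rate limit the exit relay's *outbound* SSH connection
# attempts globally, and REJECT (not DROP) anything over the limit.
# Assumption: Tor runs as TOR_USER so only its SYNs are counted and the
# operator's own ssh client on the box is never throttled.
TOR_USER="${TOR_USER:-debian-tor}"

# ssh_limit_rules RATE BURST
# Print the rules as iptables commands. Only new connections (--syn) from
# the Tor daemon to port 22 are counted. Excess attempts get a TCP RST back
# to the local socket, which Tor reports to the client as "connection
# refused" rather than letting it hang on a silent drop.
ssh_limit_rules() {
    rate="$1"   # global rate, e.g. 10/minute (not per destination)
    burst="$2"  # how many attempts may arrive in a quick burst, e.g. 20
    cat <<EOF
iptables -w -N TOR_SSH_OUT
iptables -w -A OUTPUT -p tcp --dport 22 --syn -m owner --uid-owner ${TOR_USER} -j TOR_SSH_OUT
iptables -w -A TOR_SSH_OUT -m limit --limit ${rate} --limit-burst ${burst} -j ACCEPT
iptables -w -A TOR_SSH_OUT -j REJECT --reject-with tcp-reset
EOF
}

# apply_ssh_limit RATE BURST: install the rules (needs root). Safe to
# re-run: an existing TOR_SSH_OUT chain is unhooked and removed first.
apply_ssh_limit() {
    if iptables -w -L TOR_SSH_OUT -n >/dev/null 2>&1; then
        iptables -w -D OUTPUT -p tcp --dport 22 --syn \
            -m owner --uid-owner "${TOR_USER}" -j TOR_SSH_OUT 2>/dev/null || true
        iptables -w -F TOR_SSH_OUT
        iptables -w -X TOR_SSH_OUT
    fi
    ssh_limit_rules "$1" "$2" | sh -e
}

# Uncomment to apply a deliberately low global limit, as the post suggests:
# apply_ssh_limit 10/minute 20
```

Check the counters with `iptables -w -L TOR_SSH_OUT -n -v` to see whether ordinary users ever hit the REJECT rule; if they do, raise the rate or burst.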