Re: [tor-relays] Botnet targeting Tor relays

Hi DiffieHellman,

> The solution is to disable password auth and use pubkeys only (so bruteforcing attacks won't succeed until after the universe burns out), too bad most of the bots are incompetently programmed and keep retrying with a password even if the sshd returns that such auth method is not available.
>
> You still get logspam, but you can stop that with sshguard or fail2ban, note that setting thresholds too low will end up with you blocking yourself.

Don't worry, such measures have been implemented. Therefore, the attacks will not be successful.

I only notice that the other servers (which are also kind of well-known out there) only receive a few attacks per day, while the Tor nodes receive well over a hundred each (would be significantly more w/o fail2ban).

So I was wondering whether a botnet is currently targeting Tor nodes in particular.

Best,
  Kai.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
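
An added example, not part of the thread: one way to put numbers on the per-host comparison described above and on the caveat about thresholds that lock out the operator. It counts failed SSH connections per day from sshd syslog lines and lists sources at or over a retry threshold, skipping an allowlist. The log lines are constructed, and the function names, `max_retry` and `allowlist` are assumptions of this sketch.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar  3 02:11:07 relay1 sshd[811]: Invalid user admin from 203.0.113.5 port 40112
Mar  3 02:11:07 relay1 sshd[811]: Connection closed by invalid user admin 203.0.113.5 port 40112 [preauth]
Mar  3 02:11:09 relay1 sshd[815]: Connection closed by authenticating user root 203.0.113.5 port 40150 [preauth]
Mar  3 02:11:12 relay1 sshd[819]: Invalid user test from 203.0.113.5 port 40188
Mar  3 07:30:41 relay1 sshd[902]: Connection closed by authenticating user operator 198.51.100.7 port 50022 [preauth]
Mar  3 07:30:55 relay1 sshd[903]: Connection closed by authenticating user operator 198.51.100.7 port 50026 [preauth]
Mar  3 07:31:02 relay1 sshd[905]: Accepted publickey for operator from 198.51.100.7 port 50030 ssh2
Mar  4 11:02:13 relay1 sshd[1200]: Failed password for root from 192.0.2.44 port 33100 ssh2
"""

# Pre-auth failure messages; pubkey-only hosts mostly log the "[preauth]" forms.
EVENT = re.compile(
    r"^(?P<day>\w{3}\s+\d+) [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from"
    r"|Invalid user \S* from"
    r"|(?:Connection closed by|Disconnected from) (?:authenticating|invalid) user \S+)"
    r" (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def failed_connections(log_text):
    """Return {(day, pid): ip}. One sshd child pid is one connection, so a
    connection that logs several failure lines is counted once."""
    seen = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            day = " ".join(m["day"].split())  # "Mar  3" -> "Mar 3"
            seen.setdefault((day, m["pid"]), m["ip"])
    return seen

def per_day(log_text):
    """Failed connections per day, the figure to compare between hosts."""
    return Counter(day for day, _pid in failed_connections(log_text))

def over_threshold(log_text, max_retry, allowlist=()):
    """Sources with at least max_retry failed connections, minus allowlisted
    addresses (the operator's own, so a low threshold cannot lock them out)."""
    per_ip = Counter(failed_connections(log_text).values())
    return sorted(ip for ip, n in per_ip.items()
                  if n >= max_retry and ip not in allowlist)

if __name__ == "__main__":
    print(dict(per_day(SAMPLE_LOG)))
    print(over_threshold(SAMPLE_LOG, 2, allowlist={"198.51.100.7"}))
```

With a threshold of 2 and no allowlist, the operator's own address (two failed logins before a successful one) would be listed alongside the scanning source.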

> I only notice that the other servers (which are also kind of well-known out there) only receive a few attacks per day, while the Tor nodes receive well over a hundred each (would be significantly more w/o fail2ban).
>
> So I was wondering whether a botnet is currently targeting Tor nodes in particular.

Security researchers use lists of known public Tor nodes for legitimate testing purposes all the time. I remember seeing a few people on Tor mailing lists scan the network for open CUPS ports when that vulnerability first came out. If legitimate folk are already scanning relays, it’d make sense that malicious threat-actors would follow suit. Reiterating what others have said before, the best way to avoid this sort of thing is to not expose SSH or non-relay services at all.
