Hi Rafo,

My apologies for the late reply to your request for the code on banning tor exits into GUARDS or middle-relays:

```sh
rm …/…/etc/cron.d/updateSSHkey

# Daily cron jobs: fetch the Tor bulk exit list, turn each address into a
# ufw DROP rule, insert the rules into before.rules, then delete the list.
echo "0 0 * * * root wget -P /root/scriptsremote/ https://check.torproject.org/torbulkexitlist" > …/…/etc/cron.d/blacklistTORexits
# sed -i rewrites the list in place; without -i the rules only go to stdout
# and the next job would insert bare IP addresses into before.rules.
echo "1 1 * * * root sed -i 's/^/-A ufw-before-input -s /; s/$/ -j DROP/' /root/scriptsremote/torbulkexitlist" >> …/…/etc/cron.d/blacklistTORexits
echo "2 1 * * * root sed -i '/# End required lines/r /root/scriptsremote/torbulkexitlist' /etc/ufw/before.rules" >> …/…/etc/cron.d/blacklistTORexits
echo "3 1 * * * root rm /root/scriptsremote/torbulkexitlist" >> …/…/etc/cron.d/blacklistTORexits

apt install -y fail2ban

# fail2ban jail for sshd on port 11218, with ban times that grow on repeat offences
rm …/…/etc/fail2ban/jail.d/sshd.conf
touch …/…/etc/fail2ban/jail.d/sshd.conf
echo "[sshd]" > …/…/etc/fail2ban/jail.d/sshd.conf
echo "enabled = true" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "port = 11218" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "filter = sshd" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "logpath = /var/log/auth.log" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "maxretry = 5" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "bantime = 24h" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "bantime.increment = true" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "bantime.factor = 24" >> …/…/etc/fail2ban/jail.d/sshd.conf
echo "bantime.maxtime = 52w" >> …/…/etc/fail2ban/jail.d/sshd.conf
```

Here I hope this is well received,

Carlos.
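
A hardened variant of the cron pipeline in the message above, as an added example that is not part of the original mail: it accepts only plain IPv4 lines from the downloaded list and rewrites one marked block in the rules file instead of inserting a fresh copy every night. The marker comments and function names are assumptions; only the `# End required lines` anchor and the rule format come from the mail.

```sh
#!/bin/sh
# Added example: marker strings and function names are assumptions, not from the mail.
BEGIN_MARK='# BEGIN tor-exit-block'
END_MARK='# END tor-exit-block'
ANCHOR='# End required lines'   # insertion point used by the mail's sed command

# render_rules LIST: print one DROP rule per line of LIST that is a plain
# IPv4 address; every other line (HTML error page, extra tokens) is skipped.
render_rules() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, "."); ok = 1
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (ok) print "-A ufw-before-input -s " $0 " -j DROP"
    }' "$1" | sort -u
}

# update_rules LIST RULES: replace the marked block in RULES with rules
# rendered from LIST, so repeated runs do not pile up duplicates.
update_rules() {
    list=$1
    rules=$2
    grep -qxF "$ANCHOR" "$rules" || return 1       # unexpected file layout
    block=$(mktemp) || return 1
    tmp=$(mktemp) || { rm -f "$block"; return 1; }
    { echo "$BEGIN_MARK"; render_rules "$list"; echo "$END_MARK"; } > "$block"
    if [ "$(wc -l < "$block")" -le 2 ]; then       # empty or failed download
        rm -f "$block" "$tmp"
        return 1
    fi
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v a="$ANCHOR" -v blk="$block" '
        $0 == b { skip = 1; next }     # drop the block written by the last run
        $0 == e { skip = 0; next }
        skip    { next }
        { print }
        $0 == a { while ((getline l < blk) > 0) print l }
    ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps owner and mode
    rc=$?
    rm -f "$block" "$tmp"
    return "$rc"
}
```

After a successful `update_rules` run the firewall still has to be reloaded (for example with `ufw reload`) before the new rules take effect.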


On 7/10/24 1:19 AM, god-gave-you-mouth-ears-eyes-so-enjoy@posteo.net wrote:

Hi Rafo,

I have a pre-defined fail2ban (jail) script that does all the job of banning any tor-EXIT -dynamically updated via cron- from attempting access when this helps.

This is meant for Debian,

The syntax could do with Fedora (perhaps a few code adaptations).

Let me know when this is of interest.

Carlos.

-- 
PGP updated every second week : please actualize our communication every time.

On 7/8/24 7:34 PM, Rafo (r4fo.com) via tor-relays wrote:

Hi,
I have been running a relay for a few months now without any problems. But this week I’ve received 2 DDoS alerts from my provider (Netcup), both are ~3 gigabits. They seem to be coming from other Tor relays.
I’m running an Invidious-like instance on my server (which uses around 600 megabits) but I have a 2.5 gigabit port. So I configured my Tor relay to use 300-400 megabits.
I’m not sure where that 3 gigabit of data comes from.
I have lowered my advertised bandwidth to 100 megabits, would that be enough to prevent these kinds of issues?

Kind regards,

Rafo

_______________________________________________
tor-relays mailing list
[tor-relays@lists.torproject.org](mailto:tor-relays@lists.torproject.org)
[https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays](https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays)

-- 
Updated every second week.
