amuck-landowner

Blocking Tor Users and Tor Exit Nodes from Reaching Your Server

drmike

drmike

100% Tier-1 Gogent
So earlier tonight, vpsBoard was DDoS attacked offline.   The source,  malicious traffic from Tor.

We've taken steps TO BLOCK TOR.   No more Tor traffic.  If you use it, get a VPN or Proxy or vpsBoard will probably not work much for you.

This script is borrowed from Github and slightly modified by me to work  :)

You must have python and iptables installed.

Paste the following in your script directory --- I called mine black.py




import urllib2, subprocess, shlex, time

def addrule(ip):
dot = ip.split('.')
if len(dot)==4:
time.sleep(0.1)
subprocess.Popen(shlex.split("iptables -A BLACKLIST -s "+ip+" -j DROP"))
else:
pass

def main():
tor_list = urllib2.urlopen('http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv')

subprocess.Popen(shlex.split("iptables -N BLACKLIST"))
subprocess.Popen(shlex.split("iptables -F BLACKLIST"))
subprocess.Popen(shlex.split("iptables -A INPUT -j BLACKLIST"))

for ip_tor in tor_list.readlines():
addrule(ip_tor)
print(ip_tor)

try:
main()
except OSError:
print "You don't have Permission!"


To run this:

python black.py

That will run to Tor's public exit node list and fetch the current list.   It then loops through the list and throws the blocks down in iptables.

This should work in any Linux environment and be portable.

When done, plug it into cron at interval of once every 60 minutes.
 
Last edited by a moderator:
R

rds100

New Member
Verified Provider
Adding thousands of linear iptables rules is a bad idea - every received packet will have to pass through this long firewall chain and this will burn CPU. Better use something like ip route add blackhole ...

Besides by calling this from cron every hour, you will execute this rule "iptables -A INPUT -j BLACKLIST" over and over again, which means that after one day every packet would have to go through the blacklist chain 24 times.
 
kaniini

kaniini

Beware the bunny-rabbit!
Verified Provider
rds100 said:
Adding thousands of linear iptables rules is a bad idea - every received packet will have to pass through this long firewall chain and this will burn CPU. Better use something like ip route add blackhole ...

Besides by calling this from cron every hour, you will execute this rule "iptables -A INPUT -j BLACKLIST" over and over again, which means that after one day every packet would have to go through the blacklist chain 24 times.
Click to expand...
Actually if it is just a connection flood, configuring nginx to use accept filters / tcp_defer_accept is probably the better option.
 
DomainBop

DomainBop

Dormant VPSB Pathogen
If you're using CSF blocking TOR is a simple matter of clicking on LFD blocklists and removing a #

blocklists available to block in CSF:

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|0|http://feeds.dshield.org/block.txt

# TOR Exit Nodes
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|0|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
#CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Emerging Threats - Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
#RBN|86400|0|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

# OpenBL.org 30 day List
# Details: http://www.openbl.org
OPENBL|86400|0|http://www.us.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|0|http://www.maxmind.com/en/anonymous_proxies
Click to expand...
 
drmike

drmike

100% Tier-1 Gogent
Keep the input coming... It is appreciated...  Lots of folks dealing with this.

CSF is on the short list.
 
raindog308

raindog308

vpsBoard Premium Member
Moderator
I thought vpsboard was behind BuyVM's DDOS protection?

Is TOR really a good DDOS vehicle?  TOR slows everything down, so I'd think that someone launching a DDOS through TOR would find their attack slowed down.  But I don't really know.

BTW, if you're going to block TOR traffic, you might want to make an announcement in the announcements section.
 
Last edited by a moderator:
MannDude

MannDude

Just a dude
vpsBoard Founder
Moderator
raindog308 said:
I thought vpsboard was behind BuyVM's DDOS protection?

Is TOR really a good DDOS vehicle?  TOR slows everything down, so I'd think that someone launching a DDOS through TOR would find their attack slowed down.  But I don't really know.

BTW, if you're going to block TOR traffic, you might want to make an announcement in the announcements section.
Click to expand...
vpsBoard is, but sometimes php requests get crazy and eat up resources. CNServers is good for most attacks, but not all attacks all the time. I'm not saying that Tor was cause of the attack, however logs show that there were a lot of Tor connections before/after attacks started so the main reasoning I want to block Tor is to prevent these easedroppers. I would never sign in for a service with Tor, so those who use it to lurk a website like this probably do so for not good reasons.

It may not be a permanent rule, but I'm curious to see how having the rule in place impacts things.
 
P

pechspilz

New Member
If you want to use iptables to weed out large numbers of IP addresses, just use ipset. It hashes IP addresses which results in a very quick lookup compared to linear parsed iptables rules. AFAIK you can store up to 2^16 addresses in each ipset list which should be enough for a TOR exit node list.

apt-get install ipset

(openVZ lacks the necessary kernel modules)

#setup blacklist & insert it in the input filter

ipset create blacklist hash:ip

iptables -I INPUT -m set --match-set blacklist src -j DROP

#blacklist an IP

ipset add blacklist 1.2.3.4
 
Amitz

Amitz

New Member
drmike said:
We've taken steps TO BLOCK TOR.   No more Tor traffic.  If you use it, get a VPN or Proxy or vpsBoard will probably not work much for you.
Click to expand...
Who is "we" in that context?

Are you part of the vpsboard.com team?

Or is it more a "we" like "We, the Doctor Mike, have decided..."? :)
 
MannDude

MannDude

Just a dude
vpsBoard Founder
Moderator
Amitz said:
Who is "we" in that context?

Are you part of the vpsboard.com team?

Or is it more a "we" like "We, the Doctor Mike, have decided..."? :)
Click to expand...
He means him and myself. When the site went down and I was working on it he hit me up on Skype to see if he could do anything to help. I mentioned a lot of IPs connecting from Tor at the time so "we" worked on a solution to prevent Tor users from connecting to the site for a while.
 
Magiobiwan

Magiobiwan

Insert Witty Statement Here
Verified Provider
The "royal we"? I WAS UNAWARE US HUMBLE FORUMERS WERE IN THE PRESENCE OF SUCH ROYALTY!
 
drmike

drmike

100% Tier-1 Gogent
Hehe, we we we go him him him in a pff.

All good since Tor went goodbye.  Site has been well behaved and seemingly more peppy to me.

I say time to ban more shitty networks.
 
Raymii

Raymii

New Member
drmike said:
I say time to ban more shitty networks.
Click to expand...
Since I started blocking China from my clients public Networks attacks dropped with over 60 percent. When Russia and half of eastern europe was added it was all over. They don't mind since they have only Dutch and UK customers mostly...


And, ipset is the way To go for larger lists. Or CSF...
 
R

rds100

New Member
Verified Provider
Raymii now block 0/0 and all attacks will stop :) Seriously, in the countries you have blocked live good people to, you know?
 
You must log in or register to reply here.
Top
amuck-landowner