Since (SSH brute force) attacks through the Tor network are getting more popular, it may be desirable to block Tor traffic to your server or to specific ports/services. There are several ways to block traffic from Tor exit nodes; one solution is setting up firewall rules with iptables (and ipset).
In short, ipset is a superb companion to iptables when you need to apply rules to long lists of IP addresses and networks. Instead of cluttering iptables with hundreds of (almost identical) rules, it can be done with a single iptables rule that matches against a defined ipset list. Because a set lookup is a hash lookup rather than a linear walk through a chain of rules, this solution also outperforms iptables-only solutions.
Install the ipset package (Debian/Ubuntu/...):
$ apt-get install ipset
Use something like this script to insert ipset/iptables rules:
#!/bin/bash
# block all traffic or traffic to specific ports from tor exit nodes
IPSET=/sbin/ipset
IPTABLES=/sbin/iptables
CURL=/usr/bin/curl
# ports to block
#BLOCKPORTS="ALL" # block ALL ports
BLOCKPORTS="22,25,53,110,143,465,993,995,10000" # block ports, comma separated list
# time to block (default 24h => 86400); re-adding an entry with -exist resets its timeout
BANTIME=86400
# ipset name
SETNAME="tor-exit-nodes"
# download ip list of tor exit nodes (-f: fail on HTTP errors instead of grepping an error page)
IPLIST=$( $CURL -sf --compressed https://check.torproject.org/exit-addresses | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | uniq )
# abort if the download failed, otherwise the existing entries would just expire after BANTIME
if [ -z "$IPLIST" ]
then
    echo "could not download the exit node list, keeping the existing set" >&2
    exit 1
fi
# create ipset (if not exist)
$IPSET create $SETNAME hash:ip timeout $BANTIME -exist
# add the ips to the ipset
for ip in $IPLIST
do
    $IPSET add $SETNAME $ip -exist
done
if [ "$BLOCKPORTS" == "ALL" ]
then
    # block ALL ports
    # delete iptables (existing) rule (workaround against duplicates)
    $IPTABLES -D INPUT -m set --match-set $SETNAME src -j DROP > /dev/null 2>&1
    # insert iptables rule
    $IPTABLES -I INPUT -m set --match-set $SETNAME src -j DROP
else
    # block SPECIFIED ports
    # delete iptables (existing) rules (workaround against duplicates)
    $IPTABLES -D INPUT -p tcp -m set --match-set $SETNAME src -m multiport --dports $BLOCKPORTS -j DROP > /dev/null 2>&1
    $IPTABLES -D INPUT -p udp -m set --match-set $SETNAME src -m multiport --dports $BLOCKPORTS -j DROP > /dev/null 2>&1
    # insert iptables rules for tcp/udp
    $IPTABLES -I INPUT -p tcp -m set --match-set $SETNAME src -m multiport --dports $BLOCKPORTS -j DROP
    $IPTABLES -I INPUT -p udp -m set --match-set $SETNAME src -m multiport --dports $BLOCKPORTS -j DROP
fi
#EoF
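As an added example (not part of the original post), a stricter replacement for the grep in the script above: it takes only the ExitAddress lines of the check.torproject.org/exit-addresses format and rejects addresses with an octet above 255, which the \b[0-9]{1,3} pattern would happily accept. The sample input is constructed; the fingerprints and timestamps are made up.

```shell
#!/bin/sh
# Added example: strict parser for the check.torproject.org/exit-addresses format.
# Constructed sample in that format (fingerprints and timestamps are made up);
# it contains a duplicate address and one with an invalid octet on purpose.
SAMPLE_EXIT_ADDRESSES='ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2017-04-27 19:04:44
LastStatus 2017-04-28 03:02:43
ExitAddress 192.0.2.10 2017-04-28 03:05:23
ExitAddress 192.0.2.10 2017-04-28 01:05:23
ExitNode 00A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3
Published 2017-04-27 20:00:00
LastStatus 2017-04-28 03:00:00
ExitAddress 198.51.100.7 2017-04-28 03:01:00
ExitAddress 198.51.100.999 2017-04-28 03:01:00
ExitAddress 203.0.113.5 2017-04-28 03:02:00'

# Reads the exit-addresses format on stdin and prints one valid, unique,
# numerically sorted IPv4 address per line, using only ExitAddress records.
extract_exit_ips() {
    awk '$1 == "ExitAddress" {
            n = split($2, o, ".")
            if (n != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Number of addresses the sample would load into the ipset.
count_exit_ips() {
    printf '%s\n' "$SAMPLE_EXIT_ADDRESSES" | extract_exit_ips | wc -l | tr -d ' '
}

# Stand-alone usage: print the cleaned list for the sample input.
printf '%s\n' "$SAMPLE_EXIT_ADDRESSES" | extract_exit_ips
```

In the script above, `$CURL ... | extract_exit_ips` can replace the grep/sort/uniq pipeline.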
Created: 28.04.2017 05:50, last changed: 28.04.2017 09:09