Abuse Notices!

Let's talk about abuse notices that you might receive while operating a Tor Exit node. While operating an Exit node you will get a notice eventually. Maybe not today or next week, but everyone gets at least one notice during their time running an Exit. Below you'll find examples of what abuse notices might look like, and we'll also leave example responses you can modify and use yourself.

Example Notices

There are a lot of different types of abuse notices you might encounter. We'll show some examples that we've received personally.

Fail2Ban

We've received a ton of these one-and-done Fail2Ban notices.


~~~~~~~~~~ Beginning of message ~~~~~~~~~~


Hi, We have detected a network attack from an IP ( xxx.xxx.xxx.xxx ) from your network, a computer connected to it is probably infected and part of a botnet. Please check it and fix it up as soon as possible. Thank you.

/

Greetings, We have detected an attack from an IP ( xxx.xxx.xxx.xxx ) on your network; the machine is probably infected and part of a botnet. Please check it and fix it as soon as possible. Thank you very much.

The IP xxx.xxx.xxx.xxx has just been banned by Fail2Ban after
1 attempts against apache-critico.


Domain: censored.com (1xx.xxx.xxx.xxx)


Here are more information about xxx.xxx.xxx.xxx:
Lines containing IP:xxx.xxx.xxx.xxx in /furanet/sites/*/web/htdocs/logs/access

/furanet/sites/censored.com/web/htdocs/logs/access:xxx.xxx.xxx.xxx - - [02/Nov/2016:20:43:04 +0100] "GET /wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php HTTP/1.1" 302 - "-" "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

Date: Mon Nov 2 20:43:04 CET 2016


Regards,

Abuse Team
Comvive Servidores SL
abuse@comvive.com

Bruteforce

We've received only a few of these.


******************************
Your IP address [xxx.xxx.xxx.xxx] has been blocked for attacking sshd on our network. Please contact abuse@censored.com if you have questions or require more information.

Timezone is EDT/EST unless otherwise noted.


Nov 2 14:21:37 censored sshd[349422]: Invalid user admin from xxx.xxx.xxx.xxx
Nov 2 14:21:37 censored sshd[349422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Nov 2 14:21:39 censored sshd[349422]: Failed password for invalid user admin from xxx.xxx.xxx.xxx port 349422 ssh2
Nov 2 14:21:44 censored sshd[674490]: Invalid user admin from xxx.xxx.xxx.xxx
Nov 2 14:21:44 censored sshd[674490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
******************************

Example Resolutions

Here are some example resolution responses for when only one IP address is affected, and for when multiple IP addresses are affected. Usually we personally reject a /24, because that covers 256 IP addresses. Go here to learn more

When only 1 IP is affected



Hello,

We've gone ahead and added the IP address to our block/reject list.

" ExitPolicy reject xxx.xxx.xxx.xxx:* "

Please let us know if you need any further action towards this.
Thanks,

When multiple IP Addresses are affected.



Hello,

We've gone ahead and added the IP address,
and the block around it, to our block/reject list.

" ExitPolicy reject xxx.xxx.xxx.xxx/24:* "

Please let us know if you need any further action towards this.
Thanks,
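To show what the two ExitPolicy lines in the responses above actually do inside a torrc, here is an added Python example (not code from the original post or from the Tor project): it builds the reject line for a single IP or a /24, inserts it before the first accept rule because Tor applies ExitPolicy lines in order with first match winning, and then evaluates a destination against the policy so you can confirm the reported address is now rejected. It assumes plain "ExitPolicy accept|reject addr:port" lines and IPv4 targets only; the torrc it is checked against is constructed.

```python
import ipaddress
import re
from typing import List, Optional

POLICY_RE = re.compile(r"^\s*ExitPolicy\s+(accept|reject)\s+(\S+):(\S+)\s*$")

def reject_line(target: str) -> str:
    """Reject line for one IPv4 host ("a.b.c.d") or a block ("a.b.c.d/24")."""
    net = ipaddress.ip_network(target, strict=False)  # strict=False clears host bits
    if net.version != 4:
        raise ValueError("this example handles IPv4 targets only")
    addr = str(net.network_address) if net.prefixlen == 32 else str(net)
    return f"ExitPolicy reject {addr}:*"

def add_reject(torrc: List[str], target: str) -> List[str]:
    """Copy of torrc with the reject line placed before the first accept rule.
    Tor evaluates ExitPolicy lines in order, so a reject after 'accept *:*' never fires."""
    line = reject_line(target)
    out = list(torrc)
    if any(row.strip() == line for row in out):
        return out  # already present: keep the edit idempotent
    for i, row in enumerate(out):
        m = POLICY_RE.match(row)
        if m and m.group(1) == "accept":
            out.insert(i, line)
            return out
    out.append(line)  # no accept rule present: append at the end
    return out

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # "80" or "80-443"
    return int(lo) <= port <= int(hi or lo)

def exit_decision(torrc: List[str], ip: str, port: int) -> Optional[str]:
    """First-match check: 'accept', 'reject', or None if no configured line matches
    (Tor would then fall through to its built-in default policy)."""
    dst = ipaddress.ip_address(ip)
    for row in torrc:
        m = POLICY_RE.match(row)
        if not m or not _port_matches(m.group(3), port):
            continue
        try:
            if m.group(2) == "*" or dst in ipaddress.ip_network(m.group(2), strict=False):
                return m.group(1)
        except ValueError:  # e.g. a bracketed IPv6 address this parser skips
            continue
    return None
```

After writing the updated lines back to torrc, reload Tor (for example by sending it SIGHUP) so the new policy takes effect and is published in the relay's descriptor.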