ViperTKD
Lisker
Posts: 66
Joined: Mon Apr 04, 2016 11:06 pm
Location: Quebec, Canada

How to protect your node against TOR exit nodes

Sun Apr 17, 2016 4:13 pm

Hello Liskers,

If you're like me and security matters to you, you will find this little guide interesting. I won't share all my security tricks here, but I thought this guide could be useful for many.

Since there's no point accessing a Lisk delegate node through TOR, I think it's pretty safe to just block the TOR network and eliminate that exposure for an attack.

So here's my little guide on how to effectively block TOR exit nodes on your Lisk delegate node.

First, here are some prerequisites:

Code:

sudo apt-get install ipset
sudo mkdir /opt/scripts
sudo mkdir /opt/scripts/logs


Now, you can just copy and paste this script below:

> sudo nano /opt/scripts/blocktor.sh

Code:

#!/bin/bash
# Block TOR exit nodes
# v0.9
# by ViperTKD

echo ===== Start: $(date +"%m/%d/%Y %H:%M:%S") =====

# Temp files
TOR_IP_TMP=/tmp/tor_ip.tmp
TOR_IP_BLACKLIST_TMP=/tmp/tor_ip_blacklist.tmp

# IPSET List name
IPSET_TOR=torexitnodes

# Your IP Address
# Automatically detect your IP address
MY_IP=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
# OR ---> Remove comment '#' on line below and enter your IP address manually
#MY_IP=YOUR_IP_ADDRESS_HERE
#

# URL to get TOR exit nodes that can access your IP Address
TOR_URL="https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$MY_IP"

# Create IPSET if it doesn't exist yet
/sbin/ipset -N $IPSET_TOR iphash --hashsize 16384 >/dev/null 2>&1

# Destroy and re-create temp IPSET
/sbin/ipset --destroy "${IPSET_TOR}_TEMP" >/dev/null 2>&1
/sbin/ipset -N ${IPSET_TOR}_TEMP iphash --hashsize 16384 >/dev/null 2>&1

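# Get the list of TOR exit nodes; stop on a failed download so the live set is not swapped for an empty one
/usr/bin/curl -fsS "$TOR_URL" > "$TOR_IP_TMP" || { echo "Download failed, keeping current set"; exit 1; }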

# Extract IP addresses from the list and remove empty and comment lines
grep -v '^#' $TOR_IP_TMP | grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' > $TOR_IP_BLACKLIST_TMP

# Add IP addresses to IPSET temp list
while IFS= read -r ip
do
        /sbin/ipset add "${IPSET_TOR}_TEMP" "$ip"
done < "$TOR_IP_BLACKLIST_TMP"

# Swap IPSET temp table and live table for minimal exposure
/sbin/ipset --swap ${IPSET_TOR} ${IPSET_TOR}_TEMP

# Remove temp set
/sbin/ipset --destroy "${IPSET_TOR}_TEMP" >/dev/null 2>&1

# Cleaning up temp files
rm -f "$TOR_IP_TMP" "$TOR_IP_BLACKLIST_TMP"

# Ensure iptables rule to block TOR exit node is there
/sbin/iptables -nL INPUT | grep "$IPSET_TOR src" &>/dev/null
if [[ $? -ne 0 ]]; then
  /sbin/iptables -I INPUT -m set --match-set $IPSET_TOR src -j DROP
fi

echo ===== End: $(date +"%m/%d/%Y %H:%M:%S") =====


Almost done. The last step is to create a cron job to run it every 5 min since the exit nodes can change at any time.

Code:

sudo crontab -e


Copy and paste the following line:

Code:

*/5 * * * * /bin/bash /opt/scripts/blocktor.sh >> /opt/scripts/logs/blocktor.log 2>&1


There you go! Your delegate node is now safe from attack from the TOR network.
Check my Delegate Candidacy : https://forum.lisk.io/viewtopic.php?f=6&t=246
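
An added example, not part of ViperTKD's script: the extraction regex above accepts strings such as 999.1.1.1, and a download that returns an error page would still be swapped in as an empty set. This helper validates each address, refuses lists that are too short, and emits input for a single `ipset restore` run. The function names, `MIN_ENTRIES` and the sample addresses are assumptions made for the example.

```shell
#!/bin/bash
# Added example: turn a downloaded exit-node list into `ipset restore` input.
# It only generates text; nothing here touches the firewall.
SET_NAME=torexitnodes   # set name from the guide's script
MIN_ENTRIES=3           # assumed sanity threshold, raise it for real lists

# valid_ips SELF_IP: print unique, well-formed IPv4 addresses from stdin.
# Drops comments, blank lines, octets above 255 and the node's own address.
valid_ips() {
    awk -v self="$1" '
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }
        {
            ip = $1
            if (ip == self || split(ip, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) next
            if (!seen[ip]++) print ip
        }'
}

# build_restore SELF_IP: print restore commands for the list on stdin.
# Returns 1 and prints nothing when fewer than MIN_ENTRIES addresses survive,
# so an error page or truncated download never replaces the live set.
build_restore() {
    local ips count
    ips=$(valid_ips "$1")
    count=$(printf '%s\n' "$ips" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -ge "$MIN_ENTRIES" ] || return 1
    echo "create ${SET_NAME} -exist hash:ip hashsize 16384"
    echo "create ${SET_NAME}_TEMP -exist hash:ip hashsize 16384"
    echo "flush ${SET_NAME}_TEMP"
    printf '%s\n' "$ips" | sed "s/^/add ${SET_NAME}_TEMP /"
    echo "swap ${SET_NAME}_TEMP ${SET_NAME}"
    echo "destroy ${SET_NAME}_TEMP"
}

# Constructed sample input (documentation-range addresses, not real exit nodes).
SAMPLE='# constructed header line
192.0.2.10
198.51.100.7
999.1.1.1
192.0.2.10

203.0.113.5
203.0.113.99'

# Demo: 203.0.113.99 plays the node's own address and is left out.
printf '%s\n' "$SAMPLE" | build_restore 203.0.113.99
```

Write the output to a file and pass it to `ipset restore` only when `build_restore` returns 0.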

SillySwitch33
Lisker
Posts: 46
Joined: Thu Apr 07, 2016 1:07 am

Re: How to protect your node against TOR exit nodes

Sun Apr 17, 2016 4:32 pm

Nice, thank you!
Testnet ranking around 106

Videodrome
Lisker
Posts: 57
Joined: Tue Mar 15, 2016 11:49 pm

Re: How to protect your node against TOR exit nodes

Fri Apr 22, 2016 10:49 pm

Thanks for sharing!

redux
Lisker
Posts: 67
Joined: Mon Mar 28, 2016 11:16 pm
Location: planet crypto

Re: How to protect your node against TOR exit nodes

Sat Apr 23, 2016 10:17 am

Here are some additional lists for rogue IPs that get dynamic updates.

The CINS Score -> ip list
Brute Force Blocker -> ip list
vote delegate: redux
SSD HW Raid ★ 8+GB mem ★ 1Gbit Uplink ★ Anti DDOS ★ CentOS 7 ★ Located in .EU

Projects: Lisk Zabbix Template | TBA.

ViperTKD
Lisker
Posts: 66
Joined: Mon Apr 04, 2016 11:06 pm
Location: Quebec, Canada

Re: How to protect your node against TOR exit nodes

Sat Apr 23, 2016 12:20 pm

redux wrote: Here are some additional lists for rogue IPs that get dynamic updates.

The CINS Score -> ip list
Brute Force Blocker -> ip list



Yes, those are 2 good lists! I'm using them too.

I'm actually using a total of 11 different lists right now including TOR and these 2 above.
Check my Delegate Candidacy : https://forum.lisk.io/viewtopic.php?f=6&t=246

sgdias
Lisker
Posts: 128
Joined: Sat Mar 19, 2016 5:55 pm

Re: How to protect your node against TOR exit nodes

Sun Apr 24, 2016 5:07 pm

Very valuable information, ViperTKD! Thanks for sharing.
