Ryan MacNeille [ ryan.macneille@gmail.com ]

Tor Exit Node Block Scripts

The Tor Browser is an Open Source project that allows its users to browse the internet through highly encrypted connections relayed by anonymous servers around the world in order to hide their identity. Tor is also a common tool for accessing what is known as the Deep Web, a hidden portion of the internet containing a vast collection of illegal material, and it is used by serious hackers to execute network attacks. Because tracing the IP addresses associated with Tor is so complex, it is nearly impossible to find the real source of such attacks. The Tor Project (thetorproject.org) offers a Python script to view a list of IP addresses associated with the Tor network. Unfortunately, the list of IP addresses changes very frequently for security purposes, so there has been no specified means of blocking these connections to keep hackers from attempting to reach network resources anonymously.

TorBlock (For Windows & Linux)

TorBlock is a Bash script I designed to automatically configure servers to block Tor traffic to websites on port 80 and keep its list of Tor nodes updated. The code is available for download here: http://flauk.com/tor/torblock.sh

The script offers two configuration options:

1. Configuring IPTABLES on a local Linux server:
   a. Updates the list of Tor nodes and explicitly denies access using Linux IPTABLES commands. The Tor list is updated with Cron, at a frequency of the user's choice.

2. Configuring a remote Windows Apache Server's .htaccess file:
   a. Updates the list of Tor nodes from a Linux machine and rewrites it in the syntax of the Apache .htaccess file.
   b. Uses FTP to transfer the list to the Windows web server, where an additional script will be run (see the Windows Server Scheduled Task Batch Code section at the end).

TorTrack (For Windows & Linux)

TorTrack is an additional Bash script for tracking access attempts from Tor exit nodes.
The script renews the Tor list and parses the web server's access log to show when and how often a Tor node attempts to access your website. This can also be run for the remote Windows machine, using FTP to transfer the access log. The code is available for download here: http://flauk.com/tor/tortrack.sh

TorTrack also has additional uses, including a documented process for tracking Tor requests from any log or error page. Additional instructions are in the TorTrack Filter Options section below.
TorBlock (Linux) Proof of Concept: (http://www.flauk.com/tor/torblock.sh)

TorBlock (Windows) Proof of Concept

TorTrack (Linux) Proof of Concept (http://www.flauk.com/tor/tortrack.sh)

TorTrack (Windows) Proof of Concept
TorBlock Code:

---BEGIN CODE PASTE---
#!/bin/bash
# Blocking Tor Exit nodes on Windows-Apache or Linux Servers
# Ryan MacNeille [flauk.com] - 2012

read -p "Installing for a remote Windows Web Server? (y/n) " yn
case $yn in
    [Yy]* )
        # REMOTE WINDOWS SERVER CONFIGURATION
        # SET YOUR WINDOWS SERVER FTP VARIABLES HERE
        FTP_HOST=MySite.com
        FTP_USER=John.Doe
        FTP_PASS=Password1234
        # REPLACE THIS STRING WITH YOUR STATIC IP IF APPLICABLE
        IP_ADDRESS=123.123.123.123

        # Generate Updated Tor-Node List
        echo "--- Retrieving updated Tor node list from TorProject.org"
        wget -q -O - "https://check.torproject.org/cgi-bin/torbulkexitlist.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > /tmp/full.tor
        # Skip the three header comment lines of the bulk list
        tail -n +4 /tmp/full.tor > /tmp/tor.list

        echo "--- Preparing list for .htaccess"
        sed -i -e 's/^/deny from /' /tmp/tor.list        # one "deny from <ip>" per line
        sed -i '1i Order Allow,Deny' /tmp/tor.list        # directive that makes the deny lines take effect
        echo -e "\r\nallow from all" >> /tmp/tor.list     # everyone else stays allowed
        sed -i 's/^#.*$//g' /tmp/tor.list                 # blank out any remaining comment lines

        # Send the Tor List to the Web Server
        echo "--- Sending information to the Windows Server FTP"
        ftp -inv $FTP_HOST > /dev/null 2>&1 << EOF
user $FTP_USER $FTP_PASS
put /tmp/tor.list Tor_List.txt
bye
EOF
        echo "--- Configuration is complete, be sure to configure your Windows Server to complete the Installation Process"
        ;;
    [Nn]* )
        # LINUX APACHE WEB SERVER CONFIGURATION
        IPTABLES_TARGET="DROP"
        IPTABLES_CHAINNAME="TOR"
        IP_ADDRESS=123.123.123.123
        WORKING_DIR="/tmp/"

        # If the chain doesn't exist, create it.
        if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then
            iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1
        fi
        # Jump port-80 traffic into the chain; without this rule the chain is never consulted
        iptables -C INPUT -p tcp --dport 80 -j "$IPTABLES_CHAINNAME" >/dev/null 2>&1 \
            || iptables -I INPUT -p tcp --dport 80 -j "$IPTABLES_CHAINNAME"

        cd $WORKING_DIR
        echo "--- Retrieving updated Tor node list from TorProject.org"
        wget -q -O - "https://check.torproject.org/cgi-bin/torbulkexitlist.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > /tmp/full.tor
        sed -i 's/^#.*$//g' /tmp/full.tor                 # blank out the header comments
        iptables -F "$IPTABLES_CHAINNAME"                 # rebuild the chain from the fresh list
        COUNT=0
        for IP in $(sort -u /tmp/full.tor); do            # sort -u dedupes; uniq alone only merges adjacent lines
            let COUNT=COUNT+1
            iptables -A "$IPTABLES_CHAINNAME" -s $IP -j $IPTABLES_TARGET
        done
        iptables -A "$IPTABLES_CHAINNAME" -j RETURN
        echo "--- IP Table rules are now set to block Tor connection attempts ($COUNT exit nodes)"
        rm /tmp/full.tor
        ;;
esac
---END---
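Both TorBlock configurations (the IPTABLES chain for a local Linux server and the .htaccess deny list for a remote Windows Apache server) start from the same bulk exit list, and both write whatever that list contains straight into a rule file. The added example below is not TorBlock's code; it shows the same two conversions with one validation step in front of them, so a fetch that returns an error page instead of addresses cannot end up as a malformed firewall rule or a broken .htaccess. The list is a constructed sample in the format the page's scripts fetch (header comments, then one IPv4 address per line), and the chain name TOR and target DROP are the page's own defaults. The iptables output is written for iptables-restore so the chain is replaced atomically instead of being flushed and refilled one rule at a time.

```shell
#!/bin/sh
# Convert a Tor bulk exit list into (a) an iptables-restore fragment for a
# dedicated chain and (b) an Apache .htaccess deny block, validating every
# address first. SAMPLE_LIST is constructed for this demonstration.
SAMPLE_LIST='# This is a list of all Tor exit nodes (constructed sample)
# generated for 192.0.2.10 port 80
# one address per line
198.51.100.7
203.0.113.42
198.51.100.7
<html>Service unavailable</html>
203.0.113.9
'

# Keep only well-formed IPv4 addresses, deduplicated. Comments, blank lines
# and anything else (an HTML error page returned instead of the list, for
# example) are dropped, so a failed fetch cannot become a broken rule file.
clean_exit_list() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# iptables-restore fragment. Loaded with "iptables-restore -n", only the
# chain named here is replaced; builtin chains and other user chains are
# left alone, and the swap happens in one kernel operation.
build_tor_ruleset() {    # $1 = chain name, $2 = target
    chain=${1:-TOR}
    target=${2:-DROP}
    printf '*filter\n:%s - [0:0]\n' "$chain"
    clean_exit_list | while read -r ip; do
        printf '%s %s -s %s/32 -j %s\n' "-A" "$chain" "$ip" "$target"
    done
    printf '%s %s -j RETURN\nCOMMIT\n' "-A" "$chain"
}

# Apache 2.2-style .htaccess block, the same shape TorBlock produces:
# with "Order Allow,Deny" a host matching any Deny line is refused even
# though "Allow from all" admits everyone else.
build_htaccess() {
    printf 'Order Allow,Deny\n'
    clean_exit_list | while read -r ip; do
        printf 'Deny from %s\n' "$ip"
    done
    printf 'Allow from all\n'
}

# Number of addresses that survive validation (reads the raw list on stdin)
count_addresses() {
    clean_exit_list | grep -c ''
}

# Demo run on the constructed sample
printf '%s' "$SAMPLE_LIST" | build_tor_ruleset TOR DROP
printf '%s' "$SAMPLE_LIST" | build_htaccess
```

To use the ruleset on a real host, pipe the fetched list through `build_tor_ruleset TOR DROP | iptables-restore -n`; the one-time `iptables -I INPUT -p tcp --dport 80 -j TOR` hook that sends web traffic into the chain is still needed, exactly as in TorBlock. The validation regex accepts any dotted quad, which is enough to keep non-address garbage out; it does not verify that each octet is below 256.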
TorTrack Code:

---BEGIN CODE PASTE---
#!/bin/bash
# Strip Access Log & Find Tor IPs
# Ryan MacNeille [flauk.com] - 2012
#
# NOTE: You must modify the "CONFIGURATION LINES" below to set your Access log path and search options
#       Windows Servers require FTP Credentials to be set below
#
#  -To Show possible successful access   - Remove "| grep 403"
#  -To Omit IP Addresses                 - | grep -v 192.168.1.1
#  -To Omit IP Ranges                    - | grep -v 192.168.1.*
#  -To Select Time Frames:
#     -Year  = Full Year With ":"        - | grep 2012:
#     -Month = Three Letter Abbreviation - | grep Mar

read -p "Track Tor access on a Remote Windows Server? (y/n) " yn
case $yn in
    [Yy]* )
        # REMOTE WINDOWS SERVER CONFIGURATION
        IP_ADDRESS=123.123.123.123
        echo "--- Retrieving updated Tor node list from TorProject.org"
        wget -q -O - "https://check.torproject.org/cgi-bin/torbulkexitlist.py?ip=$IP_ADDRESS&port=*" -U NoSuchBrowser/1.0 > /tmp/full.tor
        # Skip the header comments and drop blank lines: an empty pattern in a
        # grep -f file would match every log line
        tail -n +4 /tmp/full.tor | grep -v '^$' > /tmp/tor.list

        # SET YOUR WINDOWS SERVER FTP VARIABLES HERE
        FTP_HOST=MyServer.com
        FTP_USER=John.Doe
        FTP_PASS=password1234
        echo -ne "\n"
        echo "--- Retrieving Access log from Web Server"
        ftp -inv $FTP_HOST > /dev/null 2>&1 << EOF
user $FTP_USER $FTP_PASS
get access.log /tmp/access.log
bye
EOF
        echo -ne "\n"
        echo "--- Searching for Tor IP Addresses in the log"
        echo -ne "\n"
        # EDIT THIS LINE TO CUSTOMIZE OPTIONS FOR WINDOWS - See Header
        cat /tmp/access.log | grep 403 > /tmp/tor.log
        # Keep only log lines containing an address from the Tor list (fixed-string, whole-word match)
        grep -w -F -f /tmp/tor.list /tmp/tor.log > /tmp/tor_access.log
        sed -i 's/^#.*$//g' /tmp/tor_access.log
        rm /tmp/access.log /tmp/tor.list
        if [[ -s /tmp/tor_access.log ]] ; then
            cat /tmp/tor_access.log
        else
            echo "No connection attempts associated with Tor were found."
        fi
        ;;
    [Nn]* )
        # LINUX APACHE WEB SERVER CONFIGURATION
        IP_ADDRESS=123.123.123.123
        echo "--- Retrieving updated Tor node list from TorProject.org"
        wget -q -O - "https://check.torproject.org/cgi-bin/torbulkexitlist.py?ip=$IP_ADDRESS&port=*" -U NoSuchBrowser/1.0 > /tmp/full.tor
        tail -n +4 /tmp/full.tor | grep -v '^$' > /tmp/tor.list
        echo "--- Searching for Tor IP Addresses in the log"
        # CONFIGURATION LINES; EDIT THESE LINES TO CUSTOMIZE SEARCH OPTIONS - See Header
        ACCESS_LOG=/var/log/apache/httpd/access.log    # Path to your access.log file
        cat $ACCESS_LOG | grep 403 > /tmp/tor.log
        grep -w -F -f /tmp/tor.list /tmp/tor.log > /tmp/tor_access.log
        sed -i 's/^#.*$//g' /tmp/tor_access.log
        rm /tmp/tor.list
        if [[ -s /tmp/tor_access.log ]] ; then
            cat /tmp/tor_access.log
        else
            echo "No connection attempts associated with Tor were found."
        fi
        ;;
esac
---END---
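TorTrack answers "when and how often" by printing every matching log line, and it matches with `grep -w -F -f`, which treats the whole line as the haystack and, if the pattern file contains a blank line, matches everything. The added example below is not TorTrack's code; it compares the client field of each access-log line against the exit list exactly, ignores comment and blank lines in the list, and adds the per-address count the page describes. The exit list, the Combined Log Format lines and the temp-file layout are constructed for this demonstration; the status-code and month filters reproduce the page's `grep 403` and `grep Mar` options, with the month anchored to the date field so a URL containing "Mar" is not counted.

```shell
#!/bin/sh
# Match Apache access-log lines against a Tor exit list and summarise hits
# per exit address. All sample data below is constructed for the demo.
SAMPLE_EXIT_LIST='# This is a list of all Tor exit nodes (constructed sample)
# generated at 2012-03-12
# one address per line
198.51.100.7
203.0.113.42

'
# Combined Log Format: field 1 is the client IP, field 9 the status code.
# 198.51.100.70 is a non-Tor lookalike that a substring match would catch.
SAMPLE_ACCESS_LOG='198.51.100.7 - - [12/Mar/2012:10:01:02 +0000] "GET /admin HTTP/1.1" 403 199
192.0.2.55 - - [12/Mar/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1532
203.0.113.42 - - [12/Mar/2012:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 403 199
198.51.100.7 - - [12/Mar/2012:10:02:40 +0000] "POST /login HTTP/1.1" 200 88
198.51.100.70 - - [12/Mar/2012:10:03:01 +0000] "GET /Mar/ HTTP/1.1" 403 199'

EXIT_FILE=$(mktemp)
LOG_FILE=$(mktemp)
trap 'rm -f "$EXIT_FILE" "$LOG_FILE"' EXIT
printf '%s\n' "$SAMPLE_EXIT_LIST" > "$EXIT_FILE"
printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$LOG_FILE"

# Print the access-log lines whose client field is a listed exit address.
# The list is loaded into a set first; only dotted-quad lines qualify, so
# header comments and blank lines can never act as wildcard patterns, and
# the comparison is on the whole field, never a substring.
tor_hits() {    # $1 = exit list file, $2 = access log file
    awk 'FILENAME == ARGV[1] {
             if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) tor[$1]
             next
         }
         ($1 in tor)' "$1" "$2"
}

# Keep only lines with the given HTTP status (the page uses 403 to show
# requests the deny list already refused).
only_status() {    # $1 = status code; log lines on stdin
    awk -v code="$1" '$9 == code'
}

# Keep only lines from the given month, matched inside the bracketed date
# field rather than anywhere on the line.
only_month() {    # $1 = three-letter month abbreviation; log lines on stdin
    grep -F "/$1/"
}

# "count address" per exit, most active first
tor_summary() {    # $1 = exit list file, $2 = access log file
    tor_hits "$1" "$2" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo run on the constructed sample
tor_summary "$EXIT_FILE" "$LOG_FILE"
```

On a live server, point `$LOG_FILE` at the Apache access log (the page uses /var/log/apache/httpd/access.log) and `$EXIT_FILE` at the freshly fetched bulk list; `tor_hits "$EXIT_FILE" "$LOG_FILE" | only_status 403 | only_month Mar` is the equivalent of the page's filter chain.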
TorTrack Filter Options:

Users can customize the access log filter as they desire. These configuration lines are specified in the script comments.

To list possible successful access, remove the "| grep 403" stage.
   (Ex: the line to edit is cat $ACCESS_LOG | grep 403 > /tmp/tor.log)

To omit specific IP addresses from being displayed, use the -v Grep option.
   (Ex: cat $ACCESS_LOG | grep 403 | grep -v 192.168.1.1 > /tmp/tor.log)

To omit entire IP ranges from being displayed, use the -v Grep option with a * wildcard.
   (Ex: cat $ACCESS_LOG | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)

To select a custom output time frame, use Grep with the following syntax:
   o Year = Full year followed by a ":"
     (Ex: cat $ACCESS_LOG | grep 2012: | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)
   o Month = Three letter abbreviation
     (Ex: cat $ACCESS_LOG | grep Mar | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)

Windows Server Scheduled Task Batch Code (Required for running on Windows Servers)

Batch file added to the Windows server as a Scheduled Task, running daily. The batch file retrieves the Tor list from the Linux server and copies the access log to the FTP directory.

NOTE: You MUST back up your original .htaccess file and rename it old.htaccess in the same directory PRIOR to running this script.

rem Remove the current .htaccess, then rebuild it from the backed-up original followed by the Tor deny list
del "C:\apache\.htaccess"
copy /B /Y "C:\apache\old.htaccess"+"C:\root-FTP-directory\Tor_List.txt" "C:\apache\htdocs\.htaccess"
rem Expose the access log in the FTP directory so TorTrack can fetch it
copy C:\apache\logs\access.log C:\root-FTP-directory\access.log