These utilities are free to use, modify and distribute
Tor Exit Node Block Scripts
The Tor Browser is an open-source project that lets its users browse the internet through
highly encrypted connections with anonymous servers around the world in order to hide their identity.
Tor is also a common tool for accessing what is known as the Deep Web: a hidden portion of the
internet that hosts a vast collection of illegal material and is used by serious hackers to carry out
network attacks. Because tracking the IP addresses associated with Tor is so complex, it is nearly
impossible to find the real source of attacks.
The Tor Project (thetorproject.org) offers a Python script to view a list of IP addresses associated
with the Tor network. Unfortunately, the list of IP addresses changes very frequently for security
purposes. As a result, there has been no established means of blocking these connections to keep hackers
from anonymously attempting to gain access to network resources.
TorBlock
(For Windows & Linux) – TorBlock is a Bash script I designed to automatically configure
servers to block Tor traffic to websites on port 80 and keep its list of Tor nodes updated. The code is
available for download here:
http://flauk.com/Tor/TorBlock.sh
The script offers two configuration options:
1. Configuring IPTABLES on a local Linux server:
   a. Updates the list of Tor nodes and explicitly denies access using Linux IPTABLES
      commands. Tor list updates with Cron, at a frequency of the user’s choice.
2. Configuring a remote Windows Apache Server’s .htaccess file:
   a. Updates the list of Tor nodes from a Linux machine and modifies the syntax for the
      Apache .htaccess file
   b. Uses FTP to transfer the list to the Windows web server where an additional script will be
      run (See last page)
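An added example, not part of TorBlock or the author's code: the downloaded list is interpolated directly into iptables commands and the .htaccess file, so this version validates every entry first and refuses to build rules from a failed or truncated download. The function names, the minimum-count threshold and the sample addresses are assumptions; the chain name TOR and the DROP target follow the script's settings.

```bash
#!/bin/bash
# Added example, not part of TorBlock. Function names are assumptions.

# Print the unique, well-formed IPv4 addresses found in list file $1.
# Comment lines, blank lines, HTML error pages and anything carrying extra
# text (which would otherwise be passed to iptables or .htaccess) are dropped.
valid_ips() {
    tr -d '\r' < "$1" | awk -F'[.]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' | sort -u
}

# Print an iptables-restore payload that rebuilds chain $2 from list file $1.
# Fails without output when fewer than $3 addresses pass validation, so a
# failed or truncated download never replaces a good rule set.
build_ruleset() {
    local list=$1 chain=$2 min=${3:-1} ips count
    ips=$(valid_ips "$list")
    count=$(printf '%s\n' "$ips" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -ge "$min" ] || return 1
    printf '*filter\n:%s - [0:0]\n' "$chain"
    printf '%s\n' "$ips" | sed "s|^|-A $chain -s |; s|\$| -j DROP|"
    printf -- '-A %s -j RETURN\nCOMMIT\n' "$chain"
}

# Demo on a constructed list (documentation-range addresses, not real exits).
demo_list=$(mktemp)
printf '%s\n' '# constructed header line' 192.0.2.10 198.51.100.7 \
    192.0.2.10 999.1.1.1 '203.0.113.5; reboot' '<html>error</html>' > "$demo_list"
# On a real server the output would be piped to: iptables-restore --noflush
build_ruleset "$demo_list" TOR 2 || echo "list rejected, rules left unchanged" >&2
rm -f "$demo_list"
```

Piping the payload to iptables-restore --noflush replaces only the declared chain in a single commit, which avoids the period during which a flushed chain is being refilled one rule at a time.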
TorTrack
(For Windows & Linux) – TorTrack is an additional Bash script for tracking access
attempts from Tor exit nodes. The script renews the Tor list and parses through the web server’s access
log to show when and how often a Tor node attempts to access your website. This can also be run for
the remote Windows machine using FTP to transfer the access log. The code is available for download
here:
http://flauk.com/Tor/TorTrack.sh
TorTrack also has additional uses, including a documented process for tracking Tor requests
from any log or error page. Additional instructions are in the TorTrack Filter Options section (page 10).
TorBlock (Linux) Proof of Concept:
(http://www.flauk.com/Tor/TorBlock.sh)
TorTrack (Linux) Proof of Concept
(http://www.flauk.com/Tor/TorTrack.sh)
TorBlock Code:
---BEGIN CODE PASTE---
#!/bin/bash
# Blocking Tor Exit nodes on Windows-Apache or Linux Servers
# Ryan MacNeille [flauk.com] - 2012
echo -ne "\n"
read -p "Installing for a remote Windows Web Server? (y/n)" yn
case $yn in
[Yy]* )
    # REMOTE WINDOWS SERVER CONFIGURATION
    # SET YOUR WINDOWS SERVER FTP VARIABLES HERE
    # (FTP sends these credentials over the network in cleartext)
    FTP_HOST=MySite.com
    FTP_USER=John.Doe
    FTP_PASS=Password1234
    # REPLACE THIS STRING WITH YOUR STATIC IP IF APPLICABLE
    IP_ADDRESS=123.123.123.123
    # Generate Updated Tor-Node List
    echo -ne "\n"
    echo --- Retrieving updated Tor node list from TorProject.org
    wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > /tmp/full.tor
    # Drop the first three lines (the list's header)
    tail -n +4 /tmp/full.tor > /tmp/tor.list
    echo -ne "\n"
    echo "--- Preparing list for .htaccess"
    sed -i -e 's/^/Deny from /' /tmp/tor.list > /dev/null 2>&1
    sed -i 1i"Order Allow,Deny" /tmp/tor.list > /dev/null 2>&1
    # Append only; a second redirect to /dev/null here would discard the line
    echo -e "\r\nAllow from all" >> /tmp/tor.list
    sed -i 's|^#.*$||g' /tmp/tor.list > /dev/null 2>&1
    # Prepend a blank line so the list starts on its own line when appended to old.htaccess
    echo -e "\r\n" | cat - /tmp/tor.list > /tmp/tor.list.new && mv /tmp/tor.list.new /tmp/tor.list
    # Send the Tor List to the Web Server
    echo -ne "\n"
    echo --- "Sending information to the Windows Server FTP"
    echo -ne "\n"
    ftp -inv $FTP_HOST > /dev/null 2>&1 << EOF
user $FTP_USER $FTP_PASS
put /tmp/tor.list Tor_List.txt
bye
EOF
    echo -ne "\n"
    echo --- "Configuration is complete, be sure to configure your Windows Server to complete the Installation Process"
    echo -ne "\n";;
[Nn]* )
    # LINUX APACHE WEB SERVER CONFIGURATION
    IPTABLES_TARGET="DROP"
    IPTABLES_CHAINNAME="TOR"
    IP_ADDRESS=123.123.123.123
    WORKING_DIR="/tmp/"
    # If the chain doesn't exist, create it.
    if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then
        iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1
    fi
    # Send inbound port 80 traffic through the chain; without this jump its rules are never evaluated.
    if ! iptables -C INPUT -p tcp --dport 80 -j "$IPTABLES_CHAINNAME" >/dev/null 2>&1 ; then
        iptables -I INPUT -p tcp --dport 80 -j "$IPTABLES_CHAINNAME"
    fi
    cd "$WORKING_DIR"
    echo -ne "\n"
    echo --- Retrieving updated Tor node list from TorProject.org
    echo -ne "\n"
    wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > /tmp/full.tor
    # Blank out the comment lines at the top of the list
    sed -i 's|^#.*$||g' /tmp/full.tor
    iptables -F "$IPTABLES_CHAINNAME"
    # sort -u removes duplicates (uniq before sort only removes adjacent ones)
    CMD=$(sort -u /tmp/full.tor)
    for IP in $CMD; do
        let COUNT=COUNT+1
        iptables -A "$IPTABLES_CHAINNAME" -s "$IP" -j $IPTABLES_TARGET
    done
    iptables -A "$IPTABLES_CHAINNAME" -j RETURN
    echo "--- IP Table rules are now set to block Tor connection attempts"
    echo -ne "\n"
    rm /tmp/full.tor
    ;;
esac
TorTrack Code:
---BEGIN CODE PASTE---
#!/bin/bash
# Strip Access Log & Find Tor IPs
# Ryan MacNeille [flauk.com] - 2012
#
# NOTE: You must modify the "CONFIGURATION LINES" below to set your Access log path and search options
# Windows Servers require FTP Credentials to be set below
#
# -To Show possible successful access - Remove "grep 403"
# -To Omit IP Addresses - grep -v 192.168.1.1
# -To Omit IP Ranges - grep -v 192.168.1.*
# -To Select Time Frames:
#
# -Year = Full Year With ":" - grep 2012:
# -Month = Three Letter Abbreviation - grep Mar
echo -ne "\n"
read -p "Track Tor access on a Remote Windows Server? (y/n)" yn
case $yn in
[Yy]* )
    # REMOTE WINDOWS SERVER CONFIGURATION
    IP_ADDRESS=123.123.123.123
    echo -ne "\n"
    echo Retrieving updated Tor node list from TorProject.org
    wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=*" -U NoSuchBrowser/1.0 > /tmp/full.tor
    # Drop the first three lines (the list's header)
    tail -n +4 /tmp/full.tor > /tmp/tor.list
    # SET YOUR WINDOWS SERVER FTP VARIABLES HERE
    # (FTP sends these credentials over the network in cleartext)
    FTP_HOST=MyServer.com
    FTP_USER=John.Doe
    FTP_PASS=password1234
    echo -ne "\n"
    echo "--- Retrieving Access log from Web Server"
    ftp -inv $FTP_HOST > /dev/null 2>&1 << EOF
user $FTP_USER $FTP_PASS
get access.log /tmp/access.log
bye
EOF
    echo -ne "\n"
    echo -ne "\n"
    # EDIT THIS LINE TO CUSTOMIZE OPTIONS FOR WINDOWS - See Header
    cat /tmp/access.log | grep 403 > /tmp/tor.log
    # Keep only the log lines that contain an address from the Tor list
    grep -w -F -f /tmp/tor.list /tmp/tor.log > /tmp/tor_access.log
    sed -i 's|^#.*$||g' /tmp/tor_access.log
    rm /tmp/access.log /tmp/tor.list
    echo -ne "\n"
    if [[ -s /tmp/tor_access.log ]] ; then
        cat /tmp/tor_access.log
        echo -ne "\n"
    else
        echo "No connection attempts associated with Tor were found."
        echo -ne "\n"
    fi;;
[Nn]* )
    # LINUX APACHE WEB SERVER CONFIGURATION
    IP_ADDRESS=123.123.123.123
    echo -ne "\n"
    echo Retrieving updated Tor node list from TorProject.org
    wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=*" -U NoSuchBrowser/1.0 > /tmp/full.tor
    # Drop the first three lines (the list's header)
    tail -n +4 /tmp/full.tor > /tmp/tor.list
    echo -ne "\n"
    echo "Searching for Tor IP Addresses in the log"
    # CONFIGURATION LINES; EDIT THESE LINES TO CUSTOMIZE SEARCH OPTIONS - See Header
    ACCESS_LOG=/var/log/apache/httpd/access.log # Path to your access.log file
    cat $ACCESS_LOG | grep 403 > /tmp/tor.log
    # Keep only the log lines that contain an address from the Tor list
    grep -w -F -f /tmp/tor.list /tmp/tor.log > /tmp/tor_access.log
    sed -i 's|^#.*$||g' /tmp/tor_access.log
    rm /tmp/tor.list
    echo -ne "\n"
    if [[ -s /tmp/tor_access.log ]] ; then
        cat /tmp/tor_access.log
        echo -ne "\n"
    else
        echo "No connection attempts associated with Tor were found."
        echo -ne "\n"
    fi;;
esac
TorTrack Filter Options:
Users can customize the access log filter as they desire. These configuration lines are specified in the
script comments.
To list possible successful access: Remove "grep 403" from the filter line
(Ex: cat $ACCESS_LOG | grep 403 > /tmp/tor.log)
To omit specific IP Addresses from being displayed, use the -v Grep option.
(Ex: cat $ACCESS_LOG | grep 403 | grep -v 192.168.1.1 > /tmp/tor.log)
To omit entire IP Ranges from being displayed, use the -v Grep option with a * variable.
(Ex: cat $ACCESS_LOG | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)
To select a custom output time frame, use Grep with the following syntax:
o Year = Full year followed by a ":"
(Ex: cat $ACCESS_LOG | grep 2012: | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)
o Month = Three letter abbreviation
(Ex: cat $ACCESS_LOG | grep Mar | grep 403 | grep -v 192.168.1.* > /tmp/tor.log)
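An added example, not part of TorTrack or the author's code: the grep filters above match "403" and a listed address anywhere in a log line, so this version compares the exit list against the client-address field only, filters on the status field, and reports how often and when each exit node appeared. The function name tor_hits, the common/combined log format and the sample log lines are assumptions.

```bash
#!/bin/bash
# Added example, not part of TorTrack. tor_hits is an assumed name.

# tor_hits LIST LOG [STATUS]
# Print "hits ip first_seen last_seen" for every exit address in LIST that
# appears as the client address (field 1) of LOG, busiest first. With STATUS
# set, only lines whose status field (field 9 of the common/combined log
# format) equals it are counted.
tor_hits() {
    local list=$1 log=$2 status=${3:-}
    awk -v want="$status" '
        FILENAME == ARGV[1] {                 # first file: the exit list
            sub(/\r$/, "")
            if ($0 != "" && $0 !~ /^#/) exits[$1]
            next
        }
        !($1 in exits)             { next }   # client is not an exit node
        want != "" && $9 != want   { next }   # status filter
        {
            ts = substr($4, 2)                # "[12/Mar/2012:..." without "["
            if (!($1 in hits)) first[$1] = ts
            hits[$1]++
            last[$1] = ts
        }
        END { for (ip in hits) print hits[ip], ip, first[ip], last[ip] }
    ' "$list" "$log" | sort -k1,1nr -k2,2
}

# Demo on constructed data (documentation-range addresses, not real exits).
dir=$(mktemp -d)
printf '%s\n' '# constructed header' 192.0.2.10 198.51.100.7 > "$dir/tor.list"
cat > "$dir/access.log" <<'EOF'
192.0.2.10 - - [12/Mar/2012:10:01:22 -0400] "GET /admin HTTP/1.1" 403 199
192.0.2.10 - - [12/Mar/2012:10:05:40 -0400] "GET /login HTTP/1.1" 403 199
198.51.100.7 - - [13/Mar/2012:08:00:01 -0400] "GET / HTTP/1.1" 200 4031
203.0.113.99 - - [13/Mar/2012:09:00:00 -0400] "GET /?ip=192.0.2.10 HTTP/1.1" 403 199
EOF
tor_hits "$dir/tor.list" "$dir/access.log" 403   # blocked attempts only
tor_hits "$dir/tor.list" "$dir/access.log"       # any status
rm -rf "$dir"
```

In the sample, the third line (status 200, size 4031) and the fourth line (a non-Tor client with a listed address in the query string) would both pass the grep pipeline, but neither is counted as a blocked Tor request here.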
Windows Server Scheduled Task Batch Code (Required for running on Windows Servers)
Batch file added to Windows server as a Scheduled Task, running daily.
Batch file retrieves the Tor list from Linux server and copies access log to FTP directory
NOTE: You MUST back up your original .htaccess file and rename it old.htaccess in the same directory
PRIOR to running this script.
del "C:\apache\.htaccess"
copy /B /Y "C:\apache\old.htaccess"+"C:\root-FTP-directory\Tor_List.txt" "C:\apache\htdocs\.htaccess"
copy C:\apache\logs\access.log C:\root-FTP-directory\access.log