Tor controller [ControlPort] - bruteforce defence measures & detailed logging when listening non-locally
Sometimes, as a relay operator, you should open your ControlPort to the world, because of various reasons - SSH is not always an option, you have application that implements Tor control protocol and it should control your OR remotely, etc.
When this happens, current controller implementation doesn't have any mechanism to prevent bruteforcing of the HashedControlPassword or the authentication cookie, and also the hypothetic attacker will remain compleatly anonymous (in general case, possible solution is to have another service monitoring the sockets and log the remote IP), because Tor doesn't log any data about him or her, like IP address, for example. Because of this behaviour, you also can't use software like fail2ban to ban the attackers based on the logged failed attempts.
Given all this, even with a strong enough passphrase, it becomes easy to break through the authentication and do a lot of bad things.
Tor should have a configuration directive to specify a limit of the number of allowed attempts when ControlPort socket is non-local. When the threshold is reached, Tor should block future attempts from this IP for a certain period of time.
The detailed logging will allow use of another software to take care in depth.
Trac:
Username: programings