Opened 5 years ago

Last modified 3 years ago

#17451 new enhancement

Tor controller [ControlPort] - bruteforce defence measures & detailed logging when listening non-locally

Reported by: programings
Owned by:
Priority: Very Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: lorax tor-control defense-in-depth dont-do-that-then
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Sometimes, as a relay operator, you should open your ControlPort to the world, for various reasons - SSH is not always an option, you have an application that implements the Tor control protocol and it should control your OR remotely, etc.

When this happens, the current controller implementation doesn't have any mechanism to prevent bruteforcing of the HashedControlPassword or the authentication cookie, and also the hypothetical attacker will remain completely anonymous (in the general case, a possible solution is to have another service monitoring the sockets and logging the remote IP), because Tor doesn't log any data about him or her, like the IP address, for example. Because of this behaviour, you also can't use software like fail2ban to ban the attackers based on the logged failed attempts.

Given all this, even with a strong enough passphrase, it becomes easy to break through the authentication and do a lot of bad things.

Tor should have a configuration directive to specify a limit on the number of allowed attempts when the ControlPort socket is non-local. When the threshold is reached, Tor should block future attempts from this IP for a certain period of time.

The detailed logging will allow the use of other software to take care in depth.
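
Added example, not part of the ticket and not Tor's code: the per-address attempt limit and temporary block proposed above, written in C. All function names, the threshold, window and lockout values, and the fixed-size IPv4-only table are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAX_FAILURES 5    /* hypothetical threshold */
#define WINDOW_SECS  60   /* failures are counted within this window */
#define LOCKOUT_SECS 600  /* hypothetical block duration */
#define TABLE_SIZE   64   /* bounded memory: remote peers cannot grow it */
typedef struct {
  uint32_t addr;          /* remote IPv4 address; 0 marks an unused slot */
  unsigned failures;      /* failed attempts in the current window */
  time_t window_start;    /* time of the first failure in the window */
  time_t blocked_until;   /* attempts are refused before this time */
} auth_entry_t;

static auth_entry_t table[TABLE_SIZE];
static auth_entry_t *find_entry(uint32_t addr) {
  for (int i = 0; i < TABLE_SIZE; i++)
    if (table[i].addr == addr) return &table[i];
  return NULL;
}

/* Return 1 if addr must be refused before any credential is checked. */
int auth_is_blocked(uint32_t addr, time_t now) {
  auth_entry_t *e = find_entry(addr);
  return e != NULL && now < e->blocked_until;
}

/* Record one failed attempt; return 1 if addr is now locked out. */
int auth_note_failure(uint32_t addr, time_t now) {
  auth_entry_t *e = find_entry(addr);
  if (e == NULL) {
    /* Take a free slot, else evict the entry with the oldest window.
     * Eviction can drop an active block; size the table accordingly. */
    e = &table[0];
    for (int i = 0; i < TABLE_SIZE; i++) {
      if (table[i].addr == 0) { e = &table[i]; break; }
      if (table[i].window_start < e->window_start) e = &table[i];
    }
    memset(e, 0, sizeof(*e));
    e->addr = addr;
  }
  if (e->failures == 0 || now - e->window_start >= WINDOW_SECS) {
    e->failures = 0;      /* window expired: start counting afresh */
    e->window_start = now;
  }
  if (++e->failures >= MAX_FAILURES)
    e->blocked_until = now + LOCKOUT_SECS;
  return now < e->blocked_until;
}
```

A listener would call auth_is_blocked() when a connection arrives and auth_note_failure() after each rejected AUTHENTICATE command. Writing the remote address to the log at that second point is what would give a tool such as fail2ban something to match.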

Change History (3)

comment:1 Changed 5 years ago by programings

Summary: changed from "Tor controller [ControlPort] - bruteforce defence measures & detailed logging" to "Tor controller [ControlPort] - bruteforce defence measures & detailed logging when listening non-locally"

comment:2 Changed 5 years ago by yawning

Keywords: lorax added
Milestone: Tor: unspecified
Priority: changed from Medium to Very Low

This is the least of the things that make it an utterly terrible idea to expose the control port to anything that vaguely resembles the public internet. If someone writes a clean patch for it, I wouldn't be massively against having a config option, because defense in depth is nifty, but even after the patch, a remotely accessible control port would still be a terrible idea.

Triaging as appropriate.

comment:3 Changed 3 years ago by nickm

Keywords: tor-control defense-in-depth dont-do-that-then added