IRC Ban on Tor exit nodes

[silivrenion]

I run as an exit node for the Tor network, because I support anonymous internet practices, and the freedom of the people behind the Great Firewall of China and other restrictive locations. However, I woke up this morning to find my IRC log gives a gloomy message ::

* Connect retry #1 208.98.24.4 (6667)

-

-vertex.hak5.org- *** Looking up your hostname...

-

-vertex.hak5.org- *** Found your hostname (cached)

-

-vertex.hak5.org- *** Checking ident...

-

-vertex.hak5.org- *** No ident response; username prefixed with ~

-

-vertex.hak5.org- *** If you are having problems connecting due to ping timeouts, please type /quote pong AAA82881 or /raw pong AAA82881 now.

-

-vertex.hak5.org- *** You are banned from Hak5IRC (Your IP, 24.147.xxx.xx, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=24.147.xxx.xx)

-

Closing Link: Silivrenion[c-24-147-xxx-xx.hsd1.ma.comcast.net] (User has been banned from Hak5IRC (Your IP, 24.147.xxx.xx, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=24.147.xxx.xx))

-

* Disconnected

As a supporter of anonymous internet, and despite the fact that I promised owine I would not connect through the Tor network to irc.hak5.org, I was banned simply because of a service I run on my network.

Understandably, all services are susceptible to attack, and some server admins can ban those services at least temporarily until the attacks subside, but blocking all nodes hampers the reach of the entire Tor internet project. With internet neutrality rights being questioned today, Tor may be a white flag of hope in the distance for many people.

I don't mean to sound like a politician or anything, I just want to be able to support the projects I believe in, while being able to connect to hak5 IRC.

Freenode resolved a lot of these issues by implementing a whitelist of Tor users which are known to be 1. credible and trustworthy, 2. representative of the online Tor population, 3. under control of their exit node's traffic and bandwidth policies. Maybe this is a solution applicable here?

Authentication wise, I am not interested in anonymity myself to the Hak5 network. I only care about the anonymity of others, so I contribute my bandwidth. Is this a reason to ban me, when I carefully maintain my bandwidth and flood controls and try my best to provide a suitable service for everyone? If there's any authentication that can be done to verify my actual identity on the server, I'd do it. Heck, I'd call the phone or write snail mail if it meant the ability to talk on Hak5.

Owine mentioned on the IRC of an SSL connection to the IRC, but I wasn't able to make a connection to it. Is this my hope for connection?

Please allow me to support my projects which I believe in while being able to communicate on my favorite channel. Please whitelist my IP and other trusted Tor exit nodes, or remove the sectoor DNSBL ban, or provide a way for people who serve as exit nodes, but aren't connected through the Tor network to be able to use irc.hak5.org. I've been a fan of Hak5 up to this point, please don't give me a reason to change that now.

[cooper]

I think the trick is to either become friends with an IRC server admin, who can set things up so that you're granted access regardless. Another way out is to not allow Tor to grant outbound connections for IRC server ports (6660-6669).

I had the same thing before and figued it was too much of a hassle so I just removed Tor from the system altogether. It was too slow to be useful anyways.

[PoyBoy]

there should be some subscription tor severs (like 1 dollar a month for 15)

That would speed things up

[silivrenion]

Where would the money go? Supporting EFF and Tor, or somewhere else? Monopolizing on an open source product seems wrong on so many levels... -.-

[blizz]

There are commercials darknets (e.g. relakks) around.

Tor should remain free, they should just ban any p2p traffic *grrr*

[silivrenion]

I personally use the default exit policies on my exit node, but if there's abuse I hear about on freenode #tor, I remove those ports.

[blizz]

What are the default policies like? Sorry, I'm not really into tor yet..

[silivrenion]

tor.eff.org ::

How do Tor exit policies work?

Each Tor server has an exit policy that specifies what sort of outbound connections are allowed or refused from that server. The exit policies are propagated to the client via the directory, so clients will automatically avoid picking exit nodes that would refuse to exit to their intended destination.

This way each server can decide the services, hosts, and networks he wants to allow connections to, based on abuse potential and his own situation.

wiki.noreply.org ::

By default, your server allows access to many popular services, but restricts some (such as port 25) due to abuse potential. You can edit your torrc to make your exit policy more or less restrictive. If you want to avoid most if not all abuse potential, set it to "reject *:*". This is called being a "middleman" node.

http://wiki.noreply.org/noreply/TheOnionRo...AQ#DefaultPorts ::

4.15. Is there a list of default exit ports?

The default open ports are listed below but keep in mind that, any port or ports can be opened by the server operator by configuring it in torrc or modifying the source code. But the default according to tor.1.in from the source code release tor-0.1.0.8-rc is:

reject 0.0.0.0/8

//Reject non-routable IP's requests

reject 169.254.0.0/16

//Reject non-routable IP's requests

reject 127.0.0.0/8

//Reject non-routable IP's requests

reject 192.168.0.0/16

//Reject non-routable IP's requests

reject 10.0.0.0/8

//Reject non-routable IP's requests

reject 172.16.0.0/12

//Reject non-routable IP's requests

reject *:25

//Reject SMTP for anti-spam purposes

reject *:119

//Reject NNTP (News Network Transfer Protocol)

reject *:135-139

//Reject NetBIOS (File sharing for older versions of windows)

reject *:445

//Reject Microsoft-DS (a.k.a NetBIOS for newer NT versions)

reject *:1214

//Reject Kazaa

reject *:4661-4666

//Reject eDonkey network

reject *:6346-6429

//Reject Gnutella networks

reject *:6699

//Reject Napster

reject *:6881-6999

//Reject (Dark Star) deltasource & Bittorent network

accept *:*"

//Accept the rest of 65535 possible ports

Thanks to [WWW] http://www.seifried.org for port references.

[tx]

Not wanting to cause argument here, And im sure there are plenty of reasons why it is like this...

But should a IPTV show, based partially around hacking, and that even does segments on tor and its uses, block tor access to its IRC?

I can see in an IRC like this, the ability to connect and talk to the people in there annonymously would be a great advantage to some people.

Comments?

[PoyBoy]

thats the thing, the money goes to bandwidth

[silivrenion]

yeah, its slightly strange that we're introduced to tor in Hak5 Episode 10, yet IRC has it banned. :S

[cooper]

It's a standard thing in IRC server software that your machine is scanned for proxies. Aside from the admin's personal wishes, I think this is the type of setting that you have to explicitly deactivate since in most circumstances you want to keep this stuff enabled.

Plus, like I said, if your Tor exit node blocks the IRC portrange things are cool as far as IRC is concerned. And I can't recall Hak.5 coming out saying 'Use Tor to IRC anonymously'. 'Surf' perhaps, but not 'chat'.

[moonlit]

And I can't recall Hak.5 coming out saying 'Use Tor to IRC anonymously'. 'Surf' perhaps, but not 'chat'.

This is what I was saying in IRC when we discussed this; just because Hak5 says that TOR is cool that doesn't mean they have to allow users to connect to IRC via it... They also said Metasploit is cool but that doesn't mean they should leave the gate open for you got go right in and start remote-accessing all their boxes...

[Technologique]

They also said Metasploit is cool but that doesn't mean they should leave the gate open for you got go right in and start remote-accessing all their boxes...

Dude, when did they say it was cool? All I can recall is a lot of "Script Kiddie" being hurled around at the mere mention of Metasploit, and Nmap... but then again, I have been ver' ver' drunk between then and now..

[moonlit]

Dude, when did they say it was cool? All I can recall is a lot of "Script Kiddie" being hurled around at the mere mention of Metasploit, and Nmap... but then again, I have been ver' ver' drunk between then and now..

'Tis true but they've said it's very useful and to be honest, it might get used by skiddies but if you know why you're using it, what it does, how it does it and you're not using it for any reason that's either pointless, illegal or 'just to piss off my ex-gf's boyfriend' then it's cool/not skiddie.

:)

[anyedie]

i like secret interweb

[Darren Kitchen]

yeah, its slightly strange that we're introduced to tor in Hak5 Episode 10, yet IRC has it banned. :S

First off I need to apologize for the late response on this matter. I just got back from our trip to Canada and hadn't been keeping up with the forums.

I was not aware that Vertex-Hosting had started blocking Tor. I will have to speak to the administrator of that network and see what we can do about resolving this issue.

Personally I think Tor, and metasploit for that matter, are great tools when used responsibly.

In the meantime, please try connecting to our alternate server at 66.252.7.115. It's a node on the same network. They're all round robbined. And I believe even the irc.techphile.ca network has merged with ours but I haven't verified that. I've been so busy with production that I haven't had time to administrate the ever growing Hak5 network so I've had to delegate some of those responsabilities.

Again, I apologize for the late response and hope that you are able to reconnect to the IRC network soon.

If you have any other problems please feel free to email me directly.

Thanks,

Darren

[Joerg]

It seems that Tor servers are still blocked

ERROR : Closing link (xxxxx@ERR.CYLAB.CMU.EDU) [G-Lined: Your IP, xxx.xxx.xxx.xxx, is in our TOR Server List]

[VaKo]

It seems that Tor servers are still blocked

ERROR : Closing link (xxxxx@ERR.CYLAB.CMU.EDU) [G-Lined: Your IP, xxx.xxx.xxx.xxx, is in our TOR Server List]

IRC problems now go in http://forums.hak5.org/index.php/board,24.0.html