How to exclude specific relay servers

Hi there!

I’m not entirely sure this is the right channel to ask, or if this is the right question to ask. Today, my devices got flagged for suspicious activity at my university because they were making contact with Tor exit nodes.

I was initially very worried about this! “Oh crap, is something running on my computer and using Tor without my consent?” But it was actually both devices I had connected to the network: my personal laptop with KDE Neon, and my work computer with Windows. So the common denominator between them would have to jump out big time, and it did: they both run Syncthing.

My contact on the network team sent over the suspicious IP addresses, and I found them all on Syncthing’s public relay list. And they were all run by the same person, as well.

So I know that all of the relay servers run by this person are also Tor exit nodes, and they will get flagged by my university’s network security team. I’m sure my own use case will survive relays getting turned off entirely, but I think I would rather just exclude those relays. Is that possible to do?

No, unfortunately not. You can disable relaying, or you can manually set the address for a specific relay, but if you use the public pool you’ll get a random relay.

2 Likes

Okie doke. Relays off, it is. Thank you!

Do you think it is a point of concern for anyone contributing relay servers to also be running Tor exit nodes on the same hosts? I don’t really want to assign any kind of ideological judgment value to it, because there are good reasons to use Tor just as much as there are bad reasons.

But it could be considered bad networking practice to mix them together, and it could impact others’ usage of it as well, especially if any network security teams are extra-suspicious of any contact with Tor exit nodes at all. Is there a specific place I should report this if you want to know about it?

I don’t think it’s something we as a project have an opinion on, really.

2 Likes

My personal opinion is that anything judging services by the IP address of the target host is bad practice and should be stopped. But it is still very much common practice.

2 Likes

You can prevent access to Syncthing relays that are Tor exit nodes by using firewall rules.

With Linux Netfilter:

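#!/bin/sh

# Create the set; -exist keeps a repeated (cron) run from failing
ipset create tor iphash -exist

# Fetch the exit list, drop comment lines, add each address to the set
curl --silent --show-error --location "https://check.torproject.org/cgi-bin/TorBulkExitList.py" | sed -e '/^#/d' | while read -r IP
do
  ipset -q -A tor "$IP"
done

# Drop traffic arriving from the listed addresses
iptables -A INPUT -m set --match-set tor src -j DROP
# Syncthing dials relays itself, so also drop outbound connections to them
iptables -A OUTPUT -m set --match-set tor dst -j DROP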

Or in Windows PowerShell:

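# BlockTorExitNodes.ps1
$TorBulkExitUri = "https://check.torproject.org/cgi-bin/TorBulkExitList.py"
$TorBulkExitList = Invoke-WebRequest -Uri $TorBulkExitUri | Select-Object -ExpandProperty Content
# Content is a byte array for non-text responses and a string otherwise
if ($TorBulkExitList -is [byte[]]) {
	$TorBulkExitList = [System.Text.Encoding]::UTF8.GetString($TorBulkExitList)
}
# Drop comment lines, blank lines and stray whitespace
$TorBulkExitIPs = $TorBulkExitList -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch '^#' }

foreach ($IP in $TorBulkExitIPs) {
	New-NetFirewallRule -DisplayName "Block Tor Exit Node $IP" -Direction Outbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress $IP
}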

Season to taste and automate the job using Cron or Task Scheduler.

1 Like
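
The last reply suggests running its script from Cron. The following is an added example, not part of the original thread, of a refresh that can be re-run safely: it validates every downloaded line as an IPv4 address before it reaches the firewall, fills a temporary set and swaps it in atomically, and matches outbound traffic as the PowerShell version does. The set name and URL follow the post; the `-new` temporary set and the `apply` argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. SET and URL follow the post above;
# the "-new" temporary set and the "apply" argument are assumptions.
SET=tor
URL="https://check.torproject.org/cgi-bin/TorBulkExitList.py"

# Read a downloaded list on stdin, print an `ipset restore` script on stdout.
# Only well-formed IPv4 addresses pass; comments, blank lines, CR characters,
# HTML error pages and any other text are dropped, duplicates are collapsed.
build_restore() {
  echo "create ${SET}-new hash:ip"
  echo "flush ${SET}-new"
  tr -d '\r' | awk -v name="${SET}-new" '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($0, o, ".")
      if (o[1]+0 <= 255 && o[2]+0 <= 255 && o[3]+0 <= 255 && o[4]+0 <= 255 && !seen[$0]++)
        print "add " name " " $0
    }'
  echo "create ${SET} hash:ip"
  echo "swap ${SET}-new ${SET}"   # atomic: the live set is never half-filled
  echo "destroy ${SET}-new"
}

apply() {
  list=$(curl --silent --show-error --fail --location "$URL") || return 1
  script=$(printf '%s\n' "$list" | build_restore)
  # Keep the current set if the download held no usable address.
  printf '%s\n' "$script" | grep -q '^add ' || { echo "no addresses parsed" >&2; return 1; }
  # -exist tolerates sets left over from an earlier run.
  printf '%s\n' "$script" | ipset restore -exist || return 1
  # Syncthing dials relays itself, so match outbound packets by destination;
  # -C tests for the rule first so repeated runs do not stack duplicates.
  iptables -C OUTPUT -m set --match-set "$SET" dst -j DROP 2>/dev/null ||
    iptables -A OUTPUT -m set --match-set "$SET" dst -j DROP
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it as root with the `apply` argument; without an argument it only defines the functions.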
