Block TOR connections with Proxmox Firewall
Before you form an angry mob, hear me out. I understand TOR is an invaluable tool for anonymity online. If I were running a server that supported more than close friends and family, I would definitely weight out the cons of stopping TOR connections from coming into my network. But I don’t. I run a home server that, like most of us “Self-Hosters” are bombarded with the average script kiddie tempting to scan this, and brute force that. I don’t have a fancy firewall yet, and that’s why I looked to Block TOR connections via Proxmox Firewall.
We can’t Block Them All
Although the tor project keeps a nice up-to-date list of public tor exit nodes, there are many that are private or go unlisted. The github repository over at SecOps-Institute provides a decent list of exit nodes that seem to contain more than that of the official one provided by the TOR project. That’s why I will be using their list for the project we are about to discuss.
The Proxmox Firewall
While I don’t have the luxury of a dedicated firewall yet, I do have the software firewall within Proxmox. It also contains a file over at “/etc/pve/firewall/cluster.fw” that we can use to add Blacklists of IPs. But to use this, we must first enable the host Firewall within Proxmox. This is typically located Within Datacenter ->Firewall -> Options.
You will also need to enable the firewall on any VM/container you would like affected by the blocklist.
I typed up a quick python script to handle the task of updating cluster.fw with up to date TOR exit node addresses. Yo can find the project here: https://github.com/modernham/ProxBlocks. This short python script will read your current Firewall Configuration, and append the TOR IP list to the “Blacklist” Section.
I’ve set this up to run every 12 hours creating a host wide block on any TOR address attempting to access my network in any way.
You can follow the directions below to Deploy/Install the Script (Ran from Proxmox SSH)
apt-get install python3
apt-get install wget
To run this script automatically, I’ve setup a cron task that will run every 12 hours. You can see my example below:
0 */12 * * * /usr/bin/python3 /root/ProxBlocks/proxblocks.py >> ~/cron.log 2>&1
Hopefully you found this useful, and are now Blocking TOR connections with the Proxmox Firewall. If you’re self hosting, and running a blog like I am, check out https://takethebait.net/stop-compromising-your-home-server-security-by-oversharing/.