Block TOR connections with Proxmox Firewall

Block TOR connections with Proxmox Firewall

Before you form an angry mob, hear me out. I understand TOR is an invaluable tool for anonymity online. If I were running a server that supported more than close friends and family, I would definitely weight out the cons of stopping TOR connections from coming into my network. But I don’t. I run a home server that, like most of us “Self-Hosters” are bombarded with the average script kiddie tempting to scan this, and brute force that. I don’t have a fancy firewall yet, and that’s why I looked to Block TOR connections via Proxmox Firewall.

We can’t Block Them All

Although the tor project keeps a nice up-to-date list of public tor exit nodes, there are many that are private or go unlisted. The github repository over at SecOps-Institute provides a decent list of exit nodes that seem to contain more than that of the official one provided by the TOR project. That’s why I will be using their list for the project we are about to discuss.

The Proxmox Firewall

While I don’t have the luxury of a dedicated firewall yet, I do have the software firewall within Proxmox. It also contains a file over at “/etc/pve/firewall/cluster.fw” that we can use to add Blacklists of IPs. But to use this, we must first enable the host Firewall within Proxmox. This is typically located Within Datacenter ->Firewall -> Options.

Image of Proxmox Firewall Settings
Image of Proxmox Firewall Settings

You will also need to enable the firewall on any VM/container you would like affected by the blocklist.

Introducing ProxBlocks

I typed up a quick python script to handle the task of updating cluster.fw with up to date TOR exit node addresses. Yo can find the project here: https://github.com/modernham/ProxBlocks. This short python script will read your current Firewall Configuration, and append the TOR IP list to the “Blacklist” Section.

I’ve set this up to run every 12 hours creating a host wide block on any TOR address attempting to access my network in any way.

You can follow the directions below to Deploy/Install the Script (Ran from Proxmox SSH)

apt-get install python3
apt-get install wget
mkdir /root/ProxBlocks
cd /root/ProxBlocks
wget https://raw.githubusercontent.com/modernham/ProxBlocks/main/proxblocks.py

To run this script automatically, I’ve setup a cron task that will run every 12 hours. You can see my example below:

#Open Cron
crontab -e
#Paste In
0 */12 * * * /usr/bin/python3 /root/ProxBlocks/proxblocks.py >> ~/cron.log 2>&1

Hopefully you found this useful, and are now Blocking TOR connections with the Proxmox Firewall. If you’re self hosting, and running a blog like I am, check out https://takethebait.net/stop-compromising-your-home-server-security-by-oversharing/.

Leave a Reply

Your email address will not be published. Required fields are marked *