Programmatically block TOR networks easily

There are many reasons to block TOR networks.

  • Unchecked anonymity of your staff to surf without accountability
  • Hackers and the dregs of the Internet like to use it as a platform to do criminal acts online and potentially attack you anonymously
  • It’s a potential vector for information leakage

…and more.

I primarily block TOR on corporate networks unless there’s a corporate purpose like the Marketing department needing to spy on their competition without their competition knowing who’s doing the spying.  Otherwise you SHOULD block TOR, VPN and other anonymizers.

One way to accomplish this task is to programmatically download the list of TOR gateways and block them.  Lucky for our clients we do this by default, block first and ask questions later!

We download our block list from the torproject itself.  They publish a list of “Tor Exit Nodes” or routers where TOR browsers can come at you from.  This is a simple list of IP’s like this:

# This is a list of all Tor exit nodes from the past 16 hours that can contact 1.2.3.4 on port 80 #
# You can update this list by visiting https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4 #
# This file was generated on Mon May 29 13:04:18 UTC 2017 #
103.234.220.197
103.236.201.110
103.250.73.6

We started doing this when we detected people coming at some of our infrastructure from these nodes which led us to further investigate eventually leading us to discover the exit node list.  We then leverage this as one of our block lists that download on a schedule, our firewalls then download the list automagically on regular intervals.

Although we don’t want to give too much away our “get” command uses a program called “curl”.  I say “curl” but some people say “see url” and I don’t have a preference…potato-potahto.

#!/bin/sh
# Get the latest tor list
curl -s -z -O https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4 > /var/ftp/protect/torblock.txt

We can then parse the torblock.txt file and slice and dice it, the only thing we really have to take out are the first 3 lines of comments 😉  The rest you can programmatically add to your block list on a server or firewall.  We add ours on Linux servers with a:

do firewall-cmd –ipset=tor –add-entry=$variable

This adds it to a CentOS server’s firewall using FirewallD (firewall-cmd to control FirewallD) into an ipset called “tor”.  Tor is certainly the most popular anonymizers and thus one of the most potentially dangerous to your network.  There are many including simple VPN’s but this is a nice piece to the security puzzle, you can set it and forget it.

Lastly, one of the MOST IMPORTANT things about managing CLI equipment (switches, servers, access points, etc) is to save your running configuration which is typically temporary into your startup config or permanent configuration!  On CentOS you can do that if you’re using FirewallD like this:

firewall-cmd –runtime-to-permanent

If you’re having security problems we can help!
800-864-9497

Comments or questions are welcome.

* indicates required field

Leave a Reply

Your email address will not be published. Required fields are marked *