How to block all of TOR IP addresses

[Speedy059]

Is there a quick way to add all of the IP's for the TOR exit nodes? There are several databases online (text databases) of all of the TOR exit nodes. I would like to block all of these IP addresses from using my site since they are very malicious users.

I know in cpanel you can you "IP Blocker" and add 1 IP at a time, this would take an extremely long time. Is there a way to add 1000's of IP's?

 

[cPanelLauren]

You can add multiple IP's by adding a range, implied range or CIDR format entry as detailed in the UI:



Single IP Address
192.168.0.1
2001:db8::1
Range
192.168.0.1-192.168.0.40
2001:db8::1-2001:db8::3
Implied Range
192.168.0.1-40
CIDR Format
192.168.0.1/32
2001:db8::/32
Implies
192.*.*.*
192.

 

[vacancy]

https://github.com/SecOps-Institute/Tor-IP-Addresses/blob/master/tor-nodes.lst

You can prevent tor browser access by adding it to csf.deny. But you should check and update the list once a week, these ip addresses change.

 

[ScottyBoy]

The best way to stop them is with a firewall before it reaches the server. If possible, I would suggest blocking them at the edge. If that is not possible, you are going to keep and updated list from:

https://www.dan.me.uk/tornodes

using cPanelLauren's post, I would suggest blocking single IPs as most of them are not on the same subnets so doing a 192.168.0.1/24 which would block all 192.168.0.1-192.168.0.255 and many of them are most likely not ToR nodes

as well a little addendum to her post:
CIDR Format
192.168.0.1/24
2001:db8::/24
Implies
192.168.0.*
192.168.0.

(the CIDR Format she posted would only block 1 IP: 192.168.0.1 as it was a /32)

 

[cPanelLauren]

I actually just used the example in the UI in my post - the CIDR format there is indeed only referencing one IP

 

[PlotHost]

Take a look at /etc/csf/csf.blocklists
There is already code for TOR exit nodes

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

Anyway, you can add your own list to csf.blocklists

 

[Speedy059]

Take a look at /etc/csf/csf.blocklists
There is already code for TOR exit nodes

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

Anyway, you can add your own list to csf.blocklists

Thank you for the suggestion. I checked the server and it didn't have CSF installed yet. Just so anyone else needs to do this:

I just followed the instructions here: Additional Security Software | cPanel & WHM Documentation . Once the CSF plugin is installed, it's easy to copy and paste thousands of IP's.

 

[rscalover]

Hello,

Configserver.com csf can block tor in /etc/csf/csf.blocklists uncomment the line that is already there and in /etc/csf/csf.conf make sure URLGET is set to use LWP restart the firewall and look at lfd.log.

 

[Speedy059]

Hello,

Configserver.com csf can block tor in /etc/csf/csf.blocklists uncomment the line that is already there and in /etc/csf/csf.conf make sure URLGET is set to use LWP restart the firewall and look at lfd.log.

Thanks, saw that after my post.

 

[jagonoja]

I enabled the TOR blocklist. Then I realized: what

Take a look at /etc/csf/csf.blocklists
There is already code for TOR exit nodes

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

Anyway, you can add your own list to csf.blocklists

I enabled the TOR blocklist. But then I thought: what if one day I am trying to reach my server under a heavy surveillance firewall behind enemy lines, and the only way to do this is through TOR, because all VPNs have been blocked or infiltrated? Elon Musk will not be answering my calls...