Block Tor Users from Viewing Your Site
Depending on what type of content you’re hosting, you might need to block Tor users from viewing your website.
The Tor Project provides a list of Tor exit nodes via the Tor Bulk Exit List exporting tool.
With this list, we can use ipset to block all of the Tor exit nodes from accessing your server. Anyone using Tor will no longer be able to access your website.
Step #1:
If you don’t already have ipset then install it now.
apt-get install ipset
Step #2:
Create a new set.
ipset create tor-nodes hash:ip
Step #3:
Create a bash script to download the list of Tor exit node IP addresses.
nano block-tor.sh
Paste the script into block-tor.sh and replace <path to script> with the directory where the script lives.
#!/bin/bash
#
# A bash script to download the latest list of Tor exit node IP addresses
# and add them to an IP set for the purpose of blocking them
#
# Author: Eric Mathison - https://ericmathison.com
#
# Directory that holds this script and its data files (edit this)
dir="/<path to script>"
# The bulk exit list is specific to the destination, so pass this server's public IP
my_ip=$(curl -s ipecho.net/plain)
# Download the Tor exit node IP address list
http_code=$(curl -s -o "$dir/block-tor-ips.txt" -w '%{http_code}' "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$my_ip")
# Exit script if unable to download list of IPs
if [ "$http_code" -ne 200 ]; then
    echo "Failed to connect to https://check.torproject.org/" >&2
    exit 1
fi
# Flush tor-nodes set
ipset flush tor-nodes
# Add IP addresses to set, skipping comment and blank lines
while read -r ip; do
    case "$ip" in \#*|"") continue ;; esac
    ipset -q -A tor-nodes "$ip"
done < "$dir/block-tor-ips.txt"
# Save set to file so it can be restored after a reboot
ipset save > "$dir/block-tor.restore"
Step #4:
Make the script executable.
chmod +x block-tor.sh
Step #5:
Restore the Tor block list after system reboots by adding the following to /etc/rc.local:
ipset restore < /<path to script>/block-tor.restore
iptables -I INPUT -m set --match-set tor-nodes src -j DROP
Step #6:
Create a cron job and schedule the script to run automatically every night at 5:00 AM. This will fetch the latest list of Tor exit nodes and add them to the block list.
nano /etc/cron.d/block-tor
Add the following to it:
0 5 * * * root /<path to script>/block-tor.sh > /dev/null 2>&1
Step #7:
Run the script for the first time:
sh /<path to script>/block-tor.sh
Add the set to iptables:
iptables -I INPUT -m set --match-set tor-nodes src -j DROP
Now test it out by opening Tor and navigating to your website.
If everything is working properly, you should now be blocked from visiting it.
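One refinement to the nightly refresh: the script above empties tor-nodes with ipset flush and then re-adds entries one at a time, so for a moment during each run the set is empty and nothing is blocked, and a download that returns 200 with an empty body would leave it empty until the next run. The following is an added example, not the post's script: it validates each line of the downloaded list, builds a scratch set, and swaps it into place atomically with ipset swap. The scratch set name tor-nodes-new, the placeholder paths and the embedded sample list are assumptions.

```shell
# Added example (not the post's script): refresh tor-nodes with no empty window.
# Assumed: scratch set name "tor-nodes-new", the placeholder paths, and the
# constructed SAMPLE_LIST (RFC 5737 documentation addresses, not real exit nodes).
set -eu
LIST_FILE="/<path to script>/block-tor-ips.txt"    # placeholder, as in the post
SAMPLE_LIST='# constructed header line, as the exporter emits comments
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.300

203.0.113.42'
# Accept only a dotted-quad IPv4 address; reject comments, blanks and junk.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}
# Read an exit list on stdin, emit "ipset restore" commands for a scratch set.
list_to_restore() {
    printf 'create %s hash:ip -exist\nflush %s\n' "$1" "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*) continue ;; esac
        if is_ipv4 "$line"; then printf 'add %s %s\n' "$1" "$line"; fi
    done
}
# Number of "add" commands in a restore script (sanity check before swapping).
count_adds() { grep -c '^add '; }
# Build the scratch set from the downloaded file, then swap it into place.
apply_swap() {
    restore=$(list_to_restore tor-nodes-new < "$LIST_FILE")
    n=$(printf '%s\n' "$restore" | count_adds) || n=0
    if [ "$n" -eq 0 ]; then
        echo "refusing to swap: list contains no usable addresses" >&2
        return 1
    fi
    printf '%s\n' "$restore" | ipset restore
    ipset swap tor-nodes-new tor-nodes      # live set now holds the fresh list
    ipset destroy tor-nodes-new
    ipset save > "/<path to script>/block-tor.restore"
}
# Only touch ipset when explicitly asked, e.g. from cron: block-tor-swap.sh apply
if [ "${1-}" = "apply" ]; then apply_swap; fi
```

Because the iptables rule keeps matching the set name tor-nodes, the swap takes effect without touching the firewall rule.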
Troubleshooting
View the IP addresses in the tor-nodes IP set:
ipset list tor-nodes
Check to see if there’s a DROP rule in iptables for the Tor nodes:
iptables -L
You should see a drop rule for tor-nodes as pictured here: