Guides on system administration, 3D printing and other technology related projects.

Block Tor Users from Viewing Your Site

Block Tor Users from Viewing Your Site

Depending on what type of content you’re hosting, you might have the need to block Tor users from viewing your website.

The Tor Project provides a list of Tor exit nodes via the Tor Bulk Exit List exporting tool.

With this list, we can utilize ipset to block out all of the Tor exit nodes from accessing your server. Anyone using Tor will no longer be able to access your website.

Step #1:

If you don’t already have ipset then install it now.

apt-get install ipset

Step #2:

Create a new set.

ipset create tor-nodes hash:ip

Step #3:

Create a bash script to download the list of Tor exit node IP addresses.

nano block-tor.sh

Paste the script into block-tor.sh and modify the path for <path to script>

#!/bin/bash

#
# A bash script to download the latest list of Tor exit node IP addresses
# and add them to an IP set for the purpose of blocking them
# 
# Author: Eric Mathison - https://ericmathison.com
#

# Download the Tor exit node IP address list
http_code=$(curl -s -o /home/unum/scripts/data/block-tor-ips.txt -w '%{http_code}'  https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$(curl ipecho.net/plain);)

# Exit script if unable to download list of IPs
if [ ! "$http_code" -eq "200" ]; then
 echo Failed to connect to https://check.torproject.org/
 exit 1
fi

# Flush tor-nodes set
ipset flush tor-nodes

# Add IP addresses to set
while read -r ip; do
 case "$ip" in \#*) continue ;; esac
 ipset -q -A tor-nodes $ip
done < "/<path to script>/block-tor-ips.txt"

# Save set to file
ipset save > /<path to script>/block-tor.restore

Make the script executable.

chmod +x block-tor.sh

Step #5:

Restore the Tor block list after system reboots by adding the following to /etc/rc.local

ipset restore < /<path to script>/block-tor.restore
iptables -I INPUT -m set --match-set tor-nodes src -j DROP

Step #6:

Create a cron job and schedule the script to run automatically every night at 5:00 AM. This will fetch the latest list of Tor exit nodes and add them to the block list.

nano /etc/cron.d/block-tor

Add the following to it:

0 5 * * * root /<path to script>/block-tor.sh > /dev/null 2>&1

Step #7:

Run the script for the first time:

sh /<path to script>/block-tor.sh

Add the set to iptables:

iptables -I INPUT -m set --match-set tor-nodes src -j DROP

Now test it out by opening Tor and navigating to your website.

If everything is working properly, you should now be blocked from visiting it.

tor-website-blocked

Troubleshooting

View the IP addresses in the tor-nodes IP set:

ipset list tor-nodes

iptables-drop-tor-exit-nodes-ipset-list

Check to see if there’s a DROP rule in iptables for the Tor nodes:

iptables -L

You should see a drop rule for tor-nodes as pictured here:

iptables-drop-tor-exit-nodes


Tags: #tor

© Eric Mathison 2017-2020.