
Today we saw traffic going from CentOS servers to a Tor exit node. This caused some raised eyebrows and led us to investigate what was going on.

In the end it turned out that this exit node also acts as a CentOS repository mirror and yum decided that it was our fastest mirror.

Now that we know it should cause no harm, I wonder if others also noticed this type of behaviour.

How should we treat this mirror? Should we blacklist all known Tor exit nodes?

forest

3 Answers


Assuming the connection was legitimate (originated from Yum/Dnf over the expected protocol and port) there are no problems - even if the repo started serving malicious packages they won't be installed as the package manager checks signatures locally.

Just make sure the connection is actually legitimate and that your Yum/Dnf binary isn't compromised - it looks like a pretty good hiding strategy to put the malware in the package manager and have the server act as a package repo to trick unsuspecting admins into thinking it's just the package manager doing its legitimate thing while in fact it's talking to its C&C server.

André Borie

How should we treat this mirror? Should we blacklist all known TOR exit nodes?

That depends on your threat model.

Not all traffic involving a Tor node is malicious. The nature of DNS/IP is that things change and get reassigned, or are associated with shared platforms, so an overzealous blacklist that you don't continually monitor and purge may have unintended consequences.

Same as with blocking an entire country's IP range, it's up to your organization to determine whether or not this is acceptable.

Ivan

As long as the tor binary isn't vulnerable, there is no problem with it. Tor users can access the mirror files (and probably that's why they set up the node on the mirror / the mirror on the node), but cannot modify them, at least not more easily than any other user who can reach the mirror.

And it should be no threat to you at all even if something were modified, as the packages are signed by a key which does not belong to the mirror but to the package maintainers.

allo
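Both the first and the third answer rest on the same point: a mirror, whether or not it is also a Tor exit node, can only hand you packages whose signatures are verified locally, so the thing worth checking on your own hosts is that signature checking is actually enforced. The script below is an added example, not code from the question or from any of the answers. It audits INI-style `.repo` files of the kind found in `/etc/yum.repos.d/` and prints every repository section whose `gpgcheck` is not `1`; a section with no `gpgcheck` line is reported too, because its effective value then depends on the `[main]` default in `/etc/yum.conf` and deserves a look. The sample repo file, its repository names and the `.invalid` URLs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or any answer): audit yum/dnf
# repository definitions for sections that do not enforce GPG
# signature checking. Assumption: standard INI-style .repo files as
# found in /etc/yum.repos.d/ (section header on its own line,
# key=value pairs below it).

# Print the ids of repo sections in the file $1 whose gpgcheck is not "1".
# A missing gpgcheck line is reported as well; the effective default then
# comes from /etc/yum.conf, so it is something to review rather than trust.
audit_repo_file() {
    awk '
        /^\[.*\]$/ {
            # Flush the previous section before starting a new one.
            if (section != "" && gpg != "1") print section
            section = substr($0, 2, length($0) - 2)
            gpg = ""
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            # Keep only the value, with surrounding whitespace removed.
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            gpg = $0
        }
        END { if (section != "" && gpg != "1") print section }
    ' "$1"
}

# Constructed sample repo file for the demonstration; the repository
# names and URLs are placeholders, not real mirrors.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.example.invalid/centos/$releasever/extras/$basearch/
gpgcheck=0

[thirdparty]
name=Third-party repo with no gpgcheck line at all
baseurl=http://repo.example.invalid/el7/
EOF

# Prints "extras" and "thirdparty"; "base" enforces signature checking.
audit_repo_file "$SAMPLE_REPO"

# On a real host, run it over every repo file:
#   for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done
```

Any repository this reports is one where a malicious or compromised mirror would not be stopped by the local signature check the answers rely on; either set `gpgcheck=1` with a `gpgkey` you trust, or treat that repository's mirrors as part of your threat model. The check says nothing about the integrity of the `rpm`/`yum` binaries themselves, which is the separate concern the first answer raises.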