[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

George Hartley hartley_george at proton.me
Sun Nov 3 05:29:21 UTC 2024


Hello, here is a 20 minute tcpdump using the PCAP format.

There were only 19 packets inbound on port 22 during said time:

Interestingly, my server was communicating with some other server, making connections TO port 22.

I then looked up said IP in Metrics, and it was, just as I assumed, another Tor relay:

1 0.000000 104.219.232.126 135.148.149.23 22 TCP 74 37008 → 22 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM TSval=2099663009 TSecr=0 WS=512

The only portscan over a 20 minute timespan was this fellow:

19 466.667800 167.94.146.24 104.219.232.126 22 TCP 74 36027 → 22 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM TSval=1728927577 TSecr=0 WS=1024

So no, there is no scanning going on on my machine.

I attached the file if you want to take a look in Wireshark or whatever else parser you use.

P.S: Tor-relays moderators, maybe scrub the attachment as it can be used to track down part of a circuit.

All the best,
-GH
On Saturday, November 2nd, 2024 at 2:47 PM, George Hartley <hartley_george at proton.me> wrote:

> Hello,
>
> I do operate an exit node which rejects exits on port 22.
>
> You should, by default, change your SSH port to a random 5 digit number:
>
> Random.org Random Number Generator
>
> And apply static IPTables rules to block connection spam even if someone portscans your system (make sure to apply this rule to your random port, I just set the port here to 22):
>
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> Also, disable password-based authentication entirely, and go for at least RSA4096 or even better ED25519 login rendezvous.
>
> I promise to later do a tcpdump on my machine, and see if relays on the public lists are more affected than your average "normal" server.
>
> Of course there are always machines, more often infected than not, scanning the IPv4
> ranges for open SSH ports, which possibly can be exploited.
>
> Please wait for my reply in a few hours friend.
>
> -GH
>
> On Tuesday, October 29th, 2024 at 4:33 AM, Pierre Bourdon delroth at gmail.com wrote:
>
> > Hi relay ops,
> > By any chance, any other relay ops seeing the same thing, or am I just
> > going crazy? (it does kind of sound insane...)
> >
> > Software Engineer @ Zürich, Switzerland
> > https://delroth.net/
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
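The triage described in this thread, as an added Python example that is not code from the poster or the list: it splits port-22 SYNs in a Wireshark packet-list export into the relay's own outbound connections and inbound attempts, then flags the sources that the quoted iptables `recent` rule (4 hits within 300 seconds) would drop. It assumes the column layout of the two packet lines quoted in the post; the sample below is constructed apart from those two lines.

```python
import re
from collections import defaultdict

# Packet-list columns as exported in the thread: No. Time Src Dst DstPort Proto Len Info
LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+\d+\s+TCP\s+\d+\s+"
    r"\d+\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_syns(lines, port=22):
    """Yield (time, src, dst) for every bare SYN aimed at `port`."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("flags") == "SYN" and int(m.group("dport")) == port:
            yield float(m.group("time")), m.group("src"), m.group("dst")

def triage(lines, my_ip, port=22, window=300.0, hitcount=4):
    """Split port-22 SYNs into the relay's own outbound connections and inbound
    attempts, and flag sources the thread's iptables 'recent' rule would drop
    (`hitcount` SYNs inside `window` seconds)."""
    outbound, inbound = set(), defaultdict(list)
    for t, src, dst in parse_syns(lines, port):
        if src == my_ip:
            outbound.add(dst)
        elif dst == my_ip:
            inbound[src].append(t)
    bursty = set()
    for src, times in inbound.items():
        times.sort()
        # any run of `hitcount` SYNs spanning <= `window` seconds counts as a burst
        if any(times[i + hitcount - 1] - times[i] <= window
               for i in range(len(times) - hitcount + 1)):
            bursty.add(src)
    return outbound, {s: len(t) for s, t in inbound.items()}, bursty

# Constructed sample: the two packets quoted in the post plus four made-up SYNs
# from an RFC 5737 documentation address, standing in for a real scanner.
SAMPLE = """\
1 0.000000 104.219.232.126 135.148.149.23 22 TCP 74 37008 → 22 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM TSval=2099663009 TSecr=0 WS=512
19 466.667800 167.94.146.24 104.219.232.126 22 TCP 74 36027 → 22 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM TSval=1728927577 TSecr=0 WS=1024
20 470.100000 192.0.2.10 104.219.232.126 22 TCP 74 40001 → 22 [SYN] Seq=0 Win=1024 Len=0
21 471.200000 192.0.2.10 104.219.232.126 22 TCP 74 40002 → 22 [SYN] Seq=0 Win=1024 Len=0
22 472.300000 192.0.2.10 104.219.232.126 22 TCP 74 40003 → 22 [SYN] Seq=0 Win=1024 Len=0
23 473.400000 192.0.2.10 104.219.232.126 22 TCP 74 40004 → 22 [SYN] Seq=0 Win=1024 Len=0
""".splitlines()

if __name__ == "__main__":
    out, inb, burst = triage(SAMPLE, "104.219.232.126")
    print(f"outbound to {sorted(out)}; inbound {inb}; burst sources {sorted(burst)}")
```

A real export comes from File > Export Packet Dissections > As Plain Text in Wireshark, or `tshark -r capture.pcap` with matching columns; lines that do not fit the layout are ignored.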
-------------- next part --------------
A non-text attachment was scrubbed...
Name: capture.pcap
Type: application/vnd.tcpdump.pcap
Size: 7666 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20241103/39956982/attachment-0001.pcap>