[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Red Oaive
clearly at ivegotyour.pw
Tue Oct 29 17:55:06 UTC 2024
On 2024-10-29 06:04, Toralf Förster via tor-relays wrote:
> On 10/29/24 04:33, Pierre Bourdon wrote:
>> Some tcpdumps showing random RSTs coming back to my machines running
>> relays (with no traffic being initiated by said machines beforehand):
>
> You used something like this? :
>
> tcpdump -i enp8s0 'tcp[13] & 4 != 0 && port 22'
You want source port of 22.
For RSTs:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 and src port 22'
For SYN-ACKs:
tcpdump -i eth0 'tcp[13] & 18 == 18 and src port 22'
I tend to use nft counters for stuff like this:
If you don't have good nft accounting chains set up yet:
nft create table ip accounting
nft create chain ip accounting input { type filter hook input priority filter \; policy accept \; }
nft create chain ip accounting output { type filter hook output priority filter \; policy accept \; }
And the counter rule:
nft add rule ip accounting input tcp sport 22 tcp flags == syn\|ack counter
You can add them for other source ports too - might be useful to expand
our scope to some other commonly abused ports like 25.
To check your counts:
nft list table ip accounting
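To turn those counters into something you can alert on, here is an added Python example (not from the post or any tor-relays tooling) that parses two `nft list table ip accounting` listings taken some seconds apart, computes the per-source-port SYN-ACK backscatter rate, and flags ports whose rate suggests the relay's address is being spoofed. The two listings and the threshold are constructed for illustration; the `tcp flags == (syn|ack)` rendering is assumed, so the regex only keys on `tcp sport` and `counter packets`.

```python
import re

# Constructed listings (not captured from a real relay) in the shape nft prints
# for the accounting table and SYN-ACK counter rules described in the post.
SNAPSHOT_T0 = """\
table ip accounting {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp sport 22 tcp flags == (syn|ack) counter packets 120 bytes 7200
		tcp sport 25 tcp flags == (syn|ack) counter packets 3 bytes 180
	}
}
"""
SNAPSHOT_T1 = """\
table ip accounting {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp sport 22 tcp flags == (syn|ack) counter packets 9120 bytes 547200
		tcp sport 25 tcp flags == (syn|ack) counter packets 5 bytes 300
	}
}
"""

# Only the source port and the packet/byte counts matter; flag syntax may vary by nft version.
RULE_RE = re.compile(
    r"tcp sport (?P<port>\d+) .*?counter packets (?P<packets>\d+) bytes (?P<bytes>\d+)"
)

def parse_counters(listing: str) -> dict[int, tuple[int, int]]:
    """Map source port -> (packets, bytes) from an `nft list table` listing."""
    counters = {}
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if m:
            counters[int(m["port"])] = (int(m["packets"]), int(m["bytes"]))
    return counters

def backscatter_rates(before: str, after: str, interval_s: float) -> dict[int, float]:
    """Per-port unsolicited SYN-ACK packets/second between two listings interval_s apart."""
    c0, c1 = parse_counters(before), parse_counters(after)
    rates = {}
    for port, (pkts1, _) in c1.items():
        pkts0 = c0.get(port, (0, 0))[0]
        rates[port] = max(pkts1 - pkts0, 0) / interval_s  # counters only grow unless reset
    return rates

def flag_spoofing_suspects(rates: dict[int, float], threshold_pps: float) -> list[int]:
    """Ports whose backscatter rate is high enough to suspect our IP is being spoofed."""
    return sorted(p for p, r in rates.items() if r >= threshold_pps)
```

Run it from cron against two real listings spaced a minute apart; a sustained rate on sport 22 with no outbound SSH connections from the host is the signature the thread is discussing.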