
Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

Hello, here is a 20 minute tcpdump using the PCAP format.

There were only 19 packets inbound on port 22 during said time:

Interestingly, my server was communicating with some other server, making connections TO port 22.

I then looked up said IP in Metrics, and it was just as I assumed another Tor relay:

1 0.000000 104.219.232.126 135.148.149.23 22 TCP 74 37008 → 22 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM TSval=2099663009 TSecr=0 WS=512

The only portscan over a 20 minute timescan was this fellow:

19 466.667800 167.94.146.24 104.219.232.126 22 TCP 74 36027 → 22 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM TSval=1728927577 TSecr=0 WS=1024

So no, there is no scanning going on on my machine.

I attached the file if you want to take a look in Wireshark or whatever else parser you use.

P.S: Tor-relays moderators, maybe scrub the attachment as it can be used to track down part of a circuit.

All the best,
-GH
On Saturday, November 2nd, 2024 at 2:47 PM, George Hartley <hartley_george@xxxxxxxxx> wrote:

Hello,

I do operate an exit node which rejects exits on port 22.

You should, by default, change your SSH port to a random 5 digit number:

Random.org Random Number Generator

And apply static IPTables rules to block connection spam even if someone portscans your system (make sure to apply this rule to your random port, I just set the port here to 22):

$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Also, disable password-based authentication entirely, and go for at least RSA4096 or even better ED25519 login rendezvous.

I promise to later do a tcpdump on my machine, and see if relays on the public lists are more affected than your average "normal" server.

Of course there are always machines, more often infected than not, scanning the IPv4 ranges for open SSH ports, which possibly can be exploited.

Please wait for my reply in a few hours friend.

-GH

On Tuesday, October 29th, 2024 at 4:33 AM, Pierre Bourdon delroth@xxxxxxxxx wrote:

Hi relay ops,
By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Software Engineer @ Zürich, Switzerland
https://delroth.net/
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Attachment: capture.pcap
Description: application/vnd.tcpdump.pcap

Attachment: publickey - hartley_george@proton.me - 0xAEE8E00F.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
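To do the same triage GH describes above (count SYNs to port 22 in a capture, split into "others connecting to me" versus "me connecting to others", and spot a source that would trip the iptables --hitcount 4 rule quoted earlier in the thread) without opening Wireshark, here is an added example that is not from the thread: a stdlib-only Python reader for classic pcap files, run on a small capture constructed inline from the addresses quoted above, not on the attached capture.pcap.

```python
import struct
from collections import Counter

def _frame(src, dst, sport, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame; flags 0x02 = SYN, 0x12 = SYN/ACK."""
    ip4 = lambda a: bytes(int(o) for o in a.split('.'))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 32120, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp  # zeroed MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for sec, f in enumerate(frames):
        out += struct.pack('<IIII', sec, 0, len(f), len(f)) + f
    return out

def syn_summary(pcap, my_ip, port=22):
    """Count pure SYNs to `port`: inbound (peer -> us) and outbound (us -> peer), by peer IP.
    SYN/ACK replies carry ACK and are skipped, so only connection attempts are counted."""
    endian = '<' if pcap[:4] == b'\xd4\xc3\xb2\xa1' else '>'
    inbound, outbound, off = Counter(), Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + 'IIII', pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        src, dst = ('.'.join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + (frame[14] & 0x0f) * 4:]
        if len(tcp) < 14 or tcp[13] & 0x12 != 0x02 or int.from_bytes(tcp[2:4], 'big') != port:
            continue
        if dst == my_ip:
            inbound[src] += 1
        elif src == my_ip:
            outbound[dst] += 1
    return inbound, outbound

def suspects(inbound, hitcount=4):
    """Peers whose SYN count reaches the iptables --hitcount used in the thread."""
    return sorted(ip for ip, n in inbound.items() if n >= hitcount)

MY_IP = '104.219.232.126'  # the relay address from the capture lines above
SAMPLE = build_pcap(  # constructed traffic, not the attached capture
    [_frame(MY_IP, '135.148.149.23', 37008, 22),         # us -> another relay
     _frame('135.148.149.23', MY_IP, 22, 37008, 0x12)]   # its SYN/ACK, ignored
    + [_frame('167.94.146.24', MY_IP, 36027 + i, 22) for i in range(4)])  # probes

if __name__ == '__main__':
    inb, outb = syn_summary(SAMPLE, MY_IP)
    print('inbound', dict(inb), 'outbound', dict(outb), 'suspects', suspects(inb))
```

Point syn_summary at open('capture.pcap', 'rb').read() with the relay's own address to get the same split for a real tcpdump capture; pcapng files and non-Ethernet link types are not handled.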
