Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
On 2024-10-29 06:04, Toralf Förster via tor-relays wrote:
> On 10/29/24 04:33, Pierre Bourdon wrote:
>> Some tcpdumps showing random RSTs coming back to my machines running
>> relays (with no traffic being initiated by said machines beforehand):
> You used something like this?:
> tcpdump -i enp8s0 'tcp[13] & 4 != 0 && port 22'
You want a source port of 22.
For RSTs:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 and src port 22'
For SYN-ACKs:
tcpdump -i eth0 'tcp[13] & 18 == 18 and src port 22'
I tend to use nft counters for stuff like this:
If you don't have good nft accounting chains set up yet:
nft create table ip accounting
nft create chain ip accounting input { type filter hook input priority filter \; policy accept \; }
nft create chain ip accounting output { type filter hook output priority filter \; policy accept \; }
And then the counter rule:
nft add rule ip accounting input tcp sport 22 tcp flags == syn\|ack counter
You can add them for other source ports too - might be useful to expand
our scope to some other commonly abused ports like 25.
To check your counts:
nft list table ip accounting
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
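As an added example that is not part of this thread or of any Tor project code, the following Python script does offline what the tcpdump filters and nft counter above do on the wire: it parses IPv4/TCP headers from constructed packets, treats RST and SYN-ACK segments arriving from source port 22 as unsolicited backscatter when the host never opened a connection to that peer (the signature of someone spoofing the relay's address in a mass scan), and shows why a filter of the form tcp[13] & 18 != 0 also matches every plain ACK. All addresses, ports and the `INITIATED` set are constructed sample data.

```python
"""Spot RST / SYN-ACK backscatter from spoofed-source scans.

Added example (not from the tor-relays thread). Packets are built inline
so the script runs offline; in practice you would feed it frames from a
pcap taken with one of the tcpdump commands in the thread.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Iterable

# TCP flag bits as they appear in the flags byte (tcp[13] in BPF terms).
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv4+TCP packet (no options, zero checksums) for sample data."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt: bytes) -> Segment:
    """Extract addresses, ports and the flags byte from a raw IPv4/TCP packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Segment(src, dst, sport, dport, tcp[13])


def is_rst(flags: int) -> bool:
    return flags & TCP_RST != 0                     # tcp[13] & 4 != 0


def is_syn_ack(flags: int) -> bool:
    both = TCP_SYN | TCP_ACK
    return flags & both == both                    # tcp[13] & 18 == 18


def syn_or_ack_bug(flags: int) -> bool:
    """Semantics of 'tcp[13] & 18 != 0': true for any SYN *or* ACK, i.e. nearly everything."""
    return flags & 18 != 0


def find_backscatter(pkts: Iterable[bytes], local_ip: str,
                     initiated: set[tuple[str, int]],
                     watched_ports: tuple[int, ...] = (22,)) -> list[tuple[str, int, str]]:
    """Return (remote_ip, remote_port, kind) for RST / SYN-ACK segments sent to
    local_ip from a watched source port that match no connection in `initiated`
    (the set of (remote_ip, remote_port) pairs this host actually opened)."""
    hits: list[tuple[str, int, str]] = []
    for pkt in pkts:
        seg = parse_ipv4_tcp(pkt)
        if seg.dst != local_ip or seg.sport not in watched_ports:
            continue
        if (seg.src, seg.sport) in initiated:      # a reply we asked for
            continue
        if is_syn_ack(seg.flags):
            hits.append((seg.src, seg.sport, "syn-ack"))   # port open on the scanned host
        elif is_rst(seg.flags):
            hits.append((seg.src, seg.sport, "rst"))       # port closed on the scanned host
    return hits


# Constructed sample traffic (documentation address ranges, not real hosts).
LOCAL_IP = "198.51.100.5"
INITIATED = {("192.0.2.7", 22)}                       # the one ssh session we really opened
SAMPLE_PACKETS = [
    build_ipv4_tcp("203.0.113.10", LOCAL_IP, 22, 40001, TCP_SYN | TCP_ACK),  # unsolicited
    build_ipv4_tcp("203.0.113.11", LOCAL_IP, 22, 40002, TCP_RST | TCP_ACK),  # unsolicited
    build_ipv4_tcp("192.0.2.7", LOCAL_IP, 22, 51000, TCP_SYN | TCP_ACK),     # our own session
    build_ipv4_tcp("192.0.2.7", LOCAL_IP, 443, 51001, TCP_ACK),              # ordinary data ACK
    build_ipv4_tcp("203.0.113.12", LOCAL_IP, 55555, 22, TCP_SYN),            # inbound scan, not backscatter
]

if __name__ == "__main__":
    for remote, port, kind in find_backscatter(SAMPLE_PACKETS, LOCAL_IP, INITIATED):
        print(f"unsolicited {kind} from {remote}:{port}")
```

The `initiated` set is what makes the check meaningful: a SYN-ACK from port 22 is normal if you just ran ssh to that host, so a counter on its own only tells you the volume, while the set tells you which of those replies nobody on your side asked for. Widen `watched_ports` to add 25 or other commonly abused ports, just as the nft rule above can be duplicated per source port.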