Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread Chris Enkidu-6
As others have mentioned, this does not look like a Tor issue to me. It
more seems like a compromised or misconfigured server.

You mentioned you reinstalled the OS. Did you use the same root
password? My suggestion is that you go about this step by step. First
reinstall the OS with a different root password and no additional
software or configuration. Wait to see if you get any abuse reports. The
next step, install Tor and wait to see if you get an abuse report. And
the last step would be installing any additional packages that you might
be currently using for anything else if any.

This method could narrow down the cause.



On 7/23/2023 6:07 PM, John Crow via tor-relays wrote:
> Hello all,
>
> In the past 24 hrs, I have been receiving complaints from my hosting
> provider that they're receiving hundreds of abuse reports related to
> port scanning. I have no clue why I'm all of the sudden receiving
> abuse reports when this non-exit relay has been online for months
> without issues. In addition, I have other non-exit relays hosted by
> the same provider with no issues and more across other providers.
>
> I proceeded to reinstall the OS and reconfigure Tor.  I was then
> quickly notified by my hosting provider again of more abuse reports
> all showing port 22 as target port.
>
> I have not changed my torrc at all and it's still setup as a non-exit
> relay. No other applications/services were installed alongside Tor.
> Tor Metrics does not show the relay as Exit either.
>
> It feels like Tor Exit Traffic is leaking through my non-exit relay?
>
> Has anyone else experienced any behavior similar to this? Any ideas on
> how to fix or prevent this?
>
> prsv admin
>
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread Gary C. New via tor-relays
From the abuseipdb report, it almost seems like your server has been 
compromised and a rogue actor is attempting to ssh brute force attack the 
reporting plaintiffs' servers.
As suggested previously, use tcpdump on the server in question to confirm the 
outbound tcp/22 traffic.
If the issue is confirmed, you can configure the machine layer firewall to 
block all outbound tcp/22 traffic initiated from the server in question with 
iptables, etc.
I doubt it is Tor related.

Best Wishes!

Gary—
This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)
+ 2 x Charmast 26800mAh Power Banks
= iPhone XS Max 512GB (~2 Weeks Charged) 

On Thursday, July 27, 2023, 2:14:52 PM MDT, John Crow via tor-relays wrote:

Hello,
It is honestly still puzzling to me considering that the relay wasn’t 
compromised or misconfigured.
If you or anyone wants to check out the reports: 
https://www.abuseipdb.com/check/23.132.184.31
 

On Wed, Jul 26, 2023 at 2:16 PM, mpan - tor-1qnuaylp at mpan.pl wrote:
> In the past 24 hrs, I have been receiving complaints from my hosting 
> provider that they're receiving hundreds of abuse reports related to port 
> scanning. I have no clue why I'm all of the sudden receiving abuse reports 
> when this non-exit relay has been online for months without issues. In 
> addition, I have other non-exit relays hosted by the same provider with no 
> issues and more across other providers.
>
> I proceeded to reinstall the OS and reconfigure Tor. I was then quickly 
> notified by my hosting provider again of more abuse reports all showing port 
> 22 as target port.
>
> I have not changed my torrc at all and it's still setup as a non-exit relay. 
> No other applications/services were installed alongside Tor. Tor Metrics does 
> not show the relay as Exit either.
>
> It feels like Tor Exit Traffic is leaking through my non-exit relay?
Hello,

To me it seems like bogus or invalid reports. With certainty over 19
in 20. The picture simply does not fit port scanning.

 1. Not only middle relays, but exit nodes can only perform complete
TCP connections. Port scanning usually involves a SYN or UDP scan, which
is technically not possible to be done using any Tor node.

 2. Even if we assume somebody is hurting oneself by performing a
full-connection TCP scan, you mention only one port is being reported. A
port scan involves many ports. And this is not merely pedanticism
regarding naming. The detection of a port scan relies on this. In other
words: there is no way to classify traffic as a port scan, if only one
port is affected.

 Since only port 22 is affected and 22 is not a common port for Tor
relays, you may simply block egress traffic to this port altogether. The
same as IP address ranges for which reports come. If the reports
continue coming, you can be almost sure they are false. The little
uncertainty remains for some attacker having root (or above-root)
access to your machine, but this is not coming from your Tor relay.

 Before blocking IP address ranges, check if they are not relays. I do
not want to make positive statements about one trying to affect Tor
network, but such a possibility should also not be excluded without
checking.

Cheers


Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread John Crow via tor-relays
Hello,

It is honestly still puzzling to me considering that the relay wasn’t compromised or misconfigured.

If you or anyone wants to check out the reports: https://www.abuseipdb.com/check/23.132.184.31

On Wed, Jul 26, 2023 at 2:16 PM, mpan - tor-1qnuaylp at mpan.pl wrote:
> In the past 24 hrs, I have been receiving complaints from my hosting provider that they're receiving hundreds of abuse reports related to port scanning. I have no clue why I'm all of the sudden receiving abuse reports when this non-exit relay has been online for months without issues. In addition, I have other non-exit relays hosted by the same provider with no issues and more across other providers.
>
> I proceeded to reinstall the OS and reconfigure Tor. I was then quickly notified by my hosting provider again of more abuse reports all showing port 22 as target port.
>
> I have not changed my torrc at all and it's still setup as a non-exit relay. No other applications/services were installed alongside Tor. Tor Metrics does not show the relay as Exit either.
>
> It feels like Tor Exit Traffic is leaking through my non-exit relay?

Hello,

To me it seems like bogus or invalid reports. With certainty over 19 in 20. The picture simply does not fit port scanning.

1. Not only middle relays, but exit nodes can only perform complete TCP connections. Port scanning usually involves a SYN or UDP scan, which is technically not possible to be done using any Tor node.

2. Even if we assume somebody is hurting oneself by performing a full-connection TCP scan, you mention only one port is being reported. A port scan involves many ports. And this is not merely pedanticism regarding naming. The detection of a port scan relies on this. In other words: there is no way to classify traffic as a port scan, if only one port is affected.

Since only port 22 is affected and 22 is not a common port for Tor relays, you may simply block egress traffic to this port altogether. The same as IP address ranges for which reports come. If the reports continue coming, you can be almost sure they are false. The little uncertainty remains for some attacker having root (or above-root) access to your machine, but this is not coming from your Tor relay.

Before blocking IP address ranges, check if they are not relays. I do not want to make positive statements about one trying to affect Tor network, but such a possibility should also not be excluded without checking.

Cheers






Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread Xiaoqi Chen (Danny)
Hey John,

Perhaps one thing you can try in debugging is to run tcpdump on the server
in question, to check if it is indeed sending out a lot of port-scanning
packets. You can use the following command to filter for port 22 only. Make
sure to test with tor turned off as well.

    sudo tcpdump -vv dst port 22 and host not 123.45.xx.xx

(Since filter for port 22 will also capture your own ongoing ssh connection
to the server, you need to fill in your own computer's public IP address
into the filter to suppress it.)

Cheers,
--
Danny

On Wed, Jul 26, 2023 at 7:07 PM John Crow via tor-relays <
tor-relays@lists.torproject.org> wrote:

> Hello all,
>
> In the past 24 hrs, I have been receiving complaints from my hosting
> provider that they're receiving hundreds of abuse reports related to port
> scanning. I have no clue why I'm all of the sudden receiving abuse reports
> when this non-exit relay has been online for months without issues. In
> addition, I have other non-exit relays hosted by the same provider with no
> issues and more across other providers.
>
> I proceeded to reinstall the OS and reconfigure Tor.  I was then quickly
> notified by my hosting provider again of more abuse reports all showing
> port 22 as target port.
>
> I have not changed my torrc at all and it's still setup as a non-exit
> relay. No other applications/services were installed alongside Tor. Tor
> Metrics does not show the relay as Exit either.
>
> It feels like Tor Exit Traffic is leaking through my non-exit relay?
>
> Has anyone else experienced any behavior similar to this? Any ideas on how
> to fix or prevent this?
>
> prsv admin


[tor-relays] (no subject)

2023-07-27 Thread amanyaz Amangeldiyew
Hi. I am from Turkmenistan. I have obtained an obfs4 bridge from the internet but
only the IP address is readable. If anybody knows the full obfs4 bridge line please
send it to my mail. The IP address is:

obsf4 93.104.161.141


Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread Jonathan van der Steege
Hello John,

Unfortunately I don't have an answer and am not familiar with this problem. 
It's not exactly clear to me what is scanning what. Are the complaints about 
traffic coming from your relay port scanning devices around the internet on 
port 22? Or lots of incoming traffic scanning your port 22 because it's open?
Which OS do you use?
Are they sure the IP address is your relay only? Or do you share an IP in a 
cluster for example?

It seems improbable that exit relay traffic is leaking through, as that would 
make many guard and middle relays sensitive to abuse complaints.

I hope someone has some insights about this and you can resolve your issue.

Regards,


 Original Message 
From: John Crow via tor-relays 
Sent: July 24, 2023 12:07:44 AM GMT+02:00
To: tor-relays@lists.torproject.org
Cc: ad...@prsv.ch
Subject: [tor-relays] Receiving abuse reports for Non-Exit Relay

Hello all,

In the past 24 hrs, I have been receiving complaints from my hosting provider 
that they're receiving hundreds of abuse reports related to port scanning. I 
have no clue why I'm all of the sudden receiving abuse reports when this 
non-exit relay has been online for months without issues. In addition, I have 
other non-exit relays hosted by the same provider with no issues and more 
across other providers.

I proceeded to reinstall the OS and reconfigure Tor.  I was then quickly 
notified by my hosting provider again of more abuse reports all showing port 22 
as target port.

I have not changed my torrc at all and it's still setup as a non-exit relay. No 
other applications/services were installed alongside Tor. Tor Metrics does not 
show the relay as Exit either.

It feels like Tor Exit Traffic is leaking through my non-exit relay?

Has anyone else experienced any behavior similar to this? Any ideas on how to 
fix or prevent this?

prsv admin
--
/ Jonathan van der Steege

My GnuPG key is: c6f32128e7522f4acb878d6a4a9f0b50ace75416


Re: [tor-relays] Receiving abuse reports for Non-Exit Relay

2023-07-27 Thread mpan

> In the past 24 hrs, I have been receiving complaints from my hosting provider 
> that they're receiving hundreds of abuse reports related to port scanning. I 
> have no clue why I'm all of the sudden receiving abuse reports when this 
> non-exit relay has been online for months without issues. In addition, I have 
> other non-exit relays hosted by the same provider with no issues and more 
> across other providers.
>
> I proceeded to reinstall the OS and reconfigure Tor.  I was then quickly 
> notified by my hosting provider again of more abuse reports all showing port 22 
> as target port.
>
> I have not changed my torrc at all and it's still setup as a non-exit relay. No 
> other applications/services were installed alongside Tor. Tor Metrics does not 
> show the relay as Exit either.
>
> It feels like Tor Exit Traffic is leaking through my non-exit relay?

Hello,

  To me it seems like bogus or invalid reports. With certainty over 19 
in 20. The picture simply does not fit port scanning.


 1. Not only middle relays, but exit nodes can only perform complete 
TCP connections. Port scanning usually involves a SYN or UDP scan, which 
is technically not possible to be done using any Tor node.


 2. Even if we assume somebody is hurting oneself by performing a 
full-connection TCP scan, you mention only one port is being reported. A 
port scan involves many ports. And this is not merely pedanticism 
regarding naming. The detection of a port scan relies on this. In other 
words: there is no way to classify traffic as a port scan, if only one 
port is affected.


  Since only port 22 is affected and 22 is not a common port for Tor 
relays, you may simply block egress traffic to this port altogether. The 
same as IP address ranges for which reports come. If the reports 
continue coming, you can be almost sure they are false. The little 
uncertainty remains for some attacker having root (or above-root) 
access to your machine, but this is not coming from your Tor relay.


  Before blocking IP address ranges, check if they are not relays. I do 
not want to make positive statements about one trying to affect Tor 
network, but such a possibility should also not be excluded without 
checking.


Cheers


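Added here as an example (not code from anyone in the thread) that puts Gary's and Danny's tcpdump check together with mpan's reasoning about what a port scan looks like: it parses `tcpdump -nn -tt` lines, keeps only connections the relay host itself opened, drops the operator's own SSH session, and classifies the result. The relay address is the one from the abuseipdb link in the thread; the operator IP 192.0.2.10 and the capture lines are constructed.

```python
import re
from collections import defaultdict

# One IPv4 line of `tcpdump -nn -tt`: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)
RELAY_IP = "23.132.184.31"  # relay address from the abuseipdb link in the thread
ADMIN_IP = "192.0.2.10"     # constructed placeholder for the operator's own public IP

# Constructed capture lines, not real traffic from the relay under discussion.
SAMPLE = [
    "1690480000.10 IP 23.132.184.31.41000 > 198.51.100.7.22: Flags [S], seq 1, win 64240, length 0",
    "1690480000.11 IP 23.132.184.31.41001 > 198.51.100.8.22: Flags [S], seq 1, win 64240, length 0",
    "1690480000.12 IP 23.132.184.31.41002 > 203.0.113.5.22: Flags [S], seq 1, win 64240, length 0",
    "1690480000.13 IP 198.51.100.7.22 > 23.132.184.31.41000: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "1690480000.14 IP 192.0.2.10.55000 > 23.132.184.31.22: Flags [S], seq 1, win 64240, length 0",
    "1690480000.15 IP 23.132.184.31.22 > 192.0.2.10.55000: Flags [S.], seq 3, ack 2, win 65160, length 0",
    "1690480000.16 IP 23.132.184.31.9001 > 198.51.100.7.443: Flags [P.], seq 1:50, ack 1, win 502, length 49",
]

def parse_line(line):
    """Return (src, sport, dst, dport, flags) for an IPv4 tcpdump line, else None."""
    m = LINE_RE.match(line)
    return None if m is None else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def outbound_syns(lines, relay_ip, admin_ip):
    """Map destination host -> ports that relay_ip itself opened connections to.
    Only bare SYNs ("S") count, never the "S." SYN-ACK half of a handshake, and packets
    involving admin_ip are dropped, like the 'host not <your IP>' clause in Danny's filter."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _sport, dst, dport, flags = rec
        if src == relay_ip and admin_ip not in (src, dst) and flags == "S":
            targets[dst].add(dport)
    return targets

def classify(targets):
    """mpan's point 2: many ports on one host is a port scan; many hosts on one
    port is a single-port sweep, which is the pattern SSH abuse reports describe."""
    if any(len(ports) > 1 for ports in targets.values()):
        return "port-scan"
    if len(targets) > 1:
        return "single-port-sweep"
    return "no-pattern"
```

Lines from a live capture (Danny's command with `-nn -tt` added so addresses and timestamps stay numeric) can replace SAMPLE; a "single-port-sweep" verdict with Tor stopped points at the host, not the relay.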