<html><head></head><body><div class="ydp89bb1fa2yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div><div>From the abuseipdb report, it almost seems like your server has been compromised and a rogue actor is attempting to ssh brute force attack the reporting plaintiffs' servers.</div><div><br></div><div>As suggested previously, use tcpdump on the server in question to confirm the outbound tcp/22 traffic.</div><div><br></div><div>If the issue is confirmed, you can configure the machine layer firewall to block all outbound tcp/22 traffic initiated from the server in question with iptables, etc.</div><div><br></div><div><span>I doubt it is Tor related.</span><br></div><div><span><br></span></div><div><span>Best Wishes!</span></div><div><span><br></span></div><div><br></div><div>Gary</div><div class="ydp89bb1fa2signature">—<br>This Message Originated by the Sun.<br>iBigBlue 63W Solar Array (~12 Hour Charge)<br>+ 2 x Charmast 26800mAh Power Banks<br>= iPhone XS Max 512GB (~2 Weeks Charged)</div></div>
<div><br></div><div><br></div>
<div id="ydp89bb1fa2yahoo_quoted_1272922923" class="ydp89bb1fa2yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Thursday, July 27, 2023, 2:14:52 PM MDT, John Crow via tor-relays <tor-relays@lists.torproject.org> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="ydp89bb1fa2yiv4002273532"><div> <div>Hello,</div><div><br clear="none"></div><div> It is honestly still puzzling to me considering that the relay wasn’t compromised or misconfigured.</div><div><br clear="none"></div><div>If you or anyone wants to check out the reports</div><div><a shape="rect" href="https://www.abuseipdb.com/check/23.132.184.31" rel="nofollow" target="_blank">https://www.abuseipdb.com/check/23.132.184.31</a><br clear="none"></div> <div><br clear="none"></div><div><div id="ydp89bb1fa2yiv4002273532yqtfd58187" class="ydp89bb1fa2yiv4002273532yqt3408646650"><br clear="none"></div></div><div id="ydp89bb1fa2yiv4002273532yqtfd08054" class="ydp89bb1fa2yiv4002273532yqt3408646650">On Wed, Jul 26, 2023 at 2:16 PM, mpan - tor-1qnuaylp at mpan.pl <<a shape="rect" href="mailto:On Wed, Jul 26, 2023 at 2:16 PM, mpan - tor-1qnuaylp at mpan.pl <<a href=" class="ydp89bb1fa2yiv4002273532" rel="nofollow" target="_blank">tor-1qnuaylp_at_mpan_pl_zcbqwoytkh@simplelogin.co</a>> wrote:<blockquote type="cite" class="ydp89bb1fa2yiv4002273532protonmail_quote"> > In the past 24 hrs, I have been receiving complaints from my hosting provider that they're receiving hundreds of abuse reports related to port scanning. I have no clue why I'm all of the sudden receiving abuse reports when this non-exit relay has been online for months without issues. In addition, I have other non-exit relays hosted by the same provider with no issues and more across other providers.<br clear="none">><br clear="none">> I proceeded to reinstall the OS and reconfigure Tor. I was then quickly notified by my hosting provider again of more abuse reports all showing port 22 as target port.<br clear="none">><br clear="none">> I have not changed my torrc at all and it's still setup as a non-exit relay. No other applications/services were installed alongside Tor. Tor Metrics does not show the relay as Exit either.<br clear="none">><br clear="none">> It feels like Tor Exit Traffic is leaking through my non-exit relay?<br clear="none">Hello,<br clear="none"><br clear="none"> To me it seems like bogus or invalid reports. With certainity over 19<br clear="none">in 20. The picture simply does not fit port scanning.<br clear="none"><br clear="none"> 1. Not only middle relays, but exit nodes can only perform complete<br clear="none">TCP connections. Port scanning usually involves a SYN or UDP scan, which<br clear="none">is technically not possible to be done using any Tor node.<br clear="none"><br clear="none"> 2. Even if we assume somebody is hurting oneself by performing a<br clear="none">full-connection TCP scan, you mention only one port is being reported. A<br clear="none">port scan involves many ports. And this is not merely pedanticism<br clear="none">regarding naming. The detection of a port scan relies on this. In other<br clear="none">words: there is no way to classify traffic as a port scan, if only one<br clear="none">port is affected.<br clear="none"><br clear="none"> Since only port 22 is affected and 22 is not a common port for Tor<br clear="none">relays, you may simply block egress traffic to this port altogether. The<br clear="none">same as IP address ranges for which reports come. If the reports<br clear="none">continue coming, you can be almost sure they are false. The little<br clear="none">uncertainity remains for some attacker having root (or above-root)<br clear="none">access to your machine, but this is not coming from your Tor relay.<br clear="none"><br clear="none"> Before blocking IP address ranges, check if they are not relays. I do<br clear="none">not want to make positive statements about one trying to affect Tor<br clear="none">network, but such a possibility should also not be excluded without<br clear="none">checking.<br clear="none"><br clear="none">Cheers<br clear="none">_______________________________________________<br clear="none">tor-relays mailing list<br clear="none">tor-relays@lists.torproject.org<br clear="none">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays<br clear="none"></blockquote></div></div></div><div class="ydp89bb1fa2yqt3408646650" id="ydp89bb1fa2yqtfd00415">_______________________________________________<br clear="none">tor-relays mailing list<br clear="none"><a shape="rect" href="mailto:tor-relays@lists.torproject.org" rel="nofollow" target="_blank">tor-relays@lists.torproject.org</a><br clear="none"><a shape="rect" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="nofollow" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br clear="none"></div></div>
</div>
</div></div></body></html>