Hi folks!
We're hunting down a mystery where two of our big university relays are
having troubles reaching the Tor directory authorities:
https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86
Can you check to see if your relay is in a similar situation?
In particular, the situation to look for is "Tor process is
still running fine from your perspective, but, relay-search
(https://atlas.torproject.org/) says you are no longer running."
If your relay is in this situation, the next step is to check your Tor
logs, try to rule out other issues like firewall rules on your side,
and then (if you're able) to start exploring traceroutes to the directory
authority IP addresses vs other addresses. If you need more direct help,
we can help you debug or answer other questions on #tor-relays on IRC.
Thanks,
--Roger
Hi there.
I found the title of the above blog post highly ironic.
I run a Tor relay (middle and guard node). You appear to be sending
automated "abuse" reports to other ISPS as a result of what is
obviously (well obvious to anyone who studies the network traffic
properly) spoofed source address connections to SSH port 22 on random
servers around the net.
These "abuse" reports cause the ISP hosting the /real/ address of the
spoofed server to do one of two things. Either they just pass the
report on to the server admin for investigation, or they simply shut
down the srevr in question and lock the account of the operator. In
either case the perfectly innocent Tor server admin is highly
inconvenienced and the bad actor(s) doing the spoofing scans get the Tor
relay addresses blacklisted. This is detrimental to the health of the
Tor network.
Please look carefully at your automated abuse reporting system and add
some intelligence to it - preferably by getting a properly skilled
network administrator to look at the traffic /before/ firing off a
spurious report.
(Oh and BTW, SSH scanning at scale is so much part of the background
noise on the 'net that I am astounded that you should pay much
attention to it at all. I don't.)
Best
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------