Ryan -
The remainder (I'm only including a subset of these connections) are exiting my server on a random source port and connecting to the destination server on its port 22.
As long as I don't get flagged by my ISP I am ok with the above. As stated below I was seeing traffic originating from source port 22 on my relay which got my attention (my relay is not listening on port 22). I have since blocked outbound port 22 and am still seeing hits on my ACL. My attack surface on the relay is minimal: it is running in a DMZ with ONLY the Tor OR port 8080 and Dir port 9030 exposed to the outside. My concern is, in the event it was somehow compromised (Tor exploit or some other type of attack), that I am able to see and identify that "malicious" traffic connection outbound. That goes along with opening up all outbound ports. If a backdoor or Trojan happened to get installed I want to be able to identify that traffic and the ports used, assuming it doesn't wrap and tunnel it through the Tor service.
Greg
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Ryan Getz Sent: Sunday, July 13, 2014 12:23 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Oubound Ports
Hmm, I'm getting a bit confused now over the situation and perhaps I was off-topic for this email chain.
I was talking about my server making connections to another server's port 22 (destination port 22). This is what sets off monitoring at some service providers as they will actively monitor some ports (22, 25, 53 are the three most common as far as I know). This is usually a proactive measure to spot potential abuses before they start receiving a large number of complaints about their customers.
When I run the netstat -p command on my relay that was flagged by my provider, I see something like:

# netstat -p | grep :ssh
tcp 0 0 localhost:ssh 192.111.148.38:50658 ESTABLISHED
tcp 0 0 localhost:38923 42-2-24-248.static.:ssh ESTABLISHED
tcp 0 0 localhost:38062 rainbowwarrior.tors:ssh ESTABLISHED
tcp 0 0 localhost:43349 hosted-by.snel.com:ssh ESTABLISHED
tcp 0 0 localhost:41585 lumumba.torservers.:ssh ESTABLISHED
The first result is incoming to my port 22 - to be expected, this is my own SSH session. The remainder (I'm only including a subset of these connections) are exiting my server on a random source port and connecting to the destination server on its port 22 (my output says :ssh, rather than :22 - this doesn't mean it's actually SSH traffic).
'lsof | grep :ssh' will also display the same:
~# lsof | grep :ssh
sshd 12635 root 3r IPv4 768026447 0t0 TCP localhost:ssh->192.111.148.38:50658 (ESTABLISHED)
sshd 24893 root 3u IPv4 158040 0t0 TCP *:ssh (LISTEN)
sshd 24893 root 4u IPv6 158041 0t0 TCP *:ssh (LISTEN)
tor 28193 debian-tor TCP localhost:38062->rainbowwarrior.torservers.net:ssh (ESTABLISHED)
tor 28193 debian-tor TCP localhost:38923->42-2-24-248.static.netvigator.com:ssh (ESTABLISHED)
tor 28193 debian-tor TCP localhost:41585->lumumba.torservers.net:ssh (ESTABLISHED)
The part I'm still not fully understanding... just to use the two torservers.net connections as an example, if I look at iptables, netstat or lsof, it shows I connect to rainbowwarrior and Lumumba on those server's port 22 (my source port is random - 22 is the destination port). However, when I look up either server in Atlas or Globe, both appear to be configured with OR port as 443. Therefore, I was expecting to see something more like:
debian-tor TCP localhost:41585->lumumba.torservers.net:https (ESTABLISHED) (for port 443)
As far as the comment on restricting what ports are available to be used for the OR port, I cannot comment on whether ports should be restricted or remain unrestricted. Having worked for a company that provides hosting/dedicated servers, I have seen more and more companies begin to implement proactive monitoring in an attempt to identify malicious traffic being sourced from their network in recent years. While the number of companies doing this remains small, it may be worth a larger discussion on what would be best for Tor. I was able to keep my relay running by proving that all of my outgoing connections to destination port 22 were to Tor relays and my server was not doing anything malicious. Many other contributors of relays may have faced termination in a similar circumstance.
Greg - my understanding from your last email is that you see traffic exiting *your* server on its own port 22, to a random destination port. The lsof command above should show what process on your server is responsible for that traffic. However, especially if you have SSH listening on port 22, I really would not expect port 22 to be used as a source port for outgoing traffic on your server. As grarpamp pointed out, the first 1023 ports are usually excluded from being chosen as a source port and this should be especially true if you have a service configured to listen on that port.
Regards, Ryan
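Ryan's suggestion above (let lsof tell you which process owns each connection to port 22) can be automated. The following is an added Python example, not code from this thread or from the Tor project: it parses lsof-style TCP lines, treats a connection as inbound when its local port is one the host is listening on, and separates outbound port-22 connections owned by the tor daemon from those owned by anything else. The sample reuses the hosts quoted in the thread; the FD/device columns and the last "updater" line are constructed to exercise the flagged branch.

```python
import re

# Constructed sample shaped like the `lsof | grep :ssh` output quoted in the
# thread; FD/device columns and the final non-tor line are made up.
SAMPLE_LSOF = """\
sshd 12635 root 3r IPv4 768026447 0t0 TCP localhost:ssh->192.111.148.38:50658 (ESTABLISHED)
sshd 24893 root 3u IPv4 158040 0t0 TCP *:ssh (LISTEN)
sshd 24893 root 4u IPv6 158041 0t0 TCP *:ssh (LISTEN)
tor 28193 debian-tor 9u IPv4 768030000 0t0 TCP localhost:38062->rainbowwarrior.torservers.net:ssh (ESTABLISHED)
tor 28193 debian-tor 10u IPv4 768030001 0t0 TCP localhost:41585->lumumba.torservers.net:ssh (ESTABLISHED)
updater 31337 nobody 5u IPv4 768040000 0t0 TCP localhost:44120->203.0.113.7:ssh (ESTABLISHED)
"""

# Command, PID and user are the first three columns; everything up to "TCP" is
# skipped so lines with or without the FD/device columns both parse.
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?\bTCP\s+"
                     r"(?P<name>\S+)\s+\((?P<state>\w+)\)")

def parse_lsof(text):
    """Turn lsof TCP lines into dicts; the service name (ssh) is kept as printed."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, _, remote = m.group("name").partition("->")   # remote is "" for LISTEN
        conns.append({
            "cmd": m.group("cmd"), "pid": int(m.group("pid")), "user": m.group("user"),
            "local_port": local.rsplit(":", 1)[1],
            "remote_host": remote.rsplit(":", 1)[0] if remote else None,
            "remote_port": remote.rsplit(":", 1)[1] if remote else None,
            "state": m.group("state"),
        })
    return conns

def triage(conns, port="ssh", expected_cmd="tor"):
    """Sort established connections on `port` into inbound, tor-owned outbound
    (expected for relays whose ORPort is 22) and outbound owned by anything else."""
    listening = {c["local_port"] for c in conns if c["state"] == "LISTEN"}
    out = {"inbound": [], "tor_outbound": [], "flagged": []}
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        if c["local_port"] in listening:          # accepted on our own listener
            out["inbound"].append(c["remote_host"])
        elif c["remote_port"] == port:            # we dialled the peer's port 22
            key = "tor_outbound" if c["cmd"] == expected_cmd else "flagged"
            out[key].append((c["cmd"], c["pid"], c["user"], c["remote_host"]))
    return out
```

Anything in "flagged" is a process other than tor dialling port 22 and is what to look at first; the tor-owned entries can then be checked against each peer's advertised ORPort.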
On Sat, Jul 12, 2014, at 05:01 PM, Greg Moss wrote:
When we say a process connects on port 22 we mean a process on the local computer tries to connect to a remote computer on its port 22, ie 22 is the "destination". The process on the local computer will use a random numbered "source" port (from 1 to 65535) on leaving the local computer. On the remote computer, there will be a process listening on its inbound port 22.
I understand the dynamic port assignment: the computer initiating the connection connects to "whatever" port the remote server is listening on. What I am seeing is traffic sourced from port 22 on my relay and I'm wondering what process or program is initiating that connection... I have outbound port 22 blocked and am seeing a number of hits on the ACL.
gm
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of krishna e bera Sent: Saturday, July 12, 2014 8:32 AM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Oubound Ports
On 14-07-11 08:59 PM, Greg Moss wrote:
Alright - traffic is picking up a little after 24 hours. Netflow is showing a bunch of outbound SSH connections but for some reason I can't see it in the syslog going out. Added an ACL for outbound SSH and will watch. Not sure WTF all the SSH traffic is all about.
Some clarification may help regarding what ports are and how they are used. (Corrections welcome.)
When we say a process connects on port 22 we mean a process on the local computer tries to connect to a remote computer on its port 22, ie 22 is the "destination". The process on the local computer will use a random numbered "source" port (from 1 to 65535) on leaving the local computer. On the remote computer, there will be a process listening on its inbound port 22.
The local process may or may not be SSH, and the remote process may or may not be SSHD - it is up to each computer's owner how they configure the processes; port 22 is merely a convention for SSH that makes it easy to remember and setup defaults.
(On Linux you can see what process is actually using each active connection with "sudo netstat -p". To see what processes are listening on which ports on your computer, it would be "sudo netstat -lp".)
If you are running a Tor exit node, you specify in the torrc to which destination ports your Tor node will allow Tor users to connect. If your torrc says "ExitPolicy reject *:22" for example, it means your exit node will not allow Tor users to connect to port 22, so they don't even try to route such circuits through your node. If your torrc doesn't contain that line but your firewall blocks connections to port 22, it means Tor users might try to do their SSH via your exit node and get failed connections (and your node will eventually be labelled a BadExit).
If you are running a non-exit, i.e. your torrc contains "ExitPolicy reject *:*", then circuits traversing your relay will only connect to other Tor nodes (on their advertised ORPorts); you cannot control what numbers those ports are nor choose to which relays connections are allowed. In that case you should not see any connections to port 22, except for the Tor process itself connecting to other Tor relays which happen to use that as their ORPort.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays