On 14-07-11 08:59 PM, Greg Moss wrote:
Alright - traffic is picking up a little after 24 hours. Netflow is showing a bunch of outbound SSH connections but for some reason can't see it in the syslog going out. Added ACL for outbound SSH and will watch. Not sure WTF all the SSH traffic is all about.
Some clarification may help regarding what ports are and how they are used. (Corrections welcome.)
When we say a process connects on port 22 we mean a process on the local computer tries to connect to a remote computer on its port 22, i.e. 22 is the "destination". The process on the local computer will use a random-numbered "source" port (from 1 to 65535) on leaving the local computer. On the remote computer, there will be a process listening on its inbound port 22.
The local process may or may not be SSH, and the remote process may or may not be SSHD - it is up to each computer's owner how they configure the processes; port 22 is merely a convention for SSH that makes it easy to remember and setup defaults.
(On Linux you can see what process is actually using each active connection with "sudo netstat -p". To see what processes are listening on which ports on your computer, it would be "sudo netstat -lp".)
If you are running a Tor exit node, you specify in the torrc to which destination ports your Tor node will allow Tor users to connect. If your torrc says "ExitPolicy reject *:22" for example, it means your exit node will not allow Tor users to connect to port 22, so don't even try to route circuits through your node. If your torrc doesn't contain that line but your firewall blocks connections to port 22, it means Tor users might try to do their SSH via your exit node and get failed connections (and your node will eventually be labelled a BadExit).
If you are running a non-exit, i.e. your torrc contains "ExitPolicy reject *:*", then circuits traversing your relay will only connect to other Tor nodes (on their advertised ORPorts); you cannot control what numbers those ports are nor choose to which relays connections are allowed. In that case you should not see any connections to port 22, except for the Tor process itself connecting to other Tor relays which happen to use that as their ORPort.
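The triage the reply describes (which local process owns each outbound port-22 connection, and whether the relay's ExitPolicy would even permit exiting there) can be scripted. The following is an added example, not code from the thread or from the Tor project. It assumes the column layout of `ss -tnp` (the modern replacement for `netstat -p` on Linux), a constructed sample of that output and a constructed torrc fragment, and it implements only the first-match semantics of ExitPolicy rules with `*`, single ports, port ranges and IPv4/IPv6 CIDR patterns; tor's `private` keyword and the default policy tor appends after the operator's rules are not modelled, so an unmatched destination falls back to a caller-supplied default.

```python
import ipaddress
import re

# Constructed sample of `ss -tnp` output (made up for this example, not a real capture).
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB 0      0      10.0.0.5:44312       203.0.113.7:22      users:(("tor",pid=1234,fd=17))
ESTAB 0      0      10.0.0.5:51020       198.51.100.9:9001   users:(("tor",pid=1234,fd=21))
ESTAB 0      0      10.0.0.5:38840       192.0.2.44:22       users:(("ssh",pid=4321,fd=3))
ESTAB 0      0      10.0.0.5:40102       192.0.2.80:22       users:(("tor",pid=1234,fd=33))
"""

# Constructed torrc fragment (hypothetical relay): exits to port 22 only for one /24.
SAMPLE_TORRC = """\
ORPort 9001
ExitPolicy accept 203.0.113.0/24:22
ExitPolicy reject *:22
ExitPolicy accept *:80,accept *:443,accept *:2200-2299
ExitPolicy reject *:*
"""


def _split_host_port(field):
    """Split ss's 'addr:port' column; IPv6 shows up as '[addr]:port'."""
    host, _, port = field.rpartition(':')
    return host.strip('[]'), int(port)


def parse_ss(text):
    """Parse `ss -tnp` style output into connection dicts (header line is skipped)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == 'State':
            continue
        local_ip, local_port = _split_host_port(fields[3])
        peer_ip, peer_port = _split_host_port(fields[4])
        # Process column looks like users:(("tor",pid=1234,fd=17)); absent when not run as root.
        m = re.search(r'\(\("([^"]+)"', fields[5]) if len(fields) > 5 else None
        conns.append({'state': fields[0], 'local_ip': local_ip, 'local_port': local_port,
                      'peer_ip': peer_ip, 'peer_port': peer_port,
                      'process': m.group(1) if m else None})
    return conns


def parse_exit_policy(torrc_text):
    """Collect ExitPolicy rules in file order as (verdict, addr_pattern, port_pattern)."""
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.lower().startswith('exitpolicy'):
            continue
        _, _, body = line.partition(' ')
        for entry in body.split(','):          # one line may hold several comma-separated rules
            entry = entry.strip()
            if not entry:
                continue
            action, _, pattern = entry.partition(' ')
            addr, _, port = pattern.strip().rpartition(':')
            verdict = 'accept' if action.lower().startswith('accept') else 'reject'
            rules.append((verdict, addr.strip('[]'), port))
    return rules


def _addr_matches(pattern, ip):
    if pattern == '*':
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # simplification: unparseable patterns such as 'private' never match


def _port_matches(pattern, port):
    if pattern == '*':
        return True
    lo, _, hi = pattern.partition('-')
    return int(lo) <= port <= int(hi or lo)


def exit_verdict(rules, ip, port, default='reject'):
    """First matching rule wins; `default` stands in for tor's appended default policy."""
    for verdict, addr_pat, port_pat in rules:
        if _addr_matches(addr_pat, ip) and _port_matches(port_pat, port):
            return verdict
    return default


def triage_ssh_connections(ss_text, torrc_text, tor_process='tor', port=22):
    """Classify each outbound connection to `port` as (peer_ip, process, reason)."""
    rules = parse_exit_policy(torrc_text)
    findings = []
    for c in parse_ss(ss_text):
        if c['peer_port'] != port:
            continue
        if c['process'] != tor_process:
            why = 'local-client'     # a non-tor process on this box is doing SSH itself
        elif exit_verdict(rules, c['peer_ip'], port) == 'accept':
            why = 'exit-traffic'     # policy permits it, so this may be a Tor user's SSH
        else:
            why = 'or-connection?'   # policy forbids exiting to 22: likely a relay whose ORPort is 22
        findings.append((c['peer_ip'], c['process'], why))
    return findings


if __name__ == '__main__':
    for peer, proc, why in triage_ssh_connections(SAMPLE_SS_OUTPUT, SAMPLE_TORRC):
        print(f'{peer:16} {proc or "?":8} {why}')
```

To run it against a live relay, feed it `subprocess.run(['ss', '-tnp'], capture_output=True, text=True).stdout` (as root, otherwise the Process column is empty) and the real torrc; the 'or-connection?' bucket is the case the reply describes, where a non-exit's own tor process talks to a relay advertising ORPort 22, and 'local-client' is what a compromised or misconfigured host would show.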