On 2024-10-29 06:04, Toralf Förster via tor-relays wrote:
On 10/29/24 04:33, Pierre Bourdon wrote:
Some tcpdumps showing random RSTs coming back to my machines running relays (with no traffic being initiated by said machines beforehand):
You used something like this?:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 && port 22'
You want source port of 22.
For RSTs:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 and src port 22'
For SYN-ACKs:
tcpdump -i eth0 'tcp[13] & 18 == 18 and src port 22'
I tend to use nft counters for stuff like this:
If you don't have good nft accounting chains set up yet:
nft create table ip accounting
nft create chain ip accounting input '{ type filter hook input priority filter ; policy accept ; }'
nft create chain ip accounting output '{ type filter hook output priority filter ; policy accept ; }'
And then the counter rule:
nft add rule ip accounting input tcp sport 22 tcp flags == 'syn|ack' counter
You can add them for other source ports too - might be useful to expand our scope to some other commonly abused ports like 25.
To check your counts: nft list table ip accounting
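As an added example (not from anyone in this thread): a small script that reads "tcpdump -nn -l" lines captured with the filters above and separates genuine replies from backscatter, i.e. SYN-ACKs or RSTs from port 22 on hosts this relay never sent a SYN to. The local address and the sample lines are constructed for the demonstration.

```python
import re
import sys

# Matches the start of a "tcpdump -nn" line: timestamp, src ip.port, dst ip.port, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LOCAL_IP = "198.51.100.7"  # constructed: the relay's own address

# Constructed sample: one real handshake, then three unsolicited packets.
SAMPLE = """\
06:04:01.000001 IP 198.51.100.7.51000 > 203.0.113.10.22: Flags [S], seq 100, win 64240, length 0
06:04:01.000500 IP 203.0.113.10.22 > 198.51.100.7.51000: Flags [S.], seq 200, ack 101, win 65160, length 0
06:04:02.000001 IP 203.0.113.99.22 > 198.51.100.7.40001: Flags [S.], seq 300, ack 1, win 65535, length 0
06:04:02.000002 IP 203.0.113.99.22 > 198.51.100.7.40001: Flags [R.], seq 301, ack 1, win 0, length 0
06:04:03.000001 IP 203.0.113.45.22 > 198.51.100.7.40002: Flags [R], seq 0, win 0, length 0
""".splitlines()


def find_unsolicited(lines, local_ip, watched_port=22):
    """Return (timestamp, remote_ip, flags) for each SYN-ACK or RST arriving from
    watched_port on a remote host to which local_ip never sent a SYN first.
    Those are backscatter: someone else sent SYNs with our address spoofed."""
    opened = set()  # (remote_ip, remote_port, local_port) connections we started
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        flags = f["flags"]
        if f["sip"] == local_ip and "S" in flags and "." not in flags:
            # Outbound SYN: remember that we initiated this connection.
            opened.add((f["dip"], int(f["dport"]), int(f["sport"])))
        elif f["dip"] == local_ip and int(f["sport"]) == watched_port:
            is_synack = flags == "S."
            is_rst = "R" in flags
            key = (f["sip"], int(f["sport"]), int(f["dport"]))
            if (is_synack or is_rst) and key not in opened:
                hits.append((f["ts"], f["sip"], flags))
    return hits


if __name__ == "__main__":
    # Pipe real output in with: tcpdump -nn -l ... | python3 backscatter.py -
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE
    for ts, ip, flags in find_unsolicited(source, LOCAL_IP):
        print(f"{ts} unsolicited [{flags}] from {ip}:22")
```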