Could this be the real issue? https://delroth.net/posts/spoofed-mass-scan-abuse/ Greetz, Richie
Am 29.10.2024 um 15:12 schrieb mick mbm@rlogin.net:
On Tue, 29 Oct 2024 07:47:53 +0000 mick mbm@rlogin.net allegedly wrote:
Same here. Middle relay, automated abuse report forwarded by Hetzner, for alleged scans of TCP port 22 across several related IPv4 class-C networks. I wondered if that was a mistake on the reporting third party's end, but given that I am not the only on, it seems there is more to it.
Me too. Middle relay on Hetzner. Alleged SSH scans from my relay. I have not yet had time to investigate, but will do so later today.
Mick
I have taken a look at my relay and noted activity like this a short while ago.
105.812429380 202.91.162.47 → 95.216.198.252 TCP 54 22 → 18588 [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 113.387329574 202.91.163.206 → 95.216.198.252 TCP 54 22 → 41567 [RST, ACK] Seq=1 Ack=1 Win=4128 Len=0
So - resets coming from a host I have not attempted to connect to.
I have informed hetzner and pointed them to the tor-project note at https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/85 given by Roger Dingledine.
Mick
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 blog: baldric.net
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays