* Jan via tor-relays:
the abuse report goes like this
TIME (UTC) SRC SRC-PORT -> DST DST-PORT SIZE PROT 2025-10-14 22:37:13 188.40.xxx.yyy 45254 -> 96.9.98.2 443 74 TCP
Well, there's more, is there not? Hetzner reports of this kind typically list a whole range of destination IP addresses, i.e. portscans for network ranges (class C being pretty common).
so rather all fine and looks like legal tor traffic and still a false positive on hetzners side to me?
Portscans are /not/ fine. If you are not running an exit node, there is no reason for your node to connect to port 443 on a whole range of target hosts. That traffic is either spoofed, or something is very wrong on your node. However, if you are running an exit node, you can pretty much bet that some bozos will abuse it to run portscans. Occupational hazard. And it's not fine either. -Ralph