On Fri, 18 Apr 2014 23:29:08 -0800 I beatthebastards@inbox.com wrote:
What can I do about this? The VPS business keeps saying this is reason to suspend?
Fri, 18 Apr 2014 02:05:04 -0400 VPS 11028 (192.3.42.25) has 24676 conntrack sessions Fri, 18 Apr 2014 02:05:09 -0400 VPS 11028 (192.3.42.25) has 24648 conntrack sessions Fri, 18 Apr 2014 02:05:14 -0400 VPS 11028 (192.3.42.25) has 23119 conntrack sessions Fri, 18 Apr 2014 02:05:19 -0400 VPS 11028 (192.3.42.25) has 20123 conntrack sessions Fri, 18 Apr 2014 20:48:24 -0400 VPS 11028 (192.3.42.25) has 311 SSH connections Fri, 18 Apr 2014 20:48:25 -0400 SUSPENDING VPS 11028 (192.3.42.25); it has 311 SSH connections
Hello,
Were you running an exit node there, with port 22 accepted in the exit policy? If so, someone might have been trying to brute-force SSH passwords via your exit node.
If not, then still these might have been Tor connections, but to other relays, as some of them have their ORPort set to 22. However I don't know if it's normal that you would have 311 connections to them, after all they are in a tiny minority (only 20 relays or so): http://torstatus.blutmagie.de/index.php?SR=ORPort&SO=Asc
tor-relays@lists.torproject.org