[tor-relays] Oubound Ports

Ryan Getz ryan2 at getzmail.com
Sun Jul 13 19:23:23 UTC 2014 

Hmm, I'm getting a bit confused now over the situation and perhaps I was
off-topic for this email chain.

I was talking about my server making connections to another server's
ports 22 (destination port 22). This is what sets off monitoring at some
service providers as they will actively monitor some ports (22, 25, 53
are the three most common as far as I know). This is usually a proactive
measure to spot potential abuses before they start receiving a large
number of complaints about their customers.

When I run the netstat -p command on my relay that was flagged by my
provider, I see something like:
# netstat -p | grep :ssh
tcp        0      0 localhost:ssh      192.111.148.38:50658   
ESTABLISHED
tcp        0      0 localhost:38923    42-2-24-248.static.:ssh
ESTABLISHED
tcp        0      0 localhost:38062    rainbowwarrior.tors:ssh
ESTABLISHED
tcp        0      0 localhost:43349    hosted-by.snel.com:ssh 
ESTABLISHED
tcp        0      0 localhost:41585    lumumba.torservers.:ssh
ESTABLISHED



The first result is incoming to my port 22 - to be expected, this is my
own SSH session. The remainder (I'm only including a subset of these
connections) are exiting my server on a random source port and
connecting to the destination server on it's port 22 (my output says
:ssh, rather than :22  - this doesn't mean it's actually SSH traffic).

'lsof | grep :ssh' will also display the same:

~# lsof | grep :ssh
sshd      12635       root    3r     IPv4          768026447      0t0   
    TCP localhost:ssh->192.111.148.38:50658 (ESTABLISHED)
sshd      24893       root    3u     IPv4             158040      0t0   
    TCP *:ssh (LISTEN)
sshd      24893       root    4u     IPv6             158041      0t0   
    TCP *:ssh (LISTEN)
tor       28193 debian-tor     TCP
localhost:38062->rainbowwarrior.torservers.net:ssh (ESTABLISHED)
tor       28193 debian-tor     TCP
localhost:38923->42-2-24-248.static.netvigator.com:ssh (ESTABLISHED)
tor       28193 debian-tor     TCP
localhost:41585->lumumba.torservers.net:ssh (ESTABLISHED)

The part I'm still not fully understanding... just to use the two
torservers.net connections as an example, if I look at iptables, netstat
or lsof, it shows I connect to rainbowwarrior and Lumumba on those
server's port 22 (my source port is random - 22 is the destination
port). However, when I look up either server in Atlas or Globe, both
appear to be configured with OR port as 443. Therefore, I was expecting
to see something more like:

debian-tor     TCP localhost:41585->lumumba.torservers.net:https
(ESTABLISHED)  (for port 443) 

As far as the comment on restricting what ports are available to be used
for the OR port, I cannot comment on whether ports should be restricted
or remain unrestricted. Having worked for a company that provides
hosting/dedicated servers, I have seen more and more companies begin to
implement proactive monitoring in an attempt to identify malicious
traffic being sourced from their network in recent years. While the
number of companies doing this remains small, it may be worth a larger
discussion on what would be best for Tor. I was able to keep my relay
running by proving that all of my outgoing connections to a destination
port 22 were all Tor relays and my server was not doing anything
malicious. Many other contributors of relays may have faced termination
in a similar circumstance. 

Greg - my understanding from your last email is that you see traffic
exiting *your* server on it's own port 22, to a random destination port.
the lsof command above should show what process on your server is
responsible for that traffic. However, especially if you have SSH
listening on port 22, I really would not expect port 22 to be used as a
source port for outgoing traffic on your server. As grarpamp pointed
out, the first 1023 ports are usually excluded from being chosen as a
source port and this should be especially true if you have a service
configured to listen on that port.

Regards,
Ryan


On Sat, Jul 12, 2014, at 05:01 PM, Greg Moss wrote:
> When we say a process connects on port 22 we mean a process on the local
> computer tries to connect to a remote computer on its port 22, ie 22 is
> the
> "destination".  The process on the local computer will use a random
> numbered
> "source" port (from 1 to 65535) on leaving the local computer.
>  On the remote computer, there will be a process listening on its inbound
> port 22.
> 
> I understand the dynamic port assignment computer initiating the
> connection
> to "whatever" port the remote server is listening on . What I am seeing
> is
> traffic sourced from port 22 on my relay and wondering what process or
> program is initiating that connection......  I have outbound port 22
> blocked
> and am seeing a number of hits on the ACL  
> 
> gm
> 
> -----Original Message-----
> From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On
> Behalf
> Of krishna e bera
> Sent: Saturday, July 12, 2014 8:32 AM
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] Oubound Ports
> 
> On 14-07-11 08:59 PM, Greg Moss wrote:
> > Alright - traffic is picking up a little after 24 hour. Netfow is 
> > showing a bunch of outbound SSH connections but for some reason cant 
> > see it in the syslog  going out. Added ACL for outbound SSH and will 
> > watch.  Not sure WTF all the SSH traffic is all about.
> 
> 
> Some clarification may help regarding what ports are and how they are
> used.
> (Corrections welcome.)
> 
> When we say a process connects on port 22 we mean a process on the local
> computer tries to connect to a remote computer on its port 22, ie 22 is
> the
> "destination".  The process on the local computer will use a random
> numbered
> "source" port (from 1 to 65535) on leaving the local computer.
>  On the remote computer, there will be a process listening on its inbound
> port 22.
> 
> The local process may or may not be SSH, and the remote process may or
> may
> not be SSHD - it is up to each computer's owner how they configure the
> processes; port 22 is merely a convention for SSH that makes it easy to
> remember and setup defaults.
> 
> (On Linux you can see what process is actually using each active
> connection
> with "sudo netstat -p".  To see what processes are listening on which
> ports
> on your computer, it would be "sudo netstat -lp".)
> 
> If you are running a Tor exit node, you specify in the torrc to which
> destination ports your Tor node will allow Tor users to connect.  If your
> torrc says "ExitPolicy reject *:22" for example, it means your exit node
> will not allow Tor users to connect to port 22, so don't even try to
> route
> circuits through your node.  If your torrc doesnt contain that line but
> your
> firewall blocks connections to port 22, it means Tor users might try to
> do
> their SSH via your exit node and get failed connections (and your node
> will
> eventually be labelled a BadExit).
> 
> If you are running a non-exit, ie your torrc contains "ExitPolicy reject
> *:*", then circuits traversing your relay will only connect to other Tor
> nodes (on their advertised ORports); you cannot control what numbers
> those
> ports are nor choose to which relays connections are allowed.  In that
> case
> you should not see any connections to port 22, except for the Tor process
> itself connnecting to other Tor relays which happen to use that as their
> ORport.
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list