[tor-relays] Oubound Ports

Greg Moss gmoss82 at gmail.com
Sun Jul 13 21:59:16 UTC 2014 

Ryan - 

The remainder (I'm only including a subset of these
connections) are exiting my server on a random source port and connecting to
the destination server on it's port 22.



As long as I don't get flagged by my ISP I am ok with above.  As stated
below I was seeing traffic originating from source 22 on my relay which got
my attention (my relay is not listening on port 22).  I have since blocked
outbound port 22 and still seeing hits my ACL. My attack service is minimal
on the relay is running in a DMZ with ONLY Tor  OR port 8080  and DIR port
9030 exposed to the outside.  My concern is in the event it was somehow
compromised ( Tor exploit or some other type of attack) that I am able to
see and identify that "malicious"  traffic connection outbound.  That goes
along with opening up all outbound ports.  If a backdoor or Trojan happed to
get installed I want to be able to identify that traffic and ports used
assuming it doesn't wrap and tunnel it though the Tor service.

Greg




-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf
Of Ryan Getz
Sent: Sunday, July 13, 2014 12:23 PM
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] Oubound Ports

Hmm, I'm getting a bit confused now over the situation and perhaps I was
off-topic for this email chain.

I was talking about my server making connections to another server's ports
22 (destination port 22). This is what sets off monitoring at some service
providers as they will actively monitor some ports (22, 25, 53 are the three
most common as far as I know). This is usually a proactive measure to spot
potential abuses before they start receiving a large number of complaints
about their customers.

When I run the netstat -p command on my relay that was flagged by my
provider, I see something like:
# netstat -p | grep :ssh
tcp        0      0 localhost:ssh      192.111.148.38:50658   
ESTABLISHED
tcp        0      0 localhost:38923    42-2-24-248.static.:ssh
ESTABLISHED
tcp        0      0 localhost:38062    rainbowwarrior.tors:ssh
ESTABLISHED
tcp        0      0 localhost:43349    hosted-by.snel.com:ssh 
ESTABLISHED
tcp        0      0 localhost:41585    lumumba.torservers.:ssh
ESTABLISHED



The first result is incoming to my port 22 - to be expected, this is my own
SSH session. The remainder (I'm only including a subset of these
connections) are exiting my server on a random source port and connecting to
the destination server on it's port 22 (my output says :ssh, rather than :22
- this doesn't mean it's actually SSH traffic).

'lsof | grep :ssh' will also display the same:

~# lsof | grep :ssh
sshd      12635       root    3r     IPv4          768026447      0t0   
    TCP localhost:ssh->192.111.148.38:50658 (ESTABLISHED)
sshd      24893       root    3u     IPv4             158040      0t0   
    TCP *:ssh (LISTEN)
sshd      24893       root    4u     IPv6             158041      0t0   
    TCP *:ssh (LISTEN)
tor       28193 debian-tor     TCP
localhost:38062->rainbowwarrior.torservers.net:ssh (ESTABLISHED)
tor       28193 debian-tor     TCP
localhost:38923->42-2-24-248.static.netvigator.com:ssh (ESTABLISHED)
tor       28193 debian-tor     TCP
localhost:41585->lumumba.torservers.net:ssh (ESTABLISHED)

The part I'm still not fully understanding... just to use the two
torservers.net connections as an example, if I look at iptables, netstat or
lsof, it shows I connect to rainbowwarrior and Lumumba on those server's
port 22 (my source port is random - 22 is the destination port). However,
when I look up either server in Atlas or Globe, both appear to be configured
with OR port as 443. Therefore, I was expecting to see something more like:

debian-tor     TCP localhost:41585->lumumba.torservers.net:https
(ESTABLISHED)  (for port 443) 

As far as the comment on restricting what ports are available to be used for
the OR port, I cannot comment on whether ports should be restricted or
remain unrestricted. Having worked for a company that provides
hosting/dedicated servers, I have seen more and more companies begin to
implement proactive monitoring in an attempt to identify malicious traffic
being sourced from their network in recent years. While the number of
companies doing this remains small, it may be worth a larger discussion on
what would be best for Tor. I was able to keep my relay running by proving
that all of my outgoing connections to a destination port 22 were all Tor
relays and my server was not doing anything malicious. Many other
contributors of relays may have faced termination in a similar circumstance.


Greg - my understanding from your last email is that you see traffic exiting
*your* server on it's own port 22, to a random destination port.
the lsof command above should show what process on your server is
responsible for that traffic. However, especially if you have SSH listening
on port 22, I really would not expect port 22 to be used as a source port
for outgoing traffic on your server. As grarpamp pointed out, the first 1023
ports are usually excluded from being chosen as a source port and this
should be especially true if you have a service configured to listen on that
port.

Regards,
Ryan


On Sat, Jul 12, 2014, at 05:01 PM, Greg Moss wrote:
> When we say a process connects on port 22 we mean a process on the 
> local computer tries to connect to a remote computer on its port 22, 
> ie 22 is the "destination".  The process on the local computer will 
> use a random numbered "source" port (from 1 to 65535) on leaving the 
> local computer.
>  On the remote computer, there will be a process listening on its 
> inbound port 22.
> 
> I understand the dynamic port assignment computer initiating the 
> connection to "whatever" port the remote server is listening on . What 
> I am seeing is traffic sourced from port 22 on my relay and wondering 
> what process or program is initiating that connection......  I have 
> outbound port 22 blocked and am seeing a number of hits on the ACL
> 
> gm
> 
> -----Original Message-----
> From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On 
> Behalf Of krishna e bera
> Sent: Saturday, July 12, 2014 8:32 AM
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] Oubound Ports
> 
> On 14-07-11 08:59 PM, Greg Moss wrote:
> > Alright - traffic is picking up a little after 24 hour. Netfow is 
> > showing a bunch of outbound SSH connections but for some reason cant 
> > see it in the syslog  going out. Added ACL for outbound SSH and will 
> > watch.  Not sure WTF all the SSH traffic is all about.
> 
> 
> Some clarification may help regarding what ports are and how they are 
> used.
> (Corrections welcome.)
> 
> When we say a process connects on port 22 we mean a process on the 
> local computer tries to connect to a remote computer on its port 22, 
> ie 22 is the "destination".  The process on the local computer will 
> use a random numbered "source" port (from 1 to 65535) on leaving the 
> local computer.
>  On the remote computer, there will be a process listening on its 
> inbound port 22.
> 
> The local process may or may not be SSH, and the remote process may or 
> may not be SSHD - it is up to each computer's owner how they configure 
> the processes; port 22 is merely a convention for SSH that makes it 
> easy to remember and setup defaults.
> 
> (On Linux you can see what process is actually using each active 
> connection with "sudo netstat -p".  To see what processes are 
> listening on which ports on your computer, it would be "sudo netstat 
> -lp".)
> 
> If you are running a Tor exit node, you specify in the torrc to which 
> destination ports your Tor node will allow Tor users to connect.  If 
> your torrc says "ExitPolicy reject *:22" for example, it means your 
> exit node will not allow Tor users to connect to port 22, so don't 
> even try to route circuits through your node.  If your torrc doesnt 
> contain that line but your firewall blocks connections to port 22, it 
> means Tor users might try to do their SSH via your exit node and get 
> failed connections (and your node will eventually be labelled a 
> BadExit).
> 
> If you are running a non-exit, ie your torrc contains "ExitPolicy 
> reject *:*", then circuits traversing your relay will only connect to 
> other Tor nodes (on their advertised ORports); you cannot control what 
> numbers those ports are nor choose to which relays connections are 
> allowed.  In that case you should not see any connections to port 22, 
> except for the Tor process itself connnecting to other Tor relays 
> which happen to use that as their ORport.
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list