Roger,

You've confirmed my thoughts. I suspected that some people were bulk scanning relays/exits looking for open proxies too which is why I was curious if any other operators were seeing this. Thus far today I've got 175,000 connection attempts from 220 distinct IP addresses. I think I'll be sending some abuse emails and writing a new fail2ban rule!

Thanks,
Greg


On Thu, Feb 27, 2014 at 8:40 PM, Roger Dingledine <arma@mit.edu> wrote:
On Thu, Feb 27, 2014 at 11:39:55PM +0100, Jeroen Massar wrote:
> On 2014-02-27 23:12, Greg W wrote:
> > I turned on some logging on my firewall today to help troubleshoot and
> > issue and noticed a load of connections from external addresses to port
> > 9050 on my exit node. I don't think that should be publicly accessible.
> > Am I wrong about it being publicly accessible and does anyone else see
> > lots of connection attempts on that port?
>
> 9050 is the standard relay port, as other relays connect to your relay
> (and then, likely, exit), it is quite logical that you see those
> connections.

No, 9001 is the standard relay port. 9050 is the standard socks port.

Greg, try connecting to 9050 from outside your firewall, and see what
happens?

I think what you might be seeing is that some folks who sell lists of
open proxies have decided to scan Tor relays on port 9050, just in case
they left it open.

--Roger

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays