I turned on some logging on my firewall today to help troubleshoot an issue and noticed a load of connections from external addresses to port 9050 on my exit node. I don't think that should be publicly accessible. Am I wrong about it being publicly accessible and does anyone else see lots of connection attempts on that port?
Thanks, Greg
On 2014-02-27 23:12, Greg W wrote:
> I turned on some logging on my firewall today to help troubleshoot an issue and noticed a load of connections from external addresses to port 9050 on my exit node. I don't think that should be publicly accessible. Am I wrong about it being publicly accessible and does anyone else see lots of connection attempts on that port?
9050 is the standard relay port, as other relays connect to your relay (and then, likely, exit), it is quite logical that you see those connections.
That is, unless you changed your port in torrc.
Providing more details about your setup (or the node name, so that it can be checked in atlas.torproject.org etc) would be very handy to make any kind of further comment though.
Greets, Jeroen
On Thu, Feb 27, 2014 at 11:39:55PM +0100, Jeroen Massar wrote:
> On 2014-02-27 23:12, Greg W wrote:
> > I turned on some logging on my firewall today to help troubleshoot an issue and noticed a load of connections from external addresses to port 9050 on my exit node. I don't think that should be publicly accessible. Am I wrong about it being publicly accessible and does anyone else see lots of connection attempts on that port?
> 9050 is the standard relay port, as other relays connect to your relay (and then, likely, exit), it is quite logical that you see those connections.
No, 9001 is the standard relay port. 9050 is the standard socks port.
Greg, try connecting to 9050 from outside your firewall, and see what happens?
I think what you might be seeing is that some folks who sell lists of open proxies have decided to scan Tor relays on port 9050, just in case they left it open.
--Roger
Roger,
You've confirmed my thoughts. I suspected that some people were bulk scanning relays/exits looking for open proxies too which is why I was curious if any other operators were seeing this. Thus far today I've got 175,000 connection attempts from 220 distinct IP addresses. I think I'll be sending some abuse emails and writing a new fail2ban rule!
Thanks, Greg
On Thu, Feb 27, 2014 at 8:40 PM, Roger Dingledine <arma@mit.edu> wrote:
> On Thu, Feb 27, 2014 at 11:39:55PM +0100, Jeroen Massar wrote:
> > On 2014-02-27 23:12, Greg W wrote:
> > > I turned on some logging on my firewall today to help troubleshoot an issue and noticed a load of connections from external addresses to port 9050 on my exit node. I don't think that should be publicly accessible. Am I wrong about it being publicly accessible and does anyone else see lots of connection attempts on that port?
> > 9050 is the standard relay port, as other relays connect to your relay (and then, likely, exit), it is quite logical that you see those connections.
> No, 9001 is the standard relay port. 9050 is the standard socks port.
> Greg, try connecting to 9050 from outside your firewall, and see what happens?
> I think what you might be seeing is that some folks who sell lists of open proxies have decided to scan Tor relays on port 9050, just in case they left it open.
> --Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
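The tally Greg describes (connection attempts and distinct source addresses on port 9050), as an added example that is not part of the original thread: it parses firewall drop lines, counts TCP attempts to the SOCKS port per source, and leaves out addresses the operator has already identified as relays. The log lines, the `FW-DROP:` prefix, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an iptables LOG target; addresses are
# from documentation ranges and the "FW-DROP:" prefix is a made-up log prefix.
SAMPLE_LOG = """\
Feb 28 09:01:12 relay kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=9050 SYN
Feb 28 09:01:12 relay kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=9050 SYN
Feb 28 09:01:13 relay kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=40110 DPT=9050 SYN
Feb 28 09:01:14 relay kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=40111 DPT=22 SYN
Feb 28 09:01:15 relay kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=52 PROTO=UDP SPT=53 DPT=9050
Feb 28 09:01:16 relay kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=9050 SYN
"""

# KEY=value pairs as written by the kernel's netfilter logger (value may be empty).
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def socks_probe_summary(log_text, port=9050, known_relays=frozenset()):
    """Count logged TCP attempts to `port` per source, skipping known relay IPs."""
    per_source = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        src = fields.get("SRC")
        if src and src not in known_relays:
            per_source[src] += 1
    return per_source


def repeat_offenders(per_source, threshold):
    """Sources at or above `threshold` attempts: candidates for a ban rule."""
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    summary = socks_probe_summary(SAMPLE_LOG)
    print(sum(summary.values()), "attempts from", len(summary), "distinct sources")
    print("at or above threshold:", repeat_offenders(summary, threshold=3))
```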
On Fri, Feb 28, 2014 at 09:22:10AM -0600, Greg W wrote:
> Roger,
> You've confirmed my thoughts. I suspected that some people were bulk scanning relays/exits looking for open proxies too which is why I was curious if any other operators were seeing this. Thus far today I've got 175,000 connection attempts from 220 distinct IP addresses. I think I'll be sending some abuse emails and writing a new fail2ban rule!
Great! Except, please hesitate before sending those abuse mails -- isn't that exactly the sort of thing that makes it hard for people to run Tor exits? :) We've only got this one Internet.
--Roger
Are you suggesting that the IPs making the connections are potentially exit nodes (they're not, I've checked) or that abuse email volume in general should be lowered regardless of the nature? Just trying to understand your sentiment here :)
Thanks, Greg
On Fri, Feb 28, 2014 at 9:29 AM, Roger Dingledine <arma@mit.edu> wrote:
> On Fri, Feb 28, 2014 at 09:22:10AM -0600, Greg W wrote:
> > Roger,
> > You've confirmed my thoughts. I suspected that some people were bulk scanning relays/exits looking for open proxies too which is why I was curious if any other operators were seeing this. Thus far today I've got 175,000 connection attempts from 220 distinct IP addresses. I think I'll be sending some abuse emails and writing a new fail2ban rule!
> Great! Except, please hesitate before sending those abuse mails -- isn't that exactly the sort of thing that makes it hard for people to run Tor exits? :) We've only got this one Internet.
> --Roger
On 02/28/2014 11:14 AM, Greg W wrote:
> Are you suggesting that the IPs making the connections are potentially exit nodes (they're not, I've checked) or that abuse email volume in general should be lowered regardless of the nature? Just trying to understand your sentiment here :)
Why not firewall port 9050? If you need it for your own purposes, you can tunnel into your server. What's the point of allowing non-local connections on your Sock port?
It is firewalled. I should have said "connection attempts" in my first email.
On Sun, Mar 23, 2014 at 12:09 PM, Tora Tora Tora <tor@allthatnet.com> wrote:
> On 02/28/2014 11:14 AM, Greg W wrote:
> > Are you suggesting that the IPs making the connections are potentially exit nodes (they're not, I've checked) or that abuse email volume in general should be lowered regardless of the nature? Just trying to understand your sentiment here :)
> Why not firewall port 9050? If you need it for your own purposes, you can tunnel into your server. What's the point of allowing non-local connections on your Sock port?
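An added example, not from the thread or from the Tor Project: a check of whether a torrc asks tor to accept SOCKS connections on anything other than loopback, which is the question raised at the start of the thread. The torrc fragments and function names are constructed, and the `SocksPort` syntax is assumed to be the one documented in the tor manual.

```python
import ipaddress

# Constructed torrc fragments. Assumed syntax (tor manual):
#   SocksPort [address:]port | unix:path | auto   [flags]
RELAY_ONLY = "ORPort 9001\nSocksPort 0\n"
EXPOSED = "ORPort 9001\nSocksPort 0.0.0.0:9050   # reachable from other hosts\n"


def classify_socks_listener(value):
    """Return 'disabled', 'local' or 'non-local' for one SocksPort value."""
    spec = value.split()[0]                      # ignore trailing flags
    if spec == "0":
        return "disabled"                        # no SOCKS listener at all
    if spec.startswith("unix:") or ":" not in spec:
        return "local"                           # unix socket, or bare port/auto on localhost
    host = spec.rsplit(":", 1)[0].strip("[]")    # "[::1]:9050" -> "::1"
    try:
        return "local" if ipaddress.ip_address(host).is_loopback else "non-local"
    except ValueError:
        # A hostname rather than an address: only "localhost" is taken as local.
        return "local" if host == "localhost" else "non-local"


def audit_torrc(text):
    """Classify every SocksPort line; none present means tor's default (9050 on localhost)."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "socksport":
            results.append((parts[1], classify_socks_listener(parts[1])))
    return results or [("9050 (default)", "local")]


if __name__ == "__main__":
    for name, conf in (("relay-only", RELAY_ONLY), ("exposed", EXPOSED)):
        print(name, audit_torrc(conf))
```

A "non-local" result means the firewall is the only thing keeping the SOCKS port closed to outside hosts; "disabled" or "local" means tor itself is not listening for them.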