Hi Folks:
I got an abuse complaint from my VPS host, because someone was using my exit node for port scanning. Here is the first bit of his (redacted) log.
Attack detail : 4K scans
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2016.05.14 17:13:47 CEST xxx.xxx.xxx.xxx:35008 xxx.xxx.xxx.xxx:22 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:47 CEST xxx.xxx.xxx.xxx:46532 xxx.xxx.xxx.xxx:22 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:47 CEST xxx.xxx.xxx.xxx:41718 xxx.xxx.xxx.xxx:22 TCP SYN 60 SCAN:SYN
Hosting dude says he'd appreciate it if I could prevent this, but I'm not sure how.
I'm afraid I don't have any logs - the VPS got reimaged.
Suggestions how to prevent or mitigate this are welcome.
Cheers,
K.
There's really nothing to do. Based on the limited logs, it looks like someone was just looking for open TCP port 22 (ssh). You can't really block the scans by source since you don't know the source address (because Tor). You could prevent connections to port 22, but that would prevent everyone else from using ssh through your exit, and also, it wouldn't stop port scanning of any other ports allowed through the exit.
I'd just explain you're running a Tor exit, and thus you cannot identify the source of the scan.
As common as port scanning is (and has been for as long as the Internet has been around), I'm surprised providers still worry about it this much.
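Two things come up in the original post and in this reply that are easy to check with a small script: what the abuse report actually shows (how many SYNs, to which ports, at what rate) and whether a reject rule for port 22 would have stopped any of it. The following Python is an added example, not code from the thread or from Tor; it parses lines in the same layout as the quoted report, summarizes them, and evaluates a simplified torrc-style exit policy (first matching rule wins) against each line. The sample lines are constructed: the real report had its addresses redacted, so documentation addresses are used, and two extra lines to ports 80 and 443 are added to show that a `reject *:22` rule only removes the port-22 lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the quoted abuse report. Addresses are
# RFC 5737 documentation ranges (the original was redacted); the 80/443 lines
# are added to illustrate the exit-policy point and were not in the report.
SAMPLE_REPORT = """\
2016.05.14 17:13:47 CEST 192.0.2.10:35008 198.51.100.5:22 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:47 CEST 192.0.2.10:46532 198.51.100.6:22 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:47 CEST 192.0.2.10:41718 198.51.100.7:22 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:48 CEST 192.0.2.10:41719 198.51.100.8:80 TCP SYN 60 SCAN:SYN
2016.05.14 17:13:48 CEST 192.0.2.10:41720 198.51.100.9:443 TCP SYN 60 SCAN:SYN
"""

# One report line: date time tz src:port dst:port proto flags bytes reason
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<proto>\S+) (?P<flags>\S+) (?P<bytes>\d+) (?P<reason>\S+)$"
)


def parse_report(text):
    """Parse report lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["date"] + " " + d["time"], "%Y.%m.%d %H:%M:%S")
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        events.append(d)
    return events


def summarize(events):
    """Counts per destination port, number of distinct targets, and peak events per second."""
    by_port = Counter(e["dst_port"] for e in events)
    targets = {e["dst_ip"] for e in events}
    per_second = Counter(e["ts"] for e in events)
    return {
        "by_dst_port": dict(by_port),
        "distinct_targets": len(targets),
        "peak_per_second": max(per_second.values()) if per_second else 0,
    }


def exit_policy_allows(policy, dst_port):
    """Evaluate a simplified exit policy: rules like 'accept *:80', 'reject *:22',
    'accept *:80-81' or 'reject *:*'. First matching rule wins, as in torrc
    ExitPolicy. Assumption: the address part is always '*' and the policy ends
    with a catch-all rule, so Tor's default policy never has to be modelled."""
    for rule in policy:
        action, target = rule.split()
        _, port_spec = target.split(":")
        if port_spec == "*":
            return action == "accept"
        lo, _, hi = port_spec.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo <= dst_port <= hi:
            return action == "accept"
    raise ValueError("policy has no catch-all rule")


def events_passing(events, policy):
    """How many of the reported connections the given exit policy would still let through."""
    return sum(1 for e in events if exit_policy_allows(policy, e["dst_port"]))


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    print(summarize(evs))
    # Rejecting 22 drops the port-22 lines but the 80/443 lines still exit.
    print(events_passing(evs, ["reject *:22", "accept *:*"]))
```

Running it on the sample shows three SYNs to port 22 in the same second across three distinct targets, which is the signature the provider's IDS labelled SCAN:SYN, and that a `reject *:22` rule would leave the remaining two connections (ports 80 and 443) unaffected, which is the point made above about a port-22 reject not stopping scans of other allowed ports.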
Yeah, he knows, he'd just kind of like it to go away.
A bit of googling yielded something called tortunnel which links directly to the exit node and allows a scan. It'd be nice to make a bit of an effort though, so, anyone know how to interfere with that? It's Moxie, mind you, so it's probably bulletproof.
K.
On 21/05/16 21:46, Green Dream wrote:
> There's really nothing to do. Based on the limited logs, it looks like someone was just looking for open TCP port 22 (ssh). You can't really block the scans by source since you don't know the source address (because Tor). You could prevent connections to port 22, but that would prevent everyone else from using ssh through your exit, and also, it wouldn't stop port scanning of any other ports allowed through the exit.
> I'd just explain you're running a Tor exit, and thus you cannot identify the source of the scan.
> As common as port scanning is (and has been for as long as the Internet has been around), I'm surprised providers still worry about it this much.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sat, 21 May 2016 22:35:33 +0100 ken@kenbaker.co.uk wrote:
> Yeah, he knows, he'd just kind of like it to go away.
> A bit of googling yielded something called tortunnel which links directly to the exit node and allows a scan. It'd be nice to make a bit of an effort though, so, anyone know how to interfere with that? It's Moxie, mind you, so it's probably bulletproof.
Run a version of tor more recent than 0.2.2.17-alpha.
https://trac.torproject.org/projects/tor/ticket/1751