Hello, here is a 20 minute tcpdump using the PCAP format. There were only 19 packets inbound on port 22 during said time:
Interestingly, my server was communicating with some other server, making connections TO port 22.. I then looked up said IP in Metrics, and it was just as I assumed another Tor relay:

1 0.000000 104.219.232.126 135.148.149.23 22 TCP 74 37008 → 22 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM TSval=2099663009 TSecr=0 WS=512

The only portscan over a 20 minute timespan was this fellow:

19 466.667800 167.94.146.24 104.219.232.126 22 TCP 74 36027 → 22 [SYN] Seq=0 Win=42340 Len=0 MSS=1460 SACK_PERM TSval=1728927577 TSecr=0 WS=1024

So no, there is no scanning going on on my machine. I attached the file if you want to take a look in Wireshark or whatever other parser you use.

P.S: Tor-relays moderators, maybe scrub the attachment as it can be used to track down part of a circuit.

All the best,
-GH

On Saturday, November 2nd, 2024 at 2:47 PM, George Hartley <hartley_geo...@proton.me> wrote:

> Hello,
>
> I do operate an exit node which rejects exits on port 22.
>
> You should, by default, change your SSH port to a random 5 digit number:
>
> Random.org Random Number Generator
>
> And apply static IPTables rules to block connection spam even if someone
> portscans your system (make sure to apply this rule to your random port, I
> just set the port here to 22):
>
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH -j DROP
> > $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> Also, disable password-based authentication entirely, and go for at least
> RSA4096 or even better ED25519 login rendezvous.
>
> I promise to later do a tcpdump on my machine, and see if relays on the
> public lists are more affected than your average "normal" server.
>
> Of course there are always machines, more often infected than not, scanning
> the IPv4 ranges for open SSH ports, which possibly can be exploited.
>
> Please wait for my reply in a few hours friend.
>
> -GH
>
> On Tuesday, October 29th, 2024 at 4:33 AM, Pierre Bourdon delr...@gmail.com wrote:
>
> > Hi relay ops,
> >
> > By any chance, any other relay ops seeing the same thing, or am I just
> > going crazy? (it does kind of sound insane...)
> >
> > Software Engineer @ Zürich, Switzerland
> > https://delroth.net/
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays@lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
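One way to do the same triage on a capture like this without Wireshark, as an added example that is not code from the thread: a minimal pcap reader that counts bare SYNs to port 22 per source address and separates them from the server's own outbound SYNs (the relay-to-relay connections mentioned above). The sample capture and the addresses are constructed from RFC 5737 test ranges, not taken from the attached file.

```python
import socket
import struct
from collections import Counter

def ethernet_tcp_packet(src, dst, sport, dport, flags):
    # Minimal Ethernet II + IPv4 + TCP frame: dummy MACs, no options, checksums zeroed.
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 32120, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    # Classic little-endian pcap: 24-byte global header (link type 1 = Ethernet), then
    # a 16-byte record header (ts_sec, ts_usec, caplen, len) in front of every frame.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_frames(data):
    # Yield each captured frame; the magic reveals the writer's byte order.
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    offset = 24
    while offset + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, offset)[2]
        yield data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen

def ssh_syn_sources(pcap_bytes, my_ip, port=22):
    # Count bare SYNs to `port`: inbound per source IP vs. our own outbound per destination.
    inbound, outbound = Counter(), Counter()
    for frame in iter_frames(pcap_bytes):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IHL-sized IPv4 header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        dport = struct.unpack_from("!HH", frame, tcp)[1]
        if dport != port or (frame[tcp + 13] & 0x12) != 0x02:
            continue  # wrong port, or a SYN/ACK or other non-SYN segment
        if dst == my_ip:
            inbound[src] += 1
        elif src == my_ip:
            outbound[dst] += 1
    return dict(inbound), dict(outbound)

MY_IP = "198.51.100.7"  # constructed sample with RFC 5737 addresses, not the attached capture
SAMPLE_PCAP = build_pcap([
    ethernet_tcp_packet("203.0.113.5", MY_IP, 36027, 22, 0x02),   # scanner SYN
    ethernet_tcp_packet("203.0.113.5", MY_IP, 36028, 22, 0x02),   # scanner retry
    ethernet_tcp_packet(MY_IP, "192.0.2.9", 37008, 22, 0x02),     # our own outbound SYN
    ethernet_tcp_packet("192.0.2.9", MY_IP, 22, 37008, 0x12),     # SYN/ACK reply: ignored
    ethernet_tcp_packet("203.0.113.5", MY_IP, 36029, 443, 0x02),  # other port: ignored
])
```

To run it over a real tcpdump file, pass `open("capture.pcap", "rb").read()` and the relay's own address to `ssh_syn_sources`; anything in the inbound dict with a high count is the scanner, while the outbound dict lists the peers the server itself opened port 22 to.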
capture.pcap
Description: application/vnd.tcpdump.pcap
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays