Hey John,
Perhaps one thing you can try in debugging is to run tcpdump on the server in question, to check if it is indeed sending out a lot of port-scanning packets. You can use the following command to filter for port 22 only. Make sure to test with tor turned off as well.
“sudo tcpdump -vv dst port 22 and host not 123.45.xx.xx”
(Since filter for port 22 will also capture your own ongoing ssh connection to the server, you need to fill in your own computer’s public IP address into the filter to suppress it.)
Cheers,
···
–
Danny
On Wed, Jul 26, 2023 at 7:07 PM John Crow via tor-relays <tor-relays@lists.torproject.org> wrote:
Hello all,
In the past 24 hrs, I have been receiving complaints from my hosting provider that they’re receiving hundreds of abuse reports related to port scanning. I have no clue why I’m all of the sudden receiving abuse reports when this non-exit relay has been online for months without issues. In addition, I have other non-exit relays hosted by the same provider with no issues and more across other providers.
I proceeded to reinstall the OS and reconfigure Tor. I was then quickly notified by my hosting provider again of more abuse reports all showing port 22 as target port.
I have not changed my torrc at all and it’s still setup as a non-exit relay. No other applications/services were installed alongside Tor. Tor Metrics does not show the relay as Exit either.
It feels like Tor Exit Traffic is leaking through my non-exit relay?
Has anyone else experienced any behavior similar to this? Any ideas on how to fix or prevent this?
prsv admin
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays