Tor server doing network scans

Guys, I reconfigured one of my Tor servers to act as an exit node.

  • Ports 80 and 443 were allowed.

But within 24 hours my hosting provider disabled my IP on the server due to network scans. Is it common that an exit node does network scans?

thanks.
S

1 Like

This might have happened because someone used your server to enumerate ports 80 & 443 on multiple net-blocks. I guess it’s more likely to happen on new exits, because a fresh IP is unlikely to be already blocked by a common IPS or firewall.
Maybe just ask your provider what the pattern was…

Well, the server in the US did a port scan on a server in JP.
A full scan of a /24 on port 80.
Does this make more sense to you?

S

Your provider seems to be a supporter of the “broken windows theory” and took your server offline.
Did you announce your plan of running a Tor exit in advance? Then this would be a bit harsh, I guess - if you did not, it might have been a good plan to explain ahead. Some providers in the past even wanted to put Tor servers in a separate net segment (IP-range and traffic wise).
If you can’t find an agreement with your current provider, probably you should find another one which is more tor-(exit)-friendly.

Hope this won’t discourage you… :crossed_fingers:

Port scans are very common through the Tor network (for legitimate use-cases as well as with malicious intent). I’d wager that at any random moment in time, at least multiple port scans run through some of my Tor exit relays.

That being said, there are many concurrent port scans on the clear internet already (and again: both for legitimate use-cases and malicious use-cases) and they have become a significant and pretty much integral part of it so to speak. I’d wager Tor doesn’t change much about the amount or severity of port scans on the internet as a whole.

As a provider, blocking IP addresses that run port scans on your network is not that useful for the internet. But from a provider’s perspective there still are two advantages: it limits the amount of abuse complaints you have to deal with and in some cases it prevents lowering the reputation of the IP address or its subnet/block.

And do note that port scans are only one part of the issue. The real problem is what comes after the port scan: the massive and constant brute-force efforts on unprotected/unshielded login pages (like WordPress’ wp-admin, which by default is a pinnacle of bad security practices). Those tend to receive many more abuse complaints (mostly automated tools and individuals), legal complaints/requests (mostly banks/financial sector), formal requests (mostly governments) etc.

Like @atari mentions, it’s best to discuss running Tor with your provider up front. Some providers are proponents, some are against it. If you make sure everyone is on the same page beforehand, it’s less likely to get into similar situations or to be disappointed :slight_smile: .
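
The pattern the provider reported (one source touching port 80 on every host of a /24) is easy to pick out of a connection log, which is roughly what an automated abuse system does. Below is an added example, not code from this thread or from Tor; the log format, the threshold of 16 distinct hosts in 10 minutes and the addresses are all assumptions, and the log is constructed inline:

```python
"""Flag a single source sweeping one TCP port across a /24 (added example,
not code from the thread). Log format, thresholds and addresses are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress


def build_sample_log():
    """Constructed connection log, one line per flow: '<iso-ts> <src> <dst> <dport>'.
    198.51.100.7 walks 203.0.113.1-.48 on port 80 (a /24 sweep like the one in
    the complaint); 198.51.100.9 hammers a single host on 443 (busy, not a scan)."""
    base = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for n in range(1, 49):
        t = base + timedelta(seconds=3 * n)
        lines.append(f"{t.isoformat()} 198.51.100.7 203.0.113.{n} 80")
    for n in range(30):
        t = base + timedelta(seconds=5 * n)
        lines.append(f"{t.isoformat()} 198.51.100.9 203.0.113.50 443")
    return lines


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_sweeps(lines, min_hosts=16, window=timedelta(minutes=10)):
    """Return {(src, '<net>/24', dport): distinct_hosts} for every
    (source, /24, port) that reached at least min_hosts distinct destinations
    inside a sliding `window`. Repeated hits on the same host do not count,
    so a chatty but legitimate client is not reported as a scanner."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        events[(src, str(net), dport)].append((ts, dst))

    sweeps = {}
    for key, hits in events.items():
        hits.sort()
        in_window = Counter()   # dst -> hits currently inside the window
        best = 0
        j = 0
        for i, (t_start, dst_i) in enumerate(hits):
            # extend the window end to cover everything within `window` of hits[i]
            while j < len(hits) and hits[j][0] - t_start <= window:
                in_window[hits[j][1]] += 1
                j += 1
            best = max(best, len(in_window))
            # hits[i] leaves the window before the start moves to hits[i+1]
            in_window[dst_i] -= 1
            if in_window[dst_i] == 0:
                del in_window[dst_i]
        if best >= min_hosts:
            sweeps[key] = best
    return sweeps


if __name__ == "__main__":
    for (src, net, port), n in find_sweeps(build_sample_log()).items():
        print(f"{src} swept {n} hosts in {net} on tcp/{port}")
```

Counting distinct destination hosts rather than raw connections is the detail that separates a sweep from ordinary exit traffic: the second source in the sample makes 30 connections in the same period and is never reported. An exit operator cannot see who is behind the sweep, but running this over the exit's own flow logs at least tells you what the provider is about to complain about.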

Well, I did not talk to them before, but they put the server back online immediately once I explained the situation and reconfigured it as a relay only.
I’ll leave it this way, as the IP was also listed on Spamhaus and flagged as part of the Ranbyus botnet.

BTW, my provider is Hetzner.de.

thanks anyway guys.
S

1 Like
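
For reference, the two configurations this thread moves between, written out as an added torrc example (not the original poster’s file; nickname, contact address and port are placeholders, the directives themselves are standard Tor options):

```text
## Added example torrc, not the original poster's configuration.
## Nickname, ContactInfo and ORPort are placeholders.
Nickname        exampleRelay
ContactInfo     operator@example.net
ORPort          9001

## (a) What the first post describes: an exit that only lets web ports out.
## Note this still lets a client walk port 80 across a whole /24; an exit
## policy restricts destination ports, it does nothing about scan behaviour.
ExitRelay  1
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*

## (b) What the poster switched to after the complaint: a non-exit (middle)
## relay. No client traffic leaves this IP, so no scans, brute-force attempts
## or abuse reports get attributed to it. Replace the lines of (a) with these:
# ExitRelay  0
# ExitPolicy reject *:*
```

Before reloading, `tor --verify-config -f /etc/tor/torrc` catches syntax mistakes; the relay keeps its keys and identity across the change, only its exit flag in the consensus changes once directory authorities pick up the new policy.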

Hello SB,

Yes, Hetzner allows just middle relays and bridges, which means I had the same issue with an exit relay there, as you did.
However, I love Hetzner’s great machines, disks and services ; )

Hell yeah, I have been a customer for nearly 21 years. My first server was the entry-level server for 39€ with SuSE on it. :slight_smile:
Those were the times… - pretty new to Linux. Once YaST asked me: “do you really want to upgrade your glibc?” - sure… never saw that OS again… :slight_smile: