[tor-talk] tor using SSH

2011-03-22 Thread egf
I use on several systems here. The firewall has "noticed" several instances where all these systems are initiating traffic with external sites(1). These occur during odd hours when there is nobody using these systems, thus there is some suspicion. The firewall has since blocked this suspect

Re: [tor-talk] tor using SSH

2011-03-22 Thread egf
> From tor-talk-boun...@lists.torproject.org Tue Mar 22 04:16:23 2011
(snippage...)
>
> I don't know if this is what you are talking about or not, but a while
> back I noticed port 22 (the traditional SSH port) traffic I wasn't
> expecting on one of my machines. Checking tor's cached-descrip

Re: [tor-talk] tor using SSH

2011-03-22 Thread egf
> Date: Tue, 22 Mar 2011 15:13:33 -0400
> From: Andrew Lewman
>
> How are you detecting ssh activity? actual protocol analysis or tcp
> port 22? There are valid relays on tcp port 22 which your tor client
> may connect to in the normal operation of tor.
>
having capturing ALL packets comin

Re: [tor-talk] tor using SSH

2011-03-22 Thread egf
> From: Benedikt Westermann
>
> Your machine, running a Tor client, initiates a connection to a machine
> on port 22. This is your situation as I understood it.
>
> All of the mentioned IPs are IPs of Tor nodes and all of them announcing
> port 22 as a listen port, e.g., Amunet9, a Tor router

Re: [tor-talk] tor using SSH

2011-03-23 Thread egf
> Wed, 23 Mar 2011 11:54:37 -0400 (EDT)
> From: cmeclax-sazri
>
> Telling ssh traffic from Tor traffic on port 22 is easy. The ssh connection
> begins with an exchange of ssh version numbers in the clear, then a list of
> ciphers. Connecting to a Tor port and sending an SSH version wil

Re: [tor-talk] tor using SSH

2011-03-23 Thread egf
Ooops... a typo in there. Also, reformatted the rule string to make it more readable. Better make that:

iptables -A INPUT -p tcp \! -f -m connbytes --connbytes 0:255 \
  -m state --state ESTABLISHED -m length --length 46:375 -m u32 \
  --u32 "o>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D" -j DR

Re: [tor-talk] tor using SSH

2011-03-23 Thread egf
Yet another typo... the 1st char in the quoted string for --u32 should be the digit zero (0) instead of lower-case oh (o).

iptables -A INPUT -p tcp \! -f -m connbytes --connbytes 0:255 \
  -m state --state ESTABLISHED -m length --length 46:375 -m u32 \
  --u32 "0>>22&0x3C@ 12>>26&0x3C@ 0=0x53
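As an added example (not from any post in this thread), the Python below reproduces the header-offset arithmetic of the quoted u32 expression and classifies what is actually spoken on port 22 from the first payload bytes: the cleartext "SSH-" banner versus the TLS record a Tor relay answers with. Function names and the inline packets are constructed for the example.

```python
# Added example: mirror the u32 rule "0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D"
# in Python and classify port-22 payloads. Packets below are constructed.
import struct

SSH_BANNER_MAGIC = 0x5353482D  # the bytes "SSH-", the constant the u32 rule compares against


def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet using the same arithmetic
    as the u32 rule: IHL*4 to skip the IP header, data-offset*4 to skip TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # u32: 0>>22&0x3C (IP header length in bytes)
    if packet[9] != 6:                      # IP protocol field: 6 = TCP
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    doff = (tcp[12] >> 4) * 4               # u32: 12>>26&0x3C (TCP header length in bytes)
    return tcp[doff:]


def classify_port22(payload: bytes) -> str:
    """Classify the first application bytes seen on a port-22 connection."""
    if len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == SSH_BANNER_MAGIC:
        return "ssh"        # cleartext "SSH-x.y-..." version banner, as the thread describes
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"        # TLS record: handshake type 0x16, version 3.x (a Tor relay's listener)
    return "unknown"


def build_packet(payload: bytes, ihl_words: int = 5, doff_words: int = 5) -> bytes:
    """Constructed IPv4/TCP packet with chosen header sizes (options zero-filled),
    so the offset logic can be checked with and without IP/TCP options."""
    ip = bytearray(ihl_words * 4)
    ip[0] = 0x40 | ihl_words                # version 4, IHL in 32-bit words
    ip[9] = 6                               # protocol TCP
    tcp = bytearray(doff_words * 4)
    tcp[12] = doff_words << 4               # data offset in 32-bit words
    return bytes(ip) + bytes(tcp) + payload


if __name__ == "__main__":
    for data in (b"SSH-2.0-OpenSSH_8.9\r\n", b"\x16\x03\x01\x00\xc4\x01", b"GET / HTTP/1.1"):
        print(classify_port22(tcp_payload(build_packet(data, ihl_words=6, doff_words=8))))
```

The rule in the thread only inspects the first four payload bytes, so like the rule this classifier looks at the opening banner rather than doing full protocol analysis.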