Firewall Blocklist - TOR Outgoing

Does anyone have an idea how I can find out at my home which system called the TOR IP address?

192.168.178.30 is my external IP address from the network of my ISP router (Fritz Box).

Could be a trojan? Port 123 (tcp/udp) :: SpeedGuide
UDP Port 123 is NTP, could be that there is a Time Sync server running on the same machine as a Tor exit node, maybe to coordinate a DDoS attack? This blog post could be relevant.

Maybe, just in case, you could consider redirecting all the traffic to NTP servers (as well as DNS servers) to IPFire.

So the IP 192.168.178.30 is the external interface of my IPFire system. So it can come from a VM (QEMU) I run on the IPFire (Nextcloud, pihole, unifi ap, checkMK) or a system that sits behind the IPFire.
IPFire itself is set as a time server (0.ipfire.pool.ntp.org) and retrieves data every 2 hours.
I could now turn off the service once and see if hits keep coming, but I honestly can’t imagine it.

Yes, possibly the second one. Regardless, you should really consider keeping IPFire only for the job it is supposed to do: firewalling. I would move all those servers away from a VM running on top of IPFire and into a proper server box.

Exactly, this is why you want a rule on your firewall that will automatically redirect any NTP message from inside your LAN to IPFire, which will always connect to the IPFire pool and not to a random server hosting a tor exit node.

1 Like
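To make the advice above concrete for the original question (which system behind the firewall talked to the blocklisted address, and is it really NTP?), here is an added triage script. It is not part of this thread and not IPFire's own code. It assumes the blocklist hits are written in the standard netfilter LOG key=value format and are logged before source NAT, so the LAN host's address is still in the SRC field; the log prefix `BLKLST_TOR_OUT`, the interface names and all addresses in the sample lines are constructed placeholders. If your firewall logs only after NAT, every hit shows the RED address, which is exactly the situation in this thread and why switching services off one at a time was needed.

```python
"""Triage netfilter blocklist log lines: is the blocked 'Tor' traffic really
NTP, and which side of the firewall did each flow originate from?"""
import re
from collections import Counter

# netfilter LOG lines carry KEY=VALUE fields; this pulls them out.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (placeholder prefix, interfaces and addresses).
# Three hits are UDP/123 (NTP) to the same pool member; one is TCP/443 from
# a different LAN host and deserves a real look.
SAMPLE_LOG = """\
Jun  3 16:40:12 ipfire kernel: BLKLST_TOR_OUT IN= OUT=red0 SRC=192.168.178.30 DST=198.51.100.23 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  3 16:40:13 ipfire kernel: BLKLST_TOR_OUT IN=green0 OUT=red0 SRC=192.168.10.20 DST=198.51.100.23 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  3 16:41:02 ipfire kernel: BLKLST_TOR_OUT IN=green0 OUT=red0 SRC=192.168.10.20 DST=198.51.100.23 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun  3 17:05:44 ipfire kernel: BLKLST_TOR_OUT IN=green0 OUT=red0 SRC=192.168.10.77 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return the fields we need from one LOG line, or None for other lines.
    Note: LEN= appears twice (IP and UDP length); the dict keeps the last one,
    which is fine because we never use it."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    f = dict(_KV.findall(line))
    return {
        "in": f.get("IN", ""),
        "out": f.get("OUT", ""),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "spt": int(f["SPT"]) if "SPT" in f else None,
        "dpt": int(f["DPT"]) if "DPT" in f else None,
    }


def origin(rec, red_ip):
    """A hit with no ingress interface and the RED address as source was
    generated by the firewall itself (e.g. its own ntpd). A hit entering on an
    internal interface names the LAN host, which NAT would otherwise hide."""
    if rec["in"] == "" and rec["src"] == red_ip:
        return "firewall-local"
    return f"lan:{rec['src']}"


def records(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def summarize(log_text, red_ip):
    """Count hits per (protocol, destination port) and per origin, and say
    whether every hit is plain NTP (UDP/123)."""
    recs = records(log_text)
    return {
        "total": len(recs),
        "by_service": Counter((r["proto"], r["dpt"]) for r in recs),
        "by_origin": Counter(origin(r, red_ip) for r in recs),
        "all_ntp": all(r["proto"] == "UDP" and r["dpt"] == 123 for r in recs),
    }


def ntp_clients_behind_nat(log_text, red_ip):
    """LAN hosts that reached a blocklisted address on UDP/123: these are the
    machines a 'redirect LAN NTP to the firewall' rule would have caught."""
    hosts = {r["src"] for r in records(log_text)
             if r["proto"] == "UDP" and r["dpt"] == 123
             and origin(r, red_ip) != "firewall-local"}
    return sorted(hosts)


def non_ntp_hits(log_text):
    """Everything that is not NTP: the hits that still need investigating
    after the pool-server explanation has been accepted."""
    return [r for r in records(log_text)
            if not (r["proto"] == "UDP" and r["dpt"] == 123)]


if __name__ == "__main__":
    red = "192.168.178.30"  # placeholder RED address, as in the sample lines
    print(summarize(SAMPLE_LOG, red))
    print("NTP clients behind NAT:", ntp_clients_behind_nat(SAMPLE_LOG, red))
    for r in non_ntp_hits(SAMPLE_LOG):
        print("non-NTP hit:", r["src"], "->", r["dst"], r["proto"], r["dpt"])
```

Run it against `/var/log/messages` (or wherever your firewall writes kernel LOG lines) instead of `SAMPLE_LOG`. If `all_ntp` is true and the LAN hosts listed are the ones you expect to run ntpd, the blocklist hits are the pool-member coincidence described in this thread; anything left in `non_ntp_hits` is what to look at next.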

I have extra powerful hardware to use QEMU on ipfire because I run it at home and don’t want a datacenter.

For DNS I already have such a rule and for NTP now too and hopefully it is set correctly. Let’s see what the log outputs.

In other words, you value convenience over security here. That’s fine, as long as you are aware of the risks. A virtual machine is not in bullet-proof isolation. A hack on a Nextcloud instance guest could lead to an owned host, which is the guardian angel of your entire network. Just be aware of that.

2 Likes

Can this be a coincidence?

I disable the NTP service once and see how the logs behave.

When I stop or disable the NTP service…

or activate it but do not make it available to the network

then there is no logging in the block list.

Last synchronization was at 22:10 but the last log entry at 16:40.

So it must have to do with providing the NTP service on the network.

Update:

I suspect it’s currently my Ubuntu server running the Unifi AP controller because since I turned it off, there have been no log entries.

https://community.ipfire.org/t/errors-ntpdate-blacklisted-pool-adresses/8738/7?u=pablo78

1 Like