IPFire Community

NTP Log Entries Towards TOR Exit Node

firewire (Martin Koller) 6 June 2025 05:31 1

Good morning, team.

In my logs I discovered regular entries for Port 123/UDP (NTP) from my iPFire IP to a Tor Exit Node. I’ve blocked Tor and I wonder how to find out where these log entries do come from.

07:19:17	BLKLST_TOR_ALL		UDP www.xxx.yyy.zzz	152.53.15.127 123
07:01:32	BLKLST_TOR_ALL		UDP www.xxx.yyy.zzz	152.53.15.127 123

whereas www.xxx.yyy.zzz is my IPFire IP.

Could this be a NATed device in BLUE/ORANGE/GREEN as well, or is this definitely the IPFire IP as shown in the logs?

Kind regards.

pscar13 (Phil SCAR) 6 June 2025 06:34 2

I also noticed that the NTP address pools were using addresses in the TOR network.
This shouldn’t be a problem since IPFire can block them, but I still changed the NTP server addresses to avoid them.

nickh (Nick Howitt) 6 June 2025 09:12 3

Conceptually, there is no reason why a TOR exit node cannot be an NTP time server as well.

pscar13 (Phil SCAR) 6 June 2025 10:13 4

No one is saying otherwise.
But we all know that not all TOR users are choirboys.
That’s why IPFire allows you to block them.

Edit: It’s a personal choice, not an obligation.

firewire (Martin Koller) 2 August 2025 05:52 5

I wonder why the previosly mentioned IP address 152.53.15.127 (mail.jabber-germany.de) seems now to be part of the at.pool.ntp.org as well.