TOR relay connections

instanttim
instanttim Member, Beta Tester Posts: 11

my Fingbox is getting outside connections from known TOR relays according to my UniFi intrusion detection system.

does anyone know what might explain what I’m seeing?



Answers

  • rooted
    rooted Gulf Coast, US Moderator Posts: 891

    Are those ports actually open on the Fingbox? I just scanned mine and it has two open ports (80,44444), I don't have time to analyze the traffic but I'm sure both ports are by design.

    Any thoughts @Robin ?

  • instanttim
    instanttim Member, Beta Tester Posts: 11
    Endpoint scanner showed only 80 open on Fingbox.
    Given the firewall rules, for these outside IPs to hit the FingBox through NAT it would have had to reach out to them first (related and established rule).



  • rooted
    rooted Gulf Coast, US Moderator Posts: 891

    Fing crew is off on the weekend, it's early Monday morning in Europe so hopefully @Robin will be able to let you know if they indeed use Tor for some reason. I'm interested as this is the first time I've seen it mentioned.

  • Robin_from_Fing
    Robin_from_Fing Administrator, Fing Team Posts: 4,885
    Hi @instanttim
    did you NAT the fingbox port 80 to the outside internet?
    In another case, external Internet should not be able to try and connect to Fingbox port 80. Fingbox port 80 is dedicated to device recognition: you can visit it from browsing-capable devices to get improved device recognition(Fing Recognition feature from Fing Desktop).
    Robin (Admin at Fing)
    Getting Started? Please refer to Community guidelines & Community User Guides. HAPPY POSTING!!!
  • Scooby
    Scooby Member Posts: 178
    Another individual found port 44444 open, on their Fingbox, in this discussion:

    Although I don't have a Fingbox, curious what the port is for, but it would seem a "normal" port for the Fingbox, as two individuals have found it open.

  • Awakened316
    Awakened316 Member Posts: 1

    I also have a UniFi setup and I too have been receiving these Tor relay threat management alerts. They are from different IP addresses and using different ports to try to reach the Fingbox. I’m hoping someone can shed some light here.

  • instanttim
    instanttim Member, Beta Tester Posts: 11

    No @Robin , no port forwarding or extra firewall rules at all. Only allowing incoming related and established.

    I was able to trigger the intrusion warnings by visiting the same IP from my phone. Those IPs respond to http get requests by trying alternate ports? I don’t know enough about this...

  • instanttim
    instanttim Member, Beta Tester Posts: 11

    Every time I use a browser to try and access the IPs in the alerts, they trigger an intrusion alert. Just like I got while my Fingbox was running. Is there any reason the Fingbox would have been reaching out to these known TOR relays?

  • Scooby
    Scooby Member Posts: 178
  • instanttim
    instanttim Member, Beta Tester Posts: 11
    Can someone from Fing confirm that Fingbox does NTP requests of these IPs? And if that's the case, then I think that should be changed because NTP requests shouldn't be resulting in the servers trying to connect back to me. Of interest, when I make NTP requests of these IPs from the command line, nothing happens except I get the time. If I try HTTP requests to the same IPs, I get these attempted connections back.
  • Robin_from_Fing
    Robin_from_Fing Administrator, Fing Team Posts: 4,885
    instanttim said:
    Can someone from Fing confirm that Fingbox does NTP requests of these IPs? And if that's the case, then I think that should be changed because NTP requests shouldn't be resulting in the servers trying to connect back to me. Of interest, when I make NTP requests of these IPs from the command line, nothing happens except I get the time. If I try HTTP requests to the same IPs, I get these attempted connections back.
    Can you please check if you are still getting TOR alerts? We have not been able to understand why other applications are trying to use ports used by Fingbox.
    Robin (Admin at Fing)
  • Janssen
    Janssen Member Posts: 2
    edited April 3, 2020
    I've been receiving these alerts as well for a week or two, and even this morning, at 5:44 AM, 6:04 AM, and 7:35 AM. I've also been having instability on my network corresponding with the times of these alerts. I'd unplugged Fingbox for a day or two, and things stabilized. I've attached a screenshot. After plugging it back in, the alerts came back, and I've had additional network stability issues. All of these are from the Fingbox IP. It changed to a new DHCP address when I plugged it back in.
  • Robin_from_Fing
    Robin_from_Fing Administrator, Fing Team Posts: 4,885
    Janssen said:
    I've been receiving these alerts as well for a week or two, and even this morning, at 5:44 AM, 6:04 AM, and 7:35 AM. I've also been having instability on my network corresponding with the times of these alerts. I'd unplugged Fingbox for a day or two, and things stabilized. I've attached a screenshot. After plugging it back in, the alerts came back, and I've had additional network stability issues. All of these are from the Fingbox IP. It changed to a new DHCP address when I plugged it back in.
    Are you also using any UniFi systems? The IPs in the screenshot are being used for NTP (network time protocol). And, yes, the Fingbox device uses NTP to sync time at boot. Fingbox is the NTP client, so in case you see an NTP connection from outside to your network, it's definitely not the Fingbox.
    Robin (Admin at Fing)
  • Janssen
    Janssen Member Posts: 2
    Robin said:
    Are you also using any UniFi systems? The IPs in the screenshot are being used for NTP (network time protocol). And, yes, the Fingbox device uses NTP to sync time at boot. Fingbox is the NTP client, so in case you see an NTP connection from outside to your network, it's definitely not the Fingbox.
    Yes, I'm also using the UniFi platform, which over the past couple of weeks has become very unstable. I've been needing to reboot the cable modem, router, access points, etc., regularly, and I've not historically had to do so. I've unplugged my Fingbox again to see if the problem returns while it's off the network. So far, I've only had issues when it's been plugged in, though I still can't say whether it's coincidence or not at this point.
  • Robin_from_Fing
    Robin_from_Fing Administrator, Fing Team Posts: 4,885
    Janssen said:
    Yes, I'm also using the UniFi platform, which over the past couple of weeks has become very unstable. I've been needing to reboot the cable modem, router, access points, etc., regularly, and I've not historically had to do so. I've unplugged my Fingbox again to see if the problem returns while it's off the network. So far, I've only had issues when it's been plugged in, though I still can't say whether it's coincidence or not at this point.
    It seems like the issue is with users who have UniFi systems, and the IPs being used in the alerts are for NTP. Also, the Fingbox device uses NTP to sync time at boot. Fingbox is the NTP client, so in case you see an NTP connection from outside to your network, it's definitely not the Fingbox.
    Robin (Admin at Fing)
  • BrianAker
    BrianAker Member Posts: 1
    What I believe is happening is that the Fingbox is making a query to pool.ntp.org, and the NTP server then tries to probe the Fingbox.
    The order of the events:
    The Fingbox resolves the address pool.ntp.org and is provided the IP address of a random NTP server.
    The Fingbox then makes an NTP query to the server.
    That server returns the NTP response and additionally probes the host that made the request.
    The UniFi router blocks the attempt(s) to probe the Fingbox.
    The probing is not that intelligent (it could be the prober believes they have an open port on the device, but it could just as likely be attempting to exploit a well-known issue for some other common IoT device).
    Whatever the probe was, the UniFi gateway stopped it.
    One solution? Fing could use Google's, Facebook's, Apple's, etc. NTP servers instead of the NTP Pool.
  • Sylviepipi
    Sylviepipi Member Posts: 3
    Received the same issue

    Threat Management Alert 2: Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 838. From: 88.99.86.9:80, to: xxxx:58236, protocol: TCP
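As an added example (not from this thread, Fing, or Ubiquiti), here is one way to triage these alerts along the lines of the NTP-then-probe explanation given above: parse a UniFi Threat Management alert line in the format quoted in the last post, then check whether the local host had itself initiated a connection to the flagged IP shortly before. The Fingbox address, timestamps and outbound flow-log entries are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Pattern for the UniFi Threat Management alert text quoted in this thread.
ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?) group \d+\. "
    r"From: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"to: (?P<dst>\S+?):(?P<dport>\d+), protocol: (?P<proto>\w+)"
)

def parse_alert(line):
    """Extract signature, remote and local endpoints from one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a

def explained_by_outbound(alert, alert_time, flows, window=timedelta(minutes=5)):
    """Return the local-host-initiated flow to the alert's source IP that
    preceded the alert within `window`, or None if nothing explains it."""
    for f in flows:
        if (f["src"] == alert["dst"] and f["dst"] == alert["src"]
                and timedelta(0) <= alert_time - f["time"] <= window):
            return f
    return None

# Constructed sample: the Fingbox (placeholder LAN IP 192.0.2.10) sent an NTP
# query to the IP named in the alert just before the flagged inbound hit.
FINGBOX = "192.0.2.10"
ALERT = ("Threat Management Alert 2: Misc Attack. Signature ET TOR Known Tor "
         "Relay/Router (Not Exit) Node Traffic group 838. "
         f"From: 88.99.86.9:80, to: {FINGBOX}:58236, protocol: TCP")
ALERT_TIME = datetime(2020, 4, 3, 5, 44, 10)
FLOWS = [  # constructed outbound firewall/flow log entries
    {"time": datetime(2020, 4, 3, 5, 43, 55), "src": FINGBOX,
     "dst": "88.99.86.9", "dport": 123, "proto": "UDP"},
    {"time": datetime(2020, 4, 3, 5, 10, 0), "src": FINGBOX,
     "dst": "198.51.100.7", "dport": 443, "proto": "TCP"},
]

def triage(line=ALERT, when=ALERT_TIME, flows=FLOWS):
    """Classify one alert: 'replied-to-our-request' if a recent outbound flow
    to that IP exists (the NTP-then-probe pattern), else 'unsolicited'."""
    a = parse_alert(line)
    if a is None:
        return "unparsed"
    return "replied-to-our-request" if explained_by_outbound(a, when, flows) else "unsolicited"
```

An "unsolicited" result is the one worth investigating; "replied-to-our-request" matches the pattern the thread describes, where a server the Fingbox queried probes back and the gateway blocks it.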