PiAware connecting to known TOR relay for NTP


#1

I’ve been getting multiple alerts on my network warning of my PiAware attempting to connect to known TOR relays port 123. Obviously trying to update the time. I find it worrying that these NTP servers are also part of the TOR network. Is there a list of NTP servers that PiAware uses and where can I edit which ones are used?


#2

Tor should not be involved in anyway. If this isn’t an erroneous error, you’ve been compromised.

The standard servers are:


0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org

You can check/change them by doing:


sudo pico /etc/ntp.conf

Did you leave the password the default??


#3

Generally speaking the TOR network is a good thing for privacy protection and helping folks in authoritarian counties. But I have no idea why your PiAware box would be trying to contact a node in that network. …very strange.


#4

Nope, first thing I changed. It’s perhaps a false positive, I’ll post the Snort alert next time I get it.


#5

Ok, got an alert this afternoon…


2017-08-02 14:08:31     UDP	Misc Attack     213.202.247.35  123	172.16.20.130  41001   1:2522635  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 318

The IP address resolves to “ole.klickmich.org


#6

That remote address may also host a TOR node in addition to an NTP server, which would not be a problem. Lots of folks run them these days, and even more so after the recent NSA snooping revelations. :laughing:

Netstat on 172.16.20.130 might tell you which process owns that socket?

Let us know what you discover.


#7

Nothing matching up with NetStat but I guess it’s nothing to really worry about. I’m getting quite a lot of alerts per day which are all blocked, I’m assuming that despite these connections being blocked there will be other NTP servers in the pool that aren’t also TOR nodes and should be connecting without issue. I’ll maybe run a packet capture just to confirm this.


#8

Just change the NTP server settings to known local servers. I use a local university’s NTP servers.


#9

I use:


server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org