PiAware connecting to known TOR relay for NTP

NeoDuder · August 1, 2017, 10:36am

I’ve been getting multiple alerts on my network warning of my PiAware attempting to connect to known TOR relays port 123. Obviously trying to update the time. I find it worrying that these NTP servers are also part of the TOR network. Is there a list of NTP servers that PiAware uses and where can I edit which ones are used?

N456TS · August 1, 2017, 11:09pm

Tor should not be involved in anyway. If this isn’t an erroneous error, you’ve been compromised.

The standard servers are:


0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org

You can check/change them by doing:


sudo pico /etc/ntp.conf

Did you leave the password the default??

Jranderson777 · August 2, 2017, 1:31am

Generally speaking the TOR network is a good thing for privacy protection and helping folks in authoritarian counties. But I have no idea why your PiAware box would be trying to contact a node in that network. …very strange.

NeoDuder · August 2, 2017, 12:11pm

N456TS:

Tor should not be involved in anyway. If this isn’t an erroneous error, you’ve been compromised.

The standard servers are:
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
You can check/change them by doing:
sudo pico /etc/ntp.conf
Did you leave the password the default??

Nope, first thing I changed. It’s perhaps a false positive, I’ll post the Snort alert next time I get it.

NeoDuder · August 2, 2017, 2:25pm

Ok, got an alert this afternoon…


2017-08-02 14:08:31     UDP	Misc Attack     213.202.247.35  123	172.16.20.130  41001   1:2522635  ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 318

The IP address resolves to “ole.klickmich.org”

Jranderson777 · August 2, 2017, 8:59pm

That remote address may also host a TOR node in addition to an NTP server, which would not be a problem. Lots of folks run them these days, and even more so after the recent NSA snooping revelations.

Netstat on 172.16.20.130 might tell you which process owns that socket?

Let us know what you discover.

NeoDuder · August 3, 2017, 9:21am

Nothing matching up with NetStat but I guess it’s nothing to really worry about. I’m getting quite a lot of alerts per day which are all blocked, I’m assuming that despite these connections being blocked there will be other NTP servers in the pool that aren’t also TOR nodes and should be connecting without issue. I’ll maybe run a packet capture just to confirm this.

N456TS · August 3, 2017, 4:21pm

Just change the NTP server settings to known local servers. I use a local university’s NTP servers.

SoNic67 · August 3, 2017, 9:18pm

I use:


server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org