Blog | G5 Cyber Security

Block Tor: Test Connection to Entry Nodes

TL;DR

This guide shows you how to block Tor traffic by actively testing connections to known Tor entry nodes (guard relays). If a connection succeeds, it’s likely someone is using Tor. This method isn’t foolproof but adds another layer of detection.

Blocking Tor By Trying to Connect to an Entry Node

  1. Get a List of Tor Entry Nodes: You need a current list of Tor entry nodes (also called guard relays). These change frequently. A reliable source is the official Tor project’s directory authority.
    • You can find lists online, often in plain text format. Search for “Tor entry node list” or “Tor guard relay list”.
    • Alternatively, you can use a script to fetch the list directly from the Tor network (more advanced – see Step 6).
  2. Choose a Testing Tool: Several tools can attempt connections. We’ll focus on nc (netcat) and telnet, as they are commonly available.
    • Netcat (nc): A versatile tool for making TCP/UDP connections.
    • Telnet: A simpler tool but less flexible than netcat.
  3. Test a Single Entry Node with Netcat: Try connecting to an entry node on the standard Tor port (9001).
    nc -zv <entry_node_IP> 9001
    • Replace <entry_node_IP> with the actual IP address of a Tor entry node.
    • If the connection succeeds, you’ll see output indicating a successful connection (e.g., “Connection to <entry_node_IP> port 9001 [tcp/*] succeeded!”). A timeout or refusal usually means no Tor is running on that IP/port.
  4. Test a Single Entry Node with Telnet: Similar to netcat.
    telnet <entry_node_IP> 9001
    • Replace <entry_node_IP> with the IP address.
    • If you get a connection, you’ll see some garbled output or a blank screen (depending on the node’s configuration). A “Connection refused” error means no Tor is running.
  5. Automate Testing with a Script: To test multiple nodes efficiently, use a script.
    #!/bin/bash
    # Read entry node IPs from a file (one IP per line); blank lines are skipped
    while read -r ip; do
      [ -z "$ip" ] && continue
      echo "Testing $ip..."
      # -z: connect only, send no data; -w 3: give up after 3 seconds instead of hanging
      if nc -z -w 3 "$ip" 9001 > /dev/null 2>&1; then
        echo "Connection to $ip succeeded! Possible Tor user."
      else
        echo "No connection to $ip."
      fi
    done < entry_nodes.txt
    • Save this script (e.g., as test_tor.sh).
    • Create a file named entry_nodes.txt and put one Tor entry node IP address per line.
    • Make the script executable: chmod +x test_tor.sh
    • Run the script: ./test_tor.sh
  6. Advanced: Fetching Entry Node List Automatically (Linux): This requires curl and some basic scripting.
    curl -s https://check.torproject.org/api/ip-list | jq -r '.entries[] | .address' > entry_nodes.txt
    • This command fetches the list from Tor Project’s API and saves it to entry_nodes.txt. You need to have jq installed (sudo apt install jq on Debian/Ubuntu).
    • Then, run the script from Step 5 against this updated entry_nodes.txt file.
  7. Firewall Rules: If a connection to an entry node succeeds consistently, you can block that IP address in your firewall.
    • iptables (Linux):
      sudo iptables -A INPUT -s <entry_node_IP> -j DROP
    • ufw (Ubuntu):
      sudo ufw deny from <entry_node_IP>
  8. Important Considerations:
    • False Positives: Some legitimate services might use similar ports. Blocking based solely on this test can cause issues.
    • Dynamic IPs: Entry node IP addresses change frequently, so you’ll need to update your blocklists regularly.
    • Tor Bridges: This method won’t detect Tor users using bridges (obfuscated entry nodes).
    • Layered security: This is only one layer of your cyber security; don’t rely on it as your only protection.
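The following script ties Steps 1, 5 and 7 together; it is an added example, not code from the original guide. It assumes an entry_nodes.txt in the Step 1 format, nc on the path, and three knobs of its own (PORT, TIMEOUT, NC_CMD); instead of applying firewall rules directly it writes one Step 7 rule per reachable node to a file you can review first, which is the practical answer to the false-positive caveat above.

```shell
#!/bin/sh
# Added example (not from the original guide): parse the node list from Step 1,
# probe each node as in Steps 3-5, and write a Step 7 iptables rule per
# reachable node to a file for review instead of applying it blindly.
# PORT, TIMEOUT and NC_CMD are assumed knobs; NC_CMD lets a dry run substitute
# another command for nc.
PORT="${PORT:-9001}"
TIMEOUT="${TIMEOUT:-3}"
NC_CMD="${NC_CMD:-nc}"

# Print the unique, well-formed IPv4 addresses in a list file, one per line;
# blank lines, comments, stray whitespace and out-of-range octets are dropped.
parse_node_list() {
  grep -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' "$1" \
    | sed 's/[[:space:]]//g' \
    | awk -F. '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256' \
    | sort -u
}

# One TCP connect attempt with a timeout; exit 0 if the port accepted it.
probe_node() {
  "$NC_CMD" -z -w "$TIMEOUT" "$1" "$PORT" >/dev/null 2>&1
}

# The Step 7 rule for one address, printed rather than executed.
block_rule() {
  printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
}

# Probe every node in the list file $1; report each result, collect rules in $2.
scan_nodes() {
  list="$1"; rules="$2"
  : > "$rules"
  parse_node_list "$list" | while read -r ip; do
    if probe_node "$ip"; then
      printf '%s reachable on port %s\n' "$ip" "$PORT"
      block_rule "$ip" >> "$rules"
    else
      printf '%s not reachable on port %s\n' "$ip" "$PORT"
    fi
  done
  printf '%s rule(s) written to %s\n' "$(wc -l < "$rules" | tr -d ' ')" "$rules"
}

# Usage: ./scan_tor_nodes.sh entry_nodes.txt [rules.out]
if [ "$#" -gt 0 ]; then
  scan_nodes "$1" "${2:-tor_block_rules.txt}"
fi
```

Review the generated rules file (it pairs with the False Positives caveat) before feeding it to iptables or ufw, and re-run the scan whenever entry_nodes.txt is refreshed.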