Block Tor: Test Connection to Entry Nodes

TL;DR

This guide shows you how to block Tor traffic by actively testing connections to known Tor entry nodes (guard relays). If a connection succeeds, it’s likely someone is using Tor. This method isn’t foolproof but adds another layer of detection.

Blocking Tor By Trying to Connect to an Entry Node

1. Get a List of Tor Entry Nodes: You need a current list of Tor entry nodes (also called guard relays). These change frequently. A reliable source is the official Tor project’s directory authority.
   • You can find lists online, often in plain text format. Search for “Tor entry node list” or “Tor guard relay list”.
   • Alternatively, you can use a script to fetch the list directly from the Tor network (more advanced – see Step 6).
2. Choose a Testing Tool: Several tools can attempt connections. We’ll focus on nc (netcat) and telnet, as they are commonly available.
   • Netcat (nc): A versatile tool for making TCP/UDP connections.
   • Telnet: A simpler tool but less flexible than netcat.
3. Test a Single Entry Node with Netcat: Try connecting to an entry node on the standard Tor port (9001).

   nc -zv <entry_node_IP> 9001

   • Replace <entry_node_IP> with the actual IP address of a Tor entry node.
   • If the connection succeeds, you’ll see output indicating a successful connection (e.g., “Connection to <entry_node_IP&gt> port 9001 [tcp/*] succeeded!”). A timeout or refusal usually means no Tor is running on that IP/port.
4. Test a Single Entry Node with Telnet: Similar to netcat.

   telnet <entry_node_IP> 9001

   • Replace <entry_node_IP> with the IP address.
   • If you get a connection, you’ll see some garbled output or a blank screen (depending on the node’s configuration). A “Connection refused” error means no Tor is running.
5. Automate Testing with a Script: To test multiple nodes efficiently, use a script.

   #!/bin/bash
   # Read entry node IPs from a file (one IP per line)
   while read -r ip;
   do
     echo "Testing $ip..."
     nc -zv $ip 9001 > /dev/null 2>&1
     if [ $? -eq 0 ]; then
       echo "Connection to $ip succeeded! Possible Tor user."
     else
       echo "No connection to $ip."
     fi
   done < entry_nodes.txt

   • Save this script (e.g., as test_tor.sh).
   • Create a file named entry_nodes.txt and put one Tor entry node IP address per line.
   • Make the script executable: chmod +x test_tor.sh
   • Run the script: ./test_tor.sh
6. Advanced: Fetching Entry Node List Automatically (Linux): This requires curl and some basic scripting.

   curl -s https://check.torproject.org/api/ip-list | jq -r '.entries[] | .address' > entry_nodes.txt

   • This command fetches the list from Tor Project’s API and saves it to entry_nodes.txt. You need to have jq installed (sudo apt install jq on Debian/Ubuntu).
   • Then, run the script from Step 6 using this updated entry_nodes.txt file.
7. Firewall Rules: If a connection to an entry node succeeds consistently, you can block that IP address in your firewall.
   • iptables (Linux):

     sudo iptables -A INPUT -s <entry_node_IP> -j DROP

   • ufw (Ubuntu):

     sudo ufw deny from <entry_node_IP>

8. Important Considerations:
   • False Positives: Some legitimate services might use similar ports. Blocking based solely on this test can cause issues.
   • Dynamic IPs: Entry node IP addresses change frequently, so you’ll need to update your blocklists regularly.
   • Tor Bridges: This method won’t detect Tor users using bridges (obfuscated entry nodes).
   • cyber security: This is one layer of cyber security; don’t rely on it as the only protection.