[server-admins] firewall question, incoming from mail.crosswire.org
Karl Kleinpaste
karl at kleinpaste.org
Sun Feb 18 07:09:49 MST 2018
I'm experimenting with several aspects of my networking setups, both at
home and elsewhere, in particular with regard to what folks perceive as
ftp.xiphos.org. Now and then, I turn on firewall rejection logging for a
few hours or a day, to see what the next day's reports tell me about
attempted attacks from outside. Imagine my surprise in looking through
the system event log email, and finding:
1 mail.crosswire.org pinkchip LOGGED 9928/tcp
1 mail.crosswire.org pinkchip LOGGED 12712/tcp
1 mail.crosswire.org pinkchip LOGGED 26315/tcp
1 mail.crosswire.org pinkchip LOGGED 59779/tcp
In logwatch email:
From 209.250.6.230 - 4 packets to tcp(9928,12712,26315,59779)
For some reason, mail.crosswire.org sent a few utterly random TCP SYN
packets my way around 5am yesterday.
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=29712 DF PROTO=TCP
SPT=47138 DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=25996 DF PROTO=TCP
SPT=55280 DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=49165 DF PROTO=TCP
SPT=38550 DPT=12712 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=31602 DF PROTO=TCP
SPT=50726 DPT=26315 WINDOW=14600 RES=0x00 SYN URGP=0
The choice of ports is peculiar.
Do we need to be concerned that mail.crosswire.org has been compromised?
Or am I missing something?
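
An added example, not part of the original post: one way to turn wrapped netfilter LOG records like those quoted above into a per-source list of ports hit by bare SYN packets, similar to the logwatch summary. The sample records, hostname, interface and addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: three records wrapped across lines the way a mail client
# wraps them. Addresses are documentation ranges, not values from the post.
SAMPLE = """\
Feb 17 05:21:07 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10
LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=1001 DF PROTO=TCP SPT=47138
DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:07 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10
LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=1002 DF PROTO=TCP SPT=55280
DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:09 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10
LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443
DPT=40000 WINDOW=28960 RES=0x00 ACK SYN URGP=0
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def unwrap(text):
    """Rejoin records that were wrapped: a new record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse(record):
    """Split one LOG record into key=value fields and the set of TCP flags."""
    toks = record.partition("kernel:")[2].split()
    fields = dict(t.split("=", 1) for t in toks if "=" in t)
    flags = {t for t in toks if t in FLAGS}
    return fields, flags

def bare_syn_summary(text):
    """Map source address -> sorted destination ports hit by SYN-only packets."""
    ports = defaultdict(set)
    for rec in unwrap(text):
        fields, flags = parse(rec)
        if fields.get("PROTO") == "TCP" and flags == {"SYN"}:
            ports[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(p) for src, p in ports.items()}

if __name__ == "__main__":
    for src, dpts in bare_syn_summary(SAMPLE).items():
        print(f"From {src} - {len(dpts)} ports: tcp({','.join(map(str, dpts))})")
```

The SYN/ACK record is excluded on purpose: it is a reply to an outbound connection rather than an unsolicited connection attempt.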