[server-admins] firewall question, incoming from mail.crosswire.org
DM Smith
dmsmith at crosswire.org
Sun Feb 18 11:22:07 MST 2018
I manually went through the logs for a 10 minute window around the time mentioned (I assumed that your server is EST. I adjusted 3 hrs for Phoenix.) That’s a lot of logs. All but the audit logs were timestamped. I wasn’t able to figure out the audit log wrt to date/time.
That said, I didn’t find any unusual activity.
I don’t know why the crosswire server reached out to the xiphos server.
DM
> On Feb 18, 2018, at 12:29 PM, DM Smith <dmsmith at crosswire.org> wrote:
>
> Looking. Don’t know enough about networking though…
>
> mail.crosswire.org <http://mail.crosswire.org/> is an alias for www.crosswire.org <http://www.crosswire.org/> and crosswire.org <http://crosswire.org/>. It may have nothing to do with mail.
>
> Personally, I think we always need to be concerned about the possibility of breaches. Thanks for the report.
>
> DM
>
>> On Feb 18, 2018, at 9:09 AM, Karl Kleinpaste <karl at kleinpaste.org <mailto:karl at kleinpaste.org>> wrote:
>>
>> I'm experimenting with several aspects of my networking setups, both at home and elsewhere, in particular with regard to what folks perceive as ftp.xiphos.org <ftp://ftp.xiphos.org/>. Now and then, I turn on firewall rejection logging for a few hours or a day, to see what the next day's reports tell me about attempted attacks from outside. Imagine my surprise in looking through the system event log email, and finding:
>>
>> 1 mail.crosswire.org <http://mail.crosswire.org/> pinkchip LOGGED 9928/tcp
>> 1 mail.crosswire.org <http://mail.crosswire.org/> pinkchip LOGGED 12712/tcp
>> 1 mail.crosswire.org <http://mail.crosswire.org/> pinkchip LOGGED 26315/tcp
>> 1 mail.crosswire.org <http://mail.crosswire.org/> pinkchip LOGGED 59779/tcp
>>
>> In logwatch email:
>>
>> From 209.250.6.230 - 4 packets to tcp(9928,12712,26315,59779)
>>
>> For some reason, mail.crosswire.org <http://mail.crosswire.org/> sent a few utterly random TCP SYN packets my way around 5am yesterday.
>>
>> Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=29712 DF PROTO=TCP SPT=47138 DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0
>> Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=25996 DF PROTO=TCP SPT=55280 DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0
>> Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=49165 DF PROTO=TCP SPT=38550 DPT=12712 WINDOW=14600 RES=0x00 SYN URGP=0
>> Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=31602 DF PROTO=TCP SPT=50726 DPT=26315 WINDOW=14600 RES=0x00 SYN URGP=0
>>
>> The choice of ports is peculiar.
>>
>> Do we need to be concerned that mail.crosswire.org <http://mail.crosswire.org/> has been compromised? Or am I missing something?
>> _______________________________________________
>> server-admins mailing list
>> server-admins at crosswire.org <mailto:server-admins at crosswire.org>
>> http://www.crosswire.org/mailman/listinfo/server-admins
>
> _______________________________________________
> server-admins mailing list
> server-admins at crosswire.org
> http://www.crosswire.org/mailman/listinfo/server-admins
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.crosswire.org/pipermail/server-admins/attachments/20180218/6ed79ea3/attachment-0001.html>
More information about the server-admins
mailing list