[server-admins] firewall question, incoming from mail.crosswire.org

Troy A. Griffitts scribe at crosswire.org
Sun Feb 18 13:03:02 MST 2018


A while back, we had a plan to show on the website all the modules available in our discoverable repositories. We still have a cron that runs each night to do an installmgr sync. That is the only thing I can think of that reached out to ftp.xiphos.org

On February 18, 2018 11:22:07 AM MST, DM Smith <dmsmith at crosswire.org> wrote:
>I manually went through the logs for a 10 minute window around the time
>mentioned (I assumed that your server is EST. I adjusted 3 hrs for
>Phoenix.) That’s a lot of logs. All but the audit logs were
>timestamped. I wasn’t able to figure out the audit log wrt to
>date/time.
>
>That said, I didn’t find any unusual activity.
>
>I don’t know why the crosswire server reached out to the xiphos server.
>
>DM
>
>> On Feb 18, 2018, at 12:29 PM, DM Smith <dmsmith at crosswire.org> wrote:
>> 
>> Looking. Don’t know enough about networking though…
>> 
>> mail.crosswire.org is an alias for www.crosswire.org and crosswire.org.
>> It may have nothing to do with mail.
>> 
>> Personally, I think we always need to be concerned about the
>> possibility of breaches. Thanks for the report.
>> 
>> DM
>> 
>>> On Feb 18, 2018, at 9:09 AM, Karl Kleinpaste <karl at kleinpaste.org> wrote:
>>> 
>>> I'm experimenting with several aspects of my networking setups, both
>>> at home and elsewhere, in particular with regard to what folks perceive
>>> as ftp.xiphos.org. Now and then, I turn on firewall rejection logging
>>> for a few hours or a day, to see what the next day's reports tell me
>>> about attempted attacks from outside. Imagine my surprise in looking
>>> through the system event log email, and finding:
>>> 
>>> 1    mail.crosswire.org    pinkchip    LOGGED    9928/tcp
>>> 1    mail.crosswire.org    pinkchip    LOGGED    12712/tcp
>>> 1    mail.crosswire.org    pinkchip    LOGGED    26315/tcp
>>> 1    mail.crosswire.org    pinkchip    LOGGED    59779/tcp
>>> 
>>> In logwatch email:
>>> 
>>> From 209.250.6.230 - 4 packets to tcp(9928,12712,26315,59779)
>>> 
>>> For some reason, mail.crosswire.org sent a few utterly random TCP SYN
>>> packets my way around 5am yesterday.
>>> 
>>> Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=29712 DF PROTO=TCP SPT=47138 DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0
>>> Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=25996 DF PROTO=TCP SPT=55280 DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0
>>> Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=49165 DF PROTO=TCP SPT=38550 DPT=12712 WINDOW=14600 RES=0x00 SYN URGP=0
>>> Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=31602 DF PROTO=TCP SPT=50726 DPT=26315 WINDOW=14600 RES=0x00 SYN URGP=0
>>> 
>>> The choice of ports is peculiar.
>>> 
>>> Do we need to be concerned that mail.crosswire.org has been compromised?
>>> Or am I missing something?
>>> _______________________________________________
>>> server-admins mailing list
>>> server-admins at crosswire.org <mailto:server-admins at crosswire.org>
>>> http://www.crosswire.org/mailman/listinfo/server-admins

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
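Added example, not part of any message in this thread: a small Python parser for the netfilter LOG lines Karl quoted, aggregated per source address into the same one-line form logwatch produced, followed by a first-pass triage record (how many distinct destination ports, over how many seconds, and whether any of them is a well-known service port below 1024). The sample input is the four kernel lines from the thread, unwrapped; the year is an assumption, since syslog timestamps carry none. Whether these high, non-service ports line up with the nightly installmgr sync Troy mentions is something to check against the crosswire side's cron and connection logs; the script only produces the numbers to compare.

```python
"""Parse netfilter LOG lines ("kernel: IN=... SRC=... DPT=...") and aggregate
them per source, the way the logwatch summary quoted in the thread does."""
import re
from collections import defaultdict
from datetime import datetime

# The four rejected SYNs exactly as quoted in the thread, one per line.
SAMPLE_LOG = """\
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=29712 DF PROTO=TCP SPT=47138 DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=25996 DF PROTO=TCP SPT=55280 DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=49165 DF PROTO=TCP SPT=38550 DPT=12712 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT= MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230 DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=31602 DF PROTO=TCP SPT=50726 DPT=26315 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# syslog prefix "Mon DD HH:MM:SS host kernel: " followed by key=value tokens and bare flags.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)
LOG_YEAR = 2018  # assumption: syslog lines carry no year; the thread is from Feb 2018


def parse_line(line):
    """Return {ts, host, fields, flags} for one LOG line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")  # "OUT=" yields an empty value
            fields[key] = val
        else:
            flags.add(tok)                    # DF, SYN, ACK, ... are bare tokens
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "fields": fields, "flags": flags}


def summarize(lines):
    """Group TCP connection attempts (SYN without ACK) per source address."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue  # only new-connection attempts, not replies to our own traffic
        ent = per_src[rec["fields"]["SRC"]]
        ent["count"] += 1
        ent["ports"].add(int(rec["fields"]["DPT"]))
        ent["first"] = rec["ts"] if ent["first"] is None else min(ent["first"], rec["ts"])
        ent["last"] = rec["ts"] if ent["last"] is None else max(ent["last"], rec["ts"])
    return dict(per_src)


def logwatch_style(summary):
    """Render each source the way the logwatch line quoted in the thread reads."""
    return [
        f"From {src} - {e['count']} packets to tcp({','.join(str(p) for p in sorted(e['ports']))})"
        for src, e in sorted(summary.items())
    ]


def triage(entry):
    """First-pass labels: distinct ports, time span in seconds, and whether any
    destination is a privileged/well-known service port (< 1024)."""
    span = int((entry["last"] - entry["first"]).total_seconds())
    return {
        "distinct_ports": len(entry["ports"]),
        "span_seconds": span,
        "any_service_port": any(p < 1024 for p in entry["ports"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for out in logwatch_style(s):
        print(out)
    for src, e in s.items():
        print(src, triage(e))
```

Run as-is to see the four quoted lines collapse into the logwatch summary; on a live box, feed it the output of `journalctl -k` or the relevant `/var/log/messages` slice instead of SAMPLE_LOG. Lines that are not LOG entries (or that are not TCP SYN-only) are skipped rather than counted, which keeps replies to the host's own outbound connections out of the per-source totals.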