I keep getting security alerts from a remote client backup. The backups
always run to success. The IPs that are listed in the job log are different
every time and in various locations including some in Russia but also in
London and European data centres. There are no entries at all in the remote
client Bacula log. This only happens with remote client backups, never with
local client backups.

It's not clear to me whether these alerts are coming from the DIR or being
sent to the Director by the client.

I'm not sure whether to just ignore these or take some steps to block them.
Is there an FD directive that would reject these perhaps?

Any advice welcomed.

Thanks

-Chris Wilkinson

---------- Forwarded message ---------
From: Bacula <winstonia...@gmail.com>
Date: Tue, 17 Sep 2024, 03:50
Subject: Bacula: Backup OK of Client:nuc2 Fileset:nuc2 Incremental
To: <root@localhost>


17-Sep 03:50 raspberrypi-dir JobId 7536: Start Backup JobId 7536,
Job=nuc2.2024-09-17_03.50.00_03
17-Sep 03:50 raspberrypi-dir JobId 7536: Using Device "qnap-usb3" to write.
17-Sep 03:50 raspberrypi-dir JobId 7536: Sending Accurate information to
the FD.
17-Sep 03:50 raspberrypi-sd JobId 7536: Volume "nuc2-incremental6040"
previously written, moving to end of data.
17-Sep 03:50 raspberrypi-sd JobId 7536: Ready to append to end of Volume
"nuc2-incremental6040" size=162,983,874
16-Sep 07:25 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.167. Len=-4.
17-Sep 03:50 raspberrypi-sd JobId 7536: Elapsed time=00:00:01, Transfer
rate=90.58 K Bytes/second
16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.159. Len=-4.
16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.148. Len=-4.
16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.154. Len=-4.
16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.155. Len=-2147483608.
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.163. Len=49.
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.163. Len=110.
16-Sep 07:27 nuc2 JobId 0: Security Alert: bsock.c:560 Read error from
client:87.236.176.156:9102: ERR=No data available
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.156. Len=0.
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.161. Len=-4.
16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.178. Len=-4.
16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.156. Len=-4.
16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.170. Len=-4.
16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.159. Len=-4.
16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.152. Len=-4.
16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.156. Len=-4.
16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.170. Len=-4.
16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.168. Len=0.
16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.171. Len=0.
16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 87.236.176.166. Len=-4.
16-Sep 19:54 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 80.66.76.134. Len=-4.
17-Sep 03:50 raspberrypi-sd JobId 7536: Sending spooled attrs to the
Director. Despooling 6,131 bytes ...
17-Sep 03:50 raspberrypi-dir JobId 7536: Bacula raspberrypi-dir 11.0.6
(10Mar22):
  Build OS:               aarch64-unknown-linux-gnu debian 11.3
  JobId:                  7536
  Job:                    nuc2.2024-09-17_03.50.00_03
  Backup Level:           Incremental, since=2024-09-16 03:50:03
  Client:                 "nuc2" 11.0.6 (10Mar22)
x86_64-pc-linux-gnu,debian,12.7
  FileSet:                "nuc2" 2023-09-26 03:50:00
  Pool:                   "nuc2-incremental" (From Job IncPool override)
  Catalog:                "MyCatalog" (From Pool resource)
  Storage:                "remote-clients" (From Job resource)
  Scheduled time:         17-Sep-2024 03:50:00
  Start time:             17-Sep-2024 03:50:05
  End time:               17-Sep-2024 03:50:13
  Elapsed time:           8 secs
  Priority:               10
  FD Files Written:       25
  SD Files Written:       25
  FD Bytes Written:       87,301 (87.30 KB)
  SD Bytes Written:       90,582 (90.58 KB)
  Rate:                   10.9 KB/s
  Software Compression:   50.0% 2.0:1
  Comm Line Compression:  None
  Snapshot/VSS:           no
  Encryption:             no
  Accurate:               yes
  Volume name(s):         nuc2-incremental6040
  Volume Session Id:      175
  Volume Session Time:    1725763550
  Last Volume Bytes:      163,075,762 (163.0 MB)
  Non-fatal FD errors:    0
  SD Errors:              0
  FD termination status:  OK
  SD termination status:  OK
  Termination:            Backup OK

17-Sep 03:50 raspberrypi-dir JobId 7536: Begin pruning Jobs older than 7
days .
17-Sep 03:50 raspberrypi-dir JobId 7536: Pruned 2 Jobs for client nuc2 from
catalog.
17-Sep 03:50 raspberrypi-dir JobId 7536: Begin pruning Files.
17-Sep 03:50 raspberrypi-dir JobId 7536: No Files found to prune.
17-Sep 03:50 raspberrypi-dir JobId 7536: End auto prune.

17-Sep 03:50 raspberrypi-dir JobId 7536: shell command: run AfterJob
"/home/pi/run-copy-job.sh nuc2-copy Incremental nuc2-Incremental
nuc2-copy-Incremental"
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Connecting to Director
raspberrypi.fritz.box:9101
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: 1000 OK: 10002
raspberrypi-dir Version: 11.0.6 (10 March 2022)
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Enter a period to cancel
a command.
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: run yes job=nuc2-copy
level=Incremental pool=nuc2-incremental nextpool=nuc2-copy-incremental
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Using Catalog "MyCatalog"
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Job queued. JobId=7537
17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: You have messages.
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
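
A triage sketch for a job log like the one in this message, added here as an example; it is not part of the original post and not Bacula code. The third field of each record names the daemon that logged it, so the script rejoins the mail-wrapped lines and counts Security Alert records per reporting daemon and source /24. The sample lines are constructed (documentation-range addresses), and the helper names and the record layout, inferred from the log above, are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the job log above, wrapped as the mail
# client wrapped it. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
17-Sep 03:50 raspberrypi-dir JobId 7536: Start Backup JobId 7536,
Job=nuc2.2024-09-17_03.50.00_03
16-Sep 07:25 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 203.0.113.167. Len=-4.
16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 203.0.113.159. Len=-4.
16-Sep 07:27 nuc2 JobId 0: Security Alert: bsock.c:560 Read error from
client:203.0.113.156:9102: ERR=No data available
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 203.0.113.156. Len=0.
16-Sep 19:54 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
bad command from 198.51.100.134. Len=-4.
"""

# Assumed record layout: "DD-Mon HH:MM <daemon> JobId <n>: <message>"
START = re.compile(r"^\d{2}-[A-Z][a-z]{2} \d{2}:\d{2} ")
ALERT = re.compile(
    r"^(?P<when>\S+ \S+) (?P<daemon>\S+) JobId (?P<jobid>\d+): Security Alert: "
    r".*?(?:from |client:)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def unwrap(text):
    """Rejoin continuation lines; a new record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text, prefix=24):
    """Count Security Alert records per (reporting daemon, source network)."""
    counts = Counter()
    for rec in unwrap(text):
        m = ALERT.match(rec)
        if m:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
            counts[(m["daemon"], str(net))] += 1
    return counts

if __name__ == "__main__":
    for (daemon, net), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  reported by {daemon:<16} source {net}")
```
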
