They are being sent to the Director by the client (nuc2). I suggest adding some firewall rules on nuc2 to only allow connections to port 9102 from the Director.
__Martin

>>>>> On Tue, 17 Sep 2024 11:41:14 +0100, Chris Wilkinson said:
>
> I keep getting security alerts from a remote client backup. The backups
> always run to success. The IPs that are listed in the job log are different
> every time and in various locations including some in Russia but also in
> London and European data centres. There are no entries at all in the remote
> client bacula log. This only happens with remote client backups, never with
> local client backups.
>
> It's not clear to me whether these alerts are coming from the DIR or being
> sent to the Director by the client.
>
> I'm not sure whether to just ignore these or take some steps to block them.
> Is there an FD directive that would reject these perhaps?
>
> Any advice welcomed.
>
> Thanks
>
> -Chris Wilkinson
>
> ---------- Forwarded message ---------
> From: Bacula <winstonia...@gmail.com>
> Date: Tue, 17 Sep 2024, 03:50
> Subject: Bacula: Backup OK of Client:nuc2 Fileset:nuc2 Incremental
> To: <root@localhost>
>
>
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Start Backup JobId 7536,
> Job=nuc2.2024-09-17_03.50.00_03
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Using Device "qnap-usb3" to write.
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Sending Accurate information to the
> FD.
> 17-Sep 03:50 raspberrypi-sd JobId 7536: Volume "nuc2-incremental6040"
> previously written, moving to end of data.
> 17-Sep 03:50 raspberrypi-sd JobId 7536: Ready to append to end of Volume
> "nuc2-incremental6040" size=162,983,874
> 16-Sep 07:25 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.167. Len=-4.
> 17-Sep 03:50 raspberrypi-sd JobId 7536: Elapsed time=00:00:01, Transfer
> rate=90.58 K Bytes/second
> 16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.159. Len=-4.
> 16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.148. Len=-4.
> 16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.154. Len=-4.
> 16-Sep 07:26 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.155. Len=-2147483608.
> 16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.163. Len=49.
> 16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.163. Len=110.
> 16-Sep 07:27 nuc2 JobId 0: Security Alert: bsock.c:560 Read error from
> client:87.236.176.156:9102: ERR=No data available
> 16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.156. Len=0.
> 16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.161. Len=-4.
> 16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.178. Len=-4.
> 16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.156. Len=-4.
> 16-Sep 07:28 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.170. Len=-4.
> 16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.159. Len=-4.
> 16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.152. Len=-4.
> 16-Sep 07:29 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.156. Len=-4.
> 16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.170. Len=-4.
> 16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.168. Len=0.
> 16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.171. Len=0.
> 16-Sep 07:30 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 87.236.176.166. Len=-4.
> 16-Sep 19:54 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got
> bad command from 80.66.76.134. Len=-4.
> 17-Sep 03:50 raspberrypi-sd JobId 7536: Sending spooled attrs to the
> Director. Despooling 6,131 bytes ...
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Bacula raspberrypi-dir 11.0.6
> (10Mar22):
> Build OS: aarch64-unknown-linux-gnu debian 11.3
> JobId: 7536
> Job: nuc2.2024-09-17_03.50.00_03
> Backup Level: Incremental, since=2024-09-16 03:50:03
> Client: "nuc2" 11.0.6 (10Mar22)
> x86_64-pc-linux-gnu,debian,12.7
> FileSet: "nuc2" 2023-09-26 03:50:00
> Pool: "nuc2-incremental" (From Job IncPool override)
> Catalog: "MyCatalog" (From Pool resource)
> Storage: "remote-clients" (From Job resource)
> Scheduled time: 17-Sep-2024 03:50:00
> Start time: 17-Sep-2024 03:50:05
> End time: 17-Sep-2024 03:50:13
> Elapsed time: 8 secs
> Priority: 10
> FD Files Written: 25
> SD Files Written: 25
> FD Bytes Written: 87,301 (87.30 KB)
> SD Bytes Written: 90,582 (90.58 KB)
> Rate: 10.9 KB/s
> Software Compression: 50.0% 2.0:1
> Comm Line Compression: None
> Snapshot/VSS: no
> Encryption: no
> Accurate: yes
> Volume name(s): nuc2-incremental6040
> Volume Session Id: 175
> Volume Session Time: 1725763550
> Last Volume Bytes: 163,075,762 (163.0 MB)
> Non-fatal FD errors: 0
> SD Errors: 0
> FD termination status: OK
> SD termination status: OK
> Termination: Backup OK
>
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Begin pruning Jobs older than 7 days
> .
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Pruned 2 Jobs for client nuc2 from
> catalog.
> 17-Sep 03:50 raspberrypi-dir JobId 7536: Begin pruning Files.
> 17-Sep 03:50 raspberrypi-dir JobId 7536: No Files found to prune.
> 17-Sep 03:50 raspberrypi-dir JobId 7536: End auto prune.
>
> 17-Sep 03:50 raspberrypi-dir JobId 7536: shell command: run AfterJob
> "/home/pi/run-copy-job.sh nuc2-copy Incremental nuc2-Incremental
> nuc2-copy-Incremental"
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Connecting to Director
> raspberrypi.fritz.box:9101
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: 1000 OK: 10002
> raspberrypi-dir Version: 11.0.6 (10 March 2022)
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Enter a period to cancel a
> command.
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: run yes job=nuc2-copy
> level=Incremental pool=nuc2-incremental nextpool=nuc2-copy-incremental
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Using Catalog "MyCatalog"
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: Job queued. JobId=7537
> 17-Sep 03:50 raspberrypi-dir JobId 7536: AfterJob: You have messages.
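
Added example, not part of the original thread: a small Python triage of a job report like the one quoted above, showing which daemon logged each Security Alert, under which JobId, and which /24 networks the connections to the FD came from. The sample lines are copied from the quoted report with the mail wrapping removed; the function and variable names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Lines taken from the quoted job report, unwrapped (sample input for this example).
SAMPLE_LOG = """\
17-Sep 03:50 raspberrypi-dir JobId 7536: Start Backup JobId 7536, Job=nuc2.2024-09-17_03.50.00_03
16-Sep 07:25 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got bad command from 87.236.176.167. Len=-4.
16-Sep 07:27 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got bad command from 87.236.176.163. Len=49.
16-Sep 07:27 nuc2 JobId 0: Security Alert: bsock.c:560 Read error from client:87.236.176.156:9102: ERR=No data available
16-Sep 19:54 nuc2 JobId 0: Security Alert: job.c:548 FD expecting Hello got bad command from 80.66.76.134. Len=-4.
17-Sep 03:50 raspberrypi-sd JobId 7536: Elapsed time=00:00:01, Transfer rate=90.58 K Bytes/second
"""

# "<date> <time> <daemon> JobId <n>: Security Alert: <text>"
ALERT = re.compile(r"^(\d{2}-\w{3} \d{2}:\d{2}) (\S+) JobId (\d+): Security Alert: (.*)$")
# Peer address as it appears in the two alert forms seen in the report.
PEER = re.compile(r"(?:from |client:)(\d{1,3}(?:\.\d{1,3}){3})")


def triage(log_text):
    """Return (alerts, count per daemon, count per source /24) for Security Alert lines."""
    alerts, by_daemon, by_net = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue  # ordinary job message, not an alert
        when, daemon, jobid, text = m.groups()
        peer = PEER.search(text)
        ip = peer.group(1) if peer else None
        alerts.append({"when": when, "daemon": daemon, "jobid": int(jobid), "ip": ip})
        by_daemon[daemon] += 1
        if ip:
            by_net[str(ip_network(ip + "/24", strict=False))] += 1
    return alerts, by_daemon, by_net


if __name__ == "__main__":
    alerts, by_daemon, by_net = triage(SAMPLE_LOG)
    print("alerts per daemon:", dict(by_daemon))
    for net, count in by_net.most_common():
        print(f"{count:3d} alert(s) from {net}")
```

On the sample, every alert carries the daemon name nuc2 and JobId 0 with timestamps earlier than job 7536, which matches the reply above that the client is the one reporting them.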