On Thu, Oct 03, 2024 at 01:44:26PM -0700, Sunil Mohan Adapa wrote:
> Hi,
>
> The address seems to belong to a customer of Verizon in New Jersey. I doubt
> if this is related to NTP (pool- is the way Verizon gives names to each of the
> IPs they own).

You're correct.

> To understand what the traffic is about, it would help to know the endpoint
> of the connection on the FreedomBox side. You can get this by running 'ss -n
> | grep <ip_address>'. Also check 'journalctl -f' to see if these are attempts

$ ss -n | grep 108.50.237.254 (the IP address that shows up in iftop)
tcp ESTAB 0 415 [::ffff:73.29.228.182]:443 [::ffff:108.50.237.254]:52119

> for a brute-force login (which are common on internet-facing servers, for
> which we have protections).

More interestingly, I see plenty of these:

Oct 03 22:28:25 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:0d:b9:3f:92:a8:38:38:a6:47:66:97:08:00 SRC=23.88.44.223 DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=3797 PROTO=TCP SPT=80 DPT=27437 WINDOW=16384 RES=0x00 ACK SYN URGP=0

The SRC IP is different for every entry. Probably faked, or if real maybe
part of a DDoS. Sometimes the SRC and DST addresses are in IPv6.
I suppose nothing can be done about this.

> --
> Sunil

Thanks for taking the time to clarify.

Augustine

_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
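
Added example, not part of the original message or of FreedomBox: a small Python tally of STATE_INVALID_DROP kernel log lines like the one quoted above, grouped by protocol, source port and TCP flags, with a count of distinct source addresses. The function names (parse_drop, summarize) are hypothetical and the sample lines are constructed with documentation addresses.

```python
import sys
from collections import Counter

PREFIX = "STATE_INVALID_DROP:"   # firewall log prefix seen in the message above
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed sample input (documentation addresses), same layout as the entry above.
SAMPLE = """\
Oct 03 22:28:25 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=55 ID=3797 PROTO=TCP SPT=80 DPT=27437 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:26 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=<my external IP> LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=80 DPT=40112 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:27 fbx sshd[812]: Connection closed by 192.0.2.99 port 50514
Oct 03 22:28:29 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=TCP SPT=443 DPT=9313 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Oct 03 22:28:31 fbx kernel: STATE_INVALID_DROP: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=60 TC=0 HOPLIMIT=51 FLOWLBL=0 PROTO=TCP SPT=443 DPT=51000 WINDOW=0 RES=0x00 RST URGP=0
"""

def parse_drop(line):
    """Return the KEY=VALUE fields of one dropped-packet line, or None."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None                      # some other journal entry
    tokens = rest.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    if "SRC" not in fields:
        return None                      # truncated or malformed entry
    # TCP flags are logged as bare words; URGP=0 is a field, not the URG flag.
    fields["FLAGS"] = "+".join(f for f in TCP_FLAGS if f in tokens)
    return fields

def summarize(lines):
    """Count drops per (PROTO, SPT, FLAGS) and the number of distinct sources."""
    sources, patterns = set(), Counter()
    for line in lines:
        f = parse_drop(line)
        if f is None:
            continue
        sources.add(f["SRC"])
        patterns[(f.get("PROTO", "?"), f.get("SPT", "-"), f["FLAGS"] or "-")] += 1
    return {"packets": sum(patterns.values()),
            "sources": len(sources),
            "patterns": patterns.most_common()}

if __name__ == "__main__":
    # "journalctl -k | python3 drops.py -" reads real kernel messages from stdin;
    # with no argument the constructed SAMPLE is used.
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    result = summarize(lines)
    print(f"{result['packets']} drops from {result['sources']} distinct sources")
    for (proto, spt, flags), n in result["patterns"]:
        print(f"{n:6d}  {proto} SPT={spt} flags={flags}")
```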
