Heavy traffic LAN to WAN

NethServer Version: 7.9.2009 (final)
Module: Findout.
My production box is behind a fortigate firewall and NAT is enabled public IP to pvt IP to allow traffic.
Recently got a message from my firewall as follows…

Message meets Alert condition
date=2021-08-17 time=22:09:24 devname=FortiGate-100F devid=XXXXXXX logid=“0000000013” type=“traffic” subtype=“forward” level=“notice” vd=“root” eventtime=1629218364801754059 tz="+0530" srcip=10.44.XX.XXX srcport=47730 srcintf=“lan” srcintfrole=“lan” dstip= dstport=22 dstintf=“wan1” dstintfrole=“wan” poluuid=“9c283de0-ff71-51eb-7419-5df973f95b4f” sessionid=2638695 proto=6 action=“deny” policyid=13 policytype=“policy” service="SSH" dstcountry=“Netherlands” srccountry=“Reserved” trandisp=“noop” duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat=“unscanned” crscore=30 craction=131072 crlevel=“high”

Am unable to find which service is using SSH service to send traffic to unknown servers and due this my IP is getting blacklisted regularly.
Please help me to identify and fix.
Attaching the blocklist information as image

Hi bainwave, that’s an nasty and serious issue you have at hand here.

The description ‘My production box is behind a fortigate firewall’ does not say much about your network setup: ie is your fortigate firewall also the gateway for all the clients in the LAN or is the nethserver the gateway?

then should we assume 10.44.XX.XXX is the ip of the nethsever?
If ihe netserver is is the gateway this does not say that much as any client on the lan would pass its traffic though nethserver.

In the end of the day, what i’m trying to say: are you sure the nethserver is the initiator of the “bad ssh” behavior or can it be an other client in the network

AFAIK no nethsever module initiates an ssh connection.

1 Like


I agree that this looks nasty.

The IP in question is a hosted IP at Nice-IT in the Netherlands (Holland).

There is a ssh server running there, a webserver is also running, but completly unconfigured. Looks suspiscious! The type of: “I smell a rotten fish”…

I do know Fortinet, they make quite expensive, restrictive but also quite capable firewalls.
I think we can safely assume that the Fortinet is the default gateway for the LAN in question… :slight_smile:

As VERY restrictive, Fortinet does occasionally produce false positives, especially in the area of OpenSource. MESH-Central is a good example it will block, even if it’s your own server.

I also quite agree that no known service on NethServer initiates a SSH connection. There is, if you’ve agreed to NethServer Stats - a “call home” function (Helping devs and for stats), but that uses http/https…

You CAN eg setup a honeypot… eg a VM or real server with a matching routing and the IP and have a SSH server running there. That would enable you to find out if it’s using a ssh-cert, or a hardcoded user to connect…

My 2 cents

This is important:


Thanks @Andy & @mark_nl for immediate reply.
Double checked the firewall configuration and the logs of firewall also confirmed, the SSH traffic being generated from the production mail box.
I just wanted to start digging into the box, but failed.
Guide me which application / script / any other initiating the traffic.
Thanks in advance

Does Zabbix has SSH management module for retrieving data?
Zabbix anyway is not an official module and does not initiate any connection unless configured to…

1 Like



Use eg htop on the server.
Increase ssh logging on the server.
Check logs and htop when your Fortinet alarms you next time…

My 2 cents

1 Like

And this is a starter.
Which process uses this port, my best guess is apache.
Any extra websites installed on the server?

1 Like

Only nethserver modules installed. No other application is running.
Will post my observations once I follow your idea.
Zabbix is not installed on my box.
Thanks once again for the time you spent and support.

It looks like netstat could do what you need–run netstat -nptw and look for connections on port 22. It should show what program is causing the traffic.


Hello experts!!
I know am sounding weird, but to my surprise, there is no traffic block on firewall since yesterday, through LAN to WAN, where port 22 blocked, which means the traffic is not being generated.
Although, my issue is resolved, but still need to know what happened.
Any thoughts?