Should we trust chinese repositories?

NethServer Version: 7.6

Hello everyone. I just installed a new NethServer instance to use as a Nextcloud server for a PoC. Right after the installation and system upgrade, I found that the yum package manager had connected to a Chinese server (IP 202.121.199.235). I know that rpm repository mirrors can reside anywhere in the world, but I found this a little strange. The download size was just around 5.5 MB. Did you notice something similar with your installations?

Thank you in advance

Hi,

I don’t know how the activity checking is made.

But a Chinese repository isn’t suspect: there are NethServer Chinese users too.

Is your interrogation about filling the repository with activities other than translation ones?

Ps: I’m now curious too

1 Like

If I am not wrong, packages are signed and the signature is related to the hash of the package.
Therefore in the Chinese repository there should be only a mirror of an existing package, without any modification.

1 Like

I’ve never paid attention to the physical location of the mirrors I’m using. As @pike says, all the packages are GPG-signed, as is the repository data itself, and the GPG keys ship with the NethServer distribution. As a result, they can’t be (inadvertently or deliberately) changed in transit without you knowing it.
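The protection described above only holds while signature checking is actually switched on for every repository. The following script is an added example, not code from the thread or from the NethServer project; it assumes the CentOS 7 / NethServer 7 layout (repo definitions in `/etc/yum.repos.d/*.repo`, `rpm(8)` available) and reports any repository section that lacks an explicit `gpgcheck=1`, then lists the GPG keys rpm currently trusts so you can spot one you never knowingly imported.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes CentOS 7 / NethServer 7:
# repo definitions live in /etc/yum.repos.d/*.repo and rpm(8) is installed.

# audit_gpgcheck FILE
# Prints "FILE:repoid" for every [section] that does not carry an explicit
# gpgcheck=1 (a gpgcheck=0 line or no line at all), and returns 1 if any
# such section exists. A mirror can only feed you a modified package when
# this check is off for the repository it serves.
audit_gpgcheck() {
    awk -v file="$1" '
        function flush() { if (id != "" && !ok) { print file ":" id; bad = 1 } }
        BEGIN     { bad = 0 }
        /^\[.*\]/ { flush(); id = substr($0, 2, length($0) - 2); ok = 0; next }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END       { flush(); exit bad }
    ' "$1"
}

# list_trusted_keys
# rpm stores each imported repository key as a pseudo-package named
# gpg-pubkey; the SUMMARY field carries the key owner's user ID.
list_trusted_keys() {
    rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE} %{SUMMARY}\n'
}

# show_package_signature PKG
# Prints the signature line rpm records for an installed package, which
# includes the key ID that signed it (or "(none)" for an unsigned package).
show_package_signature() {
    rpm -qi "$1" | grep '^Signature'
}

# Run the audit against the live system only when asked explicitly
# (./audit.sh --run), so the functions can also be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    for f in /etc/yum.repos.d/*.repo; do
        audit_gpgcheck "$f" || true
    done
    if command -v rpm >/dev/null 2>&1; then
        list_trusted_keys
        show_package_signature nethserver-base
    fi
fi
```

On a clean install the audit should print nothing; any line it does print names a repository whose packages yum would install without checking the signature, which is the one situation in which the location of a mirror starts to matter.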

Sure, all rpm packages are signed, so there is no chance to download and install something dangerous unless you don’t pay attention while trusting a new repository’s GPG key (I don’t think this is the case). But I was curious because I have about ten CentOS servers in my office (in Italy) and none of them ever connected to Chinese repositories. This is the yum traffic graph of the last 30 days from my networks towards China IP addresses:

The source of the traffic is the newly installed NethServer instance. I’m now trying to install a host-based IDS on this server, just to try it against our SIEM and look at the events. I’ll update this thread if I find something interesting.

According to APNIC this IP belongs to Shanghai University.

Hochiminh!!!

@gica78r: interesting screenshot. What application do you use for traffic monitoring?

The screenshot has been taken from our Palo Alto firewall web interface.

I can’t find that IP address among those belonging to the CentOS/EPEL/NethServer mirrors yet. According to the AlienVault OTX portal, that IP should be related to the Eclipse project and other projects, nothing about CentOS itself, unless it is a really newly created mirror.

Maybe I’m not searching the right places, and don’t know how the CentOS servers query their yum repos…
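Yum does not pick a mirror by itself: the `mirrorlist=` URL in each repo file returns a list of candidate mirrors, and on CentOS 7 the fastestmirror plugin caches that list under `/var/cache/yum/<arch>/<release>/<repoid>/mirrorlist.txt` (also visible with `yum repolist -v`). The script below is an added example, not code from the thread or from the NethServer project; it assumes that cache layout and extracts the mirror hosts yum chose, flags any host outside the domains you expect, and resolves the remainder so the addresses can be compared with what the firewall logged.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes CentOS 7 / NethServer 7, where
# yum caches each repository's mirror list in
# /var/cache/yum/<arch>/<release>/<repoid>/mirrorlist.txt.

# mirror_hosts FILE
# Prints the unique host names (or literal IPs) from the http/https/ftp
# URLs in a cached mirrorlist, skipping comments and blank lines.
mirror_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        match($0, /^[ \t]*(https?|ftp):\/\//) {
            rest = substr($0, RLENGTH + 1)
            sub(/[\/:].*/, "", rest)      # drop path and port
            if (rest != "") print rest
        }
    ' "$1" | sort -u
}

# unexpected_hosts FILE SUFFIX...
# Prints every mirror host in FILE that is not under one of the trusted
# domain suffixes given as the remaining arguments (e.g. centos.org).
# Literal IP addresses never match a suffix, so they always show up here.
unexpected_hosts() {
    file=$1
    shift
    mirror_hosts "$file" | while IFS= read -r host; do
        ok=0
        for suffix in "$@"; do
            case $host in
                "$suffix"|*."$suffix") ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$host"
        fi
    done
}

# resolve_hosts FILE
# Prints "host address" pairs for each mirror host, using the resolver
# library (getent), so the result can be matched against firewall logs.
resolve_hosts() {
    mirror_hosts "$1" | while IFS= read -r host; do
        getent hosts "$host" | awk -v h="$host" '{ print h, $1 }'
    done
}

# Run against the live cache only when asked explicitly (./mirrors.sh --run);
# the trusted suffixes below are an assumption, adjust them to your repos.
if [ "${1:-}" = "--run" ]; then
    for list in /var/cache/yum/*/*/*/mirrorlist.txt; do
        [ -f "$list" ] || continue
        echo "== $list"
        unexpected_hosts "$list" centos.org nethserver.org fedoraproject.org
        resolve_hosts "$list"
    done
fi
```

If the IP in question resolves from one of the listed hosts, the traffic is simply yum using the mirror it was handed; if no cached mirror list contains it, the next place to look is the repository that was being refreshed at the time, since a mirror list is re-fetched whenever the cache expires.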