What does Nethserver do

Hi,

today I was looking up the NAT list on my router (hardware). I found a lot of entries for open sessions to the Nethserver. One IP, 45.133.1.99, occurs very often for port 25:

By chance: does this look familiar to you, does anybody know that IP, do I need to fear some intrusion?

TIA
Thorsten

|Private IP|:Port|#Pseudo-Port|Peer-IP|:Port|Interface|
|---|---|---|---|---|---|
|172.17.0.12|25|25|45.133.1.99|59016|WAN1|
|172.17.0.12|25|25|45.133.1.99|59029|WAN1|
|172.17.0.12|25|25|45.133.1.99|59059|WAN1|
|172.17.0.12|25|25|45.133.1.99|59219|WAN1|
|172.17.0.12|25|25|45.133.1.99|59110|WAN1|
|172.17.0.12|25|25|45.133.1.99|59117|WAN1|
|172.17.0.12|25|25|45.133.1.99|59138|WAN1|
|172.17.0.12|25|25|45.133.1.99|59139|WAN1|
|172.17.0.12|25|25|85.202.169.52|62276|WAN1|
|172.17.0.12|25|25|45.133.1.99|59283|WAN1|
|172.17.0.12|25|25|85.202.169.52|62191|WAN1|
|172.17.0.12|25|25|45.133.1.99|59185|WAN1|
|172.17.0.12|25|25|85.202.169.52|62323|WAN1|
|172.17.0.12|25|25|45.133.1.99|59417|WAN1|
|172.17.0.12|25|25|45.133.1.99|59424|WAN1|
|172.17.0.12|25|25|45.133.1.99|59425|WAN1|
|172.17.0.12|25|25|45.133.1.99|59478|WAN1|
|172.17.0.12|25|25|45.133.1.99|59482|WAN1|
|172.17.0.12|25|25|45.133.1.99|59489|WAN1|
|172.17.0.12|25|25|45.133.1.99|59490|WAN1|
|172.17.0.12|25|25|85.202.169.52|62509|WAN1|
|172.17.0.12|25|25|45.133.1.99|59548|WAN1|
|172.17.0.12|25|25|85.202.169.52|62581|WAN1|
|172.17.0.12|25|25|45.133.1.99|59623|WAN1|
|172.17.0.12|25|25|45.133.1.99|59750|WAN1|
|172.17.0.12|25|25|85.202.169.52|62769|WAN1|
|172.17.0.12|25|25|45.133.1.99|59768|WAN1|
|172.17.0.12|25|25|45.133.1.99|59800|WAN1|
|172.17.0.12|25|25|45.133.1.99|59949|WAN1|
|172.17.0.12|25|25|45.133.1.99|59957|WAN1|
|172.17.0.12|25|25|85.202.169.52|63001|WAN1|
|172.17.0.12|25|25|45.133.1.99|60007|WAN1|
|172.17.0.12|25|25|45.133.1.99|60019|WAN1|
|172.17.0.12|25|25|85.202.169.52|63085|WAN1|
|172.17.0.12|25|25|45.133.1.99|60089|WAN1|
|172.17.0.12|25|25|45.133.1.99|60113|WAN1|
|172.17.0.12|25|25|85.202.169.52|63157|WAN1|
|172.17.0.12|25|25|45.133.1.99|60179|WAN1|
|172.17.0.12|25|25|45.133.1.99|60211|WAN1|
|172.17.0.12|25|25|45.133.1.99|60303|WAN1|
|172.17.0.12|25|25|45.133.1.99|60348|WAN1|
|172.17.0.12|65151|33919|1.1.1.1|53|WAN1|
|172.17.0.12|65151|33919|8.8.8.8|53|WAN1|
|172.17.0.12|25|25|45.133.1.99|60376|WAN1|
|172.17.0.12|25|25|85.202.169.52|63443|WAN1|
|172.17.0.12|25|25|85.202.169.52|63485|WAN1|
|172.17.0.12|25|25|45.133.1.99|60489|WAN1|
|172.17.0.12|25|25|85.202.169.52|63521|WAN1|
|172.17.0.12|25|25|45.133.1.99|60513|WAN1|
|172.17.0.12|25|25|45.133.1.99|60616|WAN1|
|172.17.0.12|25|25|45.133.1.99|60688|WAN1|
|172.17.0.12|25|25|45.133.1.99|60689|WAN1|
|172.17.0.12|25|25|45.133.1.99|60782|WAN1|
|172.17.0.12|25|25|45.133.1.99|60827|WAN1|
|172.17.0.12|25|25|45.133.1.99|60835|WAN1|
|172.17.0.12|25|25|45.133.1.99|60848|WAN1|
|172.17.0.12|25|25|45.133.1.99|60878|WAN1|
|172.17.0.12|25|25|45.133.1.99|60886|WAN1|
|172.17.0.12|25|25|45.133.1.99|60887|WAN1|
|172.17.0.12|25|25|45.133.1.99|60935|WAN1|
|172.17.0.12|25|25|45.133.1.99|61048|WAN1|
|172.17.0.12|25|25|45.133.1.99|61153|WAN1|
|172.17.0.12|25|25|45.133.1.99|61206|WAN1|
|172.17.0.12|25|25|45.133.1.99|61230|WAN1|
|172.17.0.12|25|25|45.133.1.99|61320|WAN1|
|172.17.0.12|25|25|45.133.1.99|61408|WAN1|
|172.17.0.12|25|25|45.133.1.99|61418|WAN1|
|172.17.0.12|25|25|195.133.40.113|60600|WAN1|
|172.17.0.12|25|25|45.133.1.99|61541|WAN1|
|172.17.0.12|25|25|45.133.1.99|61572|WAN1|
|172.17.0.12|25|25|45.133.1.99|61614|WAN1|
|172.17.0.12|25|25|45.133.1.99|61667|WAN1|
|172.17.0.12|25|25|45.133.1.99|61672|WAN1|
|172.17.0.12|25|25|85.202.169.52|64687|WAN1|
|172.17.0.12|25|25|45.133.1.99|61741|WAN1|
|172.17.0.12|25|25|45.133.1.99|61746|WAN1|
|172.17.0.12|33809|35345|162159200123|123|WAN1|
|172.17.0.12|25|25|45.133.1.99|61823|WAN1|
|172.17.0.12|25|25|85.202.169.52|64844|WAN1|
|172.17.0.12|25|25|45.133.1.99|61843|WAN1|
|172.17.0.12|25|25|45.133.1.99|61897|WAN1|
|172.17.0.12|25|25|45.133.1.99|61940|WAN1|
|172.17.0.12|34023|35559|130.60.204.10|123|WAN1|
|172.17.0.12|25|25|45.133.1.99|61994|WAN1|
|172.17.0.12|25|25|45.133.1.99|62018|WAN1|

Obviously, Fail2Ban did a good job :slight_smile:
but - why are there still open connections???
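One way to read a dump like the one above, as an added example that is not part of the original post or of NethServer: the script below parses the router's pipe-separated NAT session rows, separates inbound sessions (well-known local port, ephemeral peer port) from the server's own outbound lookups (DNS on 53, NTP on 123), and counts how many concurrent sessions each peer holds to port 25. The sample rows are a small subset copied from the table above; the threshold of 3 is an arbitrary value chosen for the example. It also helps with the "why still open?" question: a fail2ban ban installs a firewall rule on the NethServer host for new connections, while the router's NAT table is a separate state table whose entries persist until the TCP session closes or the router's idle timeout ages them out, so already established sessions keep showing up there for a while.

```python
"""Summarise a router NAT session table to spot peers hammering one service.

Added example, not code from the forum post or from NethServer. It parses
rows in the pipe-separated format the router exported and groups them by
peer address and local port.
"""
from collections import Counter

# Constructed sample: a handful of rows taken from the NAT list in the post.
SAMPLE_NAT_TABLE = """\
|Private IP|:Port|#Pseudo-Port|Peer-IP|:Port|Interface|
|172.17.0.12|25|25|45.133.1.99|59016|WAN1|
|172.17.0.12|25|25|45.133.1.99|59029|WAN1|
|172.17.0.12|25|25|85.202.169.52|62276|WAN1|
|172.17.0.12|25|25|45.133.1.99|59059|WAN1|
|172.17.0.12|65151|33919|1.1.1.1|53|WAN1|
|172.17.0.12|34023|35559|130.60.204.10|123|WAN1|
|172.17.0.12|25|25|195.133.40.113|60600|WAN1|
|172.17.0.12|25|25|45.133.1.99|59219|WAN1|
"""


def parse_nat_table(text):
    """Return one dict per data row; the header and malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        # The header row has ':Port' in the port column, so isdigit() drops it.
        if len(cells) != 6 or not (cells[1].isdigit() and cells[4].isdigit()):
            continue
        private_ip, private_port, _pseudo_port, peer_ip, peer_port, iface = cells
        sessions.append({
            "private_ip": private_ip,
            "private_port": int(private_port),
            "peer_ip": peer_ip,
            "peer_port": int(peer_port),
            "interface": iface,
        })
    return sessions


def direction(session):
    """Heuristic: a well-known local port with an ephemeral peer port means the
    peer connected in; the reverse means the server connected out."""
    if session["private_port"] < 1024 <= session["peer_port"]:
        return "inbound"
    if session["peer_port"] < 1024 <= session["private_port"]:
        return "outbound"
    return "unknown"


def inbound_sessions_by_peer(sessions, local_port=25):
    """Count concurrent inbound sessions per peer IP for one local service."""
    counts = Counter()
    for s in sessions:
        if direction(s) == "inbound" and s["private_port"] == local_port:
            counts[s["peer_ip"]] += 1
    return counts


def noisy_peers(sessions, local_port=25, threshold=3):
    """Peers holding at least `threshold` concurrent sessions to local_port."""
    counts = inbound_sessions_by_peer(sessions, local_port)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    sessions = parse_nat_table(SAMPLE_NAT_TABLE)
    for ip, n in inbound_sessions_by_peer(sessions).most_common():
        print(f"{ip:16} {n} concurrent session(s) to port 25")
    print("peers above threshold:", noisy_peers(sessions))
```

For a real export, pass the whole file to `parse_nat_table(open(path).read())` and tune the threshold to what a legitimate mail relay would normally hold open against your server; a single peer holding dozens of simultaneous SMTP sessions is worth comparing against fail2ban's ban list, since the ban stops new connections but does not clear sessions the router already tracks.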

Hi @thorsten

A bit more info:

TIP:

yum install -y whois

on your NethServer, and fail2ban will include whois info already in the mails… :slight_smile:

My 2 cents
Andy

2 Likes

@Andy_Wismer

I hope you agree if I just give 1ct :slight_smile: :

  • Of course I did a whois
  • Whois became useless after the DSGVO - main contact info is not available
  • you do not have the slightest chance to claim an abuse

Best regards
Thorsten

Hi @thorsten

Even before it was useless…

Ever tried to “claim” something from:

  • Russia
  • South / Central America
  • Asia
  • China

As long as someone is in a country which does not have extradition or respect European law (add the USA to the above list) it’s not futile, but the only one benefiting is your lawyer… :frowning:

Whois does give enough info to decide if it’s a Provider / Hoster / legitimate Company…
Sometimes this can / will help…
Providers will often terminate a contract if there are several breaches / misuse.

You CAN complain to (Fill in your favorite Institution here, eg Davos, Bilderberg, UN…)…
Who knows - maybe someone will die laughing… One down, x more to go… :slight_smile:

/sarcasm out

My 2 cents
Andy

2 Likes

Here is my report to abuse@serverion.com

Dear Admin Colleague,

Herewith I report an attack from source 45.133.1.99 within your range on my public IP 80.254.xxx.yyy (domain mydomain.tld), mainly on port 25. Attacks occurred yesterday, Jan. 19th 2022. Further information may be taken from the public forum of the server-software provider.

https://community.nethserver.org/t/what-does-nethserver-do/19634/4

In order to leave the effort of further evaluation in the hands of the attacker’s ISP, detailed reports will be sent only upon request and reimbursement of costs in advance. Thank you for your understanding.

Best regards
…

1 Like

@thorsten

Ever try to complain to Amazon about traffic from Alexa?
After all, they’re stealing your bandwidth…

A few years back, I did try that. It didn’t work. The Bozo went to orbit after leaving the gravitational pull. → He didn’t die laughing!

:slight_smile:

1 Like

My router allows defining “world objects” to block IPs based on geolocation. Any traffic from and to Russia (and mainly Eastern Europe), China and some more is blocked completely on my end by default - too bad such rules are required :slight_smile:

Unfortunately, your router (like mine) can’t detect the European / American PCs that are part of a botnet controlled from one of those countries…

:slight_smile:

1 Like

Oh, that is simple - I do not have an Alexa device - the best way to prevent :-).

Me neither, but those days such devices weren’t available. Alexa is web stats for advertisers…

1 Like

:cry: … I know … also VPN …

Remember the time Microsoft said they achieved C2 security tests for Windows NT 4.0…

In the small print:

  • Only when in a locked room
  • Only when not connected to ANY network

In the small print they didn’t say why would anyone want to pay the electric bill for a locked away server which no one can access or use…

:slight_smile:

1 Like

You need to have a look at all other devices and apps …

You own a Miele@home device, e.g. a hoover robot? … an Android TV like Sony, a Sonos sound system, a Stiebel Eltron radiation control web portal … Do not forget about the spy apps on your kids’ smartphones - Clash of Clans, Candy Crush …

1 Like