Unknown outbound connections

Greetings,
Can someone explain to me why ASL 1.01 is making outbound connections to 103.105.51.156 on port 123? Time sync is set up for my internal NTP server. Stock image from the dvswitch.org site running on a RPi. The hostname resolves to lax1.justaguy.be.

Anyone else see this?

I would block that with your firewall. Nothing in the ASL 1.01 image is set to connect to that FQDN or IP address. You will want to double check the security of your system as it appears to have been compromised.


Nathan Hardman

nhardman1428@gmail.com

N8THN@ARRL.NET

Hello Ben,

Just a quick guess: if your Raspberry Pi is using DHCP, then I would check your DHCP server. Most consumer-grade routers won’t let you edit the NTP server addresses, but most use the NTP address they get from the ISP. So the point is, your router might have a hard NTP address configured. I would check your router in the DHCP fields and see if you can add an NTP address. Sometimes the router will allow you to add a DHCP option. NTP is option 42.

You can also check your ntp.conf file: cat /etc/ntp.conf
You can also check the NTP logs if there are any: cd /var/log/ntpstats, then use cat file.log | less. Use the up and down arrows, and q to quit.

David
KE6UPI

I run an enterprise firewall and am 100% certain that the NTP settings are correct as I have verified with the CLI on the ASL node.

The image is a fresh install of ASL 1.01, and so although I can (and did) block that IP address, it’s quite disturbing that the system should feel the need to talk with it…

I’m poring over the system and monitoring with tcpdump to find the offending process…

So, here are the findings. The stock image has the 4 entries for the Debian NTP pool. It appears that ntpd learned of others from those 4 and made a few connection attempts. I see it in my logs starting 2 days ago. All ntpd’s doing.

Guess there is nothing to see here. Phew…
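
The check that settles this kind of question, as an added example that is not part of the original thread: compare destinations seen on UDP/123 against ntpd's own association list from ntpq -pn. The function names and the sample table are constructed for illustration; only 103.105.51.156 comes from the thread, and the other addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage UDP/123 destinations against
# the peers ntpd itself reports. On a live node: ntpq -pn | classify_dests IP...

# Constructed sample in the layout `ntpq -pn` prints; values are illustrative.
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
*192.0.2.10      .GPS.            1 u   41   64  377   11.204    0.312   0.145
+103.105.51.156  198.51.100.7     2 u   12   64  377   23.870   -0.508   0.221
-203.0.113.25    198.51.100.9     2 u   55   64  377   48.112    1.904   0.630
EOF
}

# Read `ntpq -pn` text on stdin, print one peer address per line.
list_ntp_peers() {
    awk 'NR > 2 {
        # Column 1 of each row is the tally code (space, *, +, -, x, ...).
        n = split(substr($0, 2), f, " ")
        if (n < 2) next
        # Rows with refid .POOL. are pool placeholders, not real servers.
        if (f[2] == ".POOL.") next
        print f[1]
    }'
}

# stdin: `ntpq -pn` text; args: destination IPs taken from firewall/tcpdump.
# Prints "<ip> ntpd-peer" or "<ip> unexplained" for each argument.
classify_dests() {
    peers=$(list_ntp_peers)
    for ip in "$@"; do
        # -F fixed string, -x whole line: 103.105.51.15 must not match .156
        if printf '%s\n' "$peers" | grep -Fxq -- "$ip"; then
            echo "$ip ntpd-peer"
        else
            echo "$ip unexplained"
        fi
    done
}

# Demo on the constructed sample.
sample_ntpq | classify_dests 103.105.51.156 198.51.100.200
```

ntpq lists only current associations, so a destination taken from older firewall logs may no longer appear even though ntpd contacted it.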