Why is pfSense calling CZ?
-
This morning I noticed the following DENY logged:
Jul 22 05:00:05 LAN pfB_Europe_v4 (1770012069) TCP-S 192.168.1.100:40068 87.236.194.23:443 unassigned-87.236.194.23.cool... CZ Country
What can I do to trace back the origin of this call (I'm assuming, perhaps incorrectly, that the 192.168.1.100 IP means that pfSense is forwarding a call from somewhere else)?
-
@November said in Why is pfSense calling CZ?:
noticed the following DENY logged:
this means that you have set pfBlockerNG to full European IPv4 blocking
(it doesn't make much sense to block such a huge IPv4 range!!!)
192.168.1.100 is the IP address of the pfSense box? (or an internal host address?)
pfBlockerNG intercepted the TCP "syn" and blocked it as it started towards a CZ IP address
otherwise, this IP belongs to a Czech "hosting provider"
nslookup (sorry to show you in writing but can't post pictures in the forum, today):
unassigned-87.236.194.23.coolhousing.net (maybe it could be some CDN stuff)
https://www.coolhousing.net/en
+++edit:
if you definitely think you want to protect yourself by blocking complete IP ranges (not a good idea), choose between the ones that are threatening (e.g., DDoS, CoinMiner, botnet, etc.)
these can help:
https://www.cybersecurity-insiders.com/list-of-countries-which-are-most-vulnerable-to-cyber-attacks/
https://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18464&view=map
https://talosintelligence.com/ -
@DaddyGo ,
Yes, I've chosen to block CZ. I understand that in theory this shouldn't do anything. Considering something is trying to call CZ when no one in the household is awake, I'd like to know what that is.
The firewall's IP address is 192.168.1.1. I'm assuming 192.168.1.100 is coming from the firewall, too, since the LAN IP addresses don't start with 192.168.1. Perhaps this is a flawed assumption. If it is, it sounds like I should start blocking all calls from 192.168.1.100 until I can track down its source.
-
@November said in Why is pfSense calling CZ?:
87.236.194.23
Could be this CZ IP was sold/leased to someone else, maybe an ad server or such. Perhaps innocuous or perhaps you have malware. What device is 192.168.1.100?
-
@November said in Why is pfSense calling CZ?:
it sounds like I should start blocking all calls from 192.168.1.100
this would be a very rough intervention
detection, debugging (if any at all), it doesn't have to be this way
what kind of device's IP address is 192.168.1.100?
if we find out what triggers requests from the device to CZ
you can take action.
+++edit:
probably some application initiates requests to this hosting provider on an intermediate network (CDN, datacenter IP, etc.)
this is not a real location, but it uses an https port
BTW: the request does not get through because pfBlockerNG is working
do you hate CZ?
-
@provels "What device is 192.168.1.100?" is one of the root questions I'm trying to answer. Currently I'm turning off one or two devices at a time to try to track down which device it is. Any other suggestions?
-
@DaddyGo , I don't hate CZ but from what I've read and from my own experience working at a global Internet company, lots of hacking starts from that area.
-
This post is deleted! -
@jdeloach said in Why is pfSense calling CZ?:
IP address 192.168.1.100 is the common address of most cable modems. This has always been the IP address of all cable modems that I've had in the past.
192.168.100.1 ;)
-
@November
Ping 192.168.1.100, then do an arp -a to see what MAC address has 1.100 and track down the MAC.
PS C:\Users\Me> arp -a
Interface: 192.168.0.20 --- 0x17
  Internet Address      Physical Address      Type
  192.168.0.1           00-15-5d-00-14-30     dynamic
  192.168.0.12          00-15-5d-00-14-2c     dynamic
  192.168.0.61          00-11-0a-54-23-14     dynamic
  192.168.0.69          00-15-5d-00-14-4b     dynamic
  192.168.0.71          fc-03-9f-f8-86-d8     dynamic
  192.168.0.100         0c-41-3e-91-6e-60     dynamic
  192.168.0.101         30-0d-43-26-00-e8     dynamic
  192.168.0.106         00-15-5d-00-14-45     dynamic
  192.168.0.108         00-1e-64-4d-d0-2e     dynamic
  192.168.0.111         00-15-5d-00-14-2d     dynamic
  192.168.0.150         30-52-cb-e7-50-71     dynamic
  192.168.0.200         00-00-f0-a3-f3-33     dynamic
  192.168.0.204         00-09-b0-e6-5c-b0     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
Or try a ping -an and maybe it will resolve the device name.
PS C:\Users\Me> ping -an 192.168.0.150
Pinging XPS13 [192.168.0.150] with 32 bytes of data:
Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
Reply from 192.168.0.150: bytes=32 time=7ms TTL=128
Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
Reply from 192.168.0.150: bytes=32 time=9ms TTL=128
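An added example (Python written for this edit, not code posted by anyone in the thread) that joins the DENY line quoted at the top of the thread with the arp -a output ptt describes: it parses the pfBlockerNG field layout and the Windows arp -a table, looks up the MAC recorded for the blocked source IP, and pulls out the OUI vendor prefix so the device can be identified. The log line and ARP rows below are constructed sample data (the MACs are made up), and the Windows arp -a layout is assumed.

```python
"""Correlate a pfBlockerNG DENY line with a local `arp -a` table.

Added example: parses the log format quoted in the thread and the Windows
`arp -a` layout, then maps the blocked source IP to a MAC and OUI prefix.
All sample data below is constructed; the MAC addresses are made up.
"""
import ipaddress
import re

# Constructed pfBlockerNG log line, modelled on the one quoted in the thread
# (the hostname was truncated in the post; a full hostname is assumed here).
PFB_LOG = (
    "Jul 22 05:00:05 LAN pfB_Europe_v4 (1770012069) TCP-S "
    "192.168.1.100:40068 87.236.194.23:443 "
    "unassigned-87.236.194.23.coolhousing.net CZ Country"
)

# Constructed `arp -a` output in the Windows layout shown in the thread.
ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0x17
  Internet Address      Physical Address      Type
  192.168.1.1           00-15-5d-00-14-30     dynamic
  192.168.1.100         0c-41-3e-91-6e-60     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Field order as it appears in the quoted DENY line:
# month day time iface alias (rule) proto src:sport dst:dport hostname country
LOG_RE = re.compile(
    r"^(?P<month>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) (?P<alias>\S+) \((?P<rule>\d+)\) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<host>\S+) (?P<country>[A-Z]{2})\b"
)

# One `arp -a` table row: address, dashed MAC, type. The header and
# "Interface:" lines deliberately do not match.
ARP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})"
    r"\s+(dynamic|static)\s*$"
)


def parse_pfb_line(line):
    """Return the DENY line's fields as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # RFC 1918 check: a private source means the connection originated
    # (or was NATed) on a local segment, not out on the Internet.
    fields["src_private"] = ipaddress.ip_address(fields["src"]).is_private
    fields["dst_private"] = ipaddress.ip_address(fields["dst"]).is_private
    return fields


def parse_arp(text):
    """Map IPv4 address -> lower-case dashed MAC from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def oui(mac):
    """First three octets of a MAC (the vendor OUI), colon separated."""
    return ":".join(mac.lower().replace(":", "-").split("-")[:3])


def correlate(log_line, arp_text):
    """Join the blocked source IP to the MAC seen for it in the ARP cache.

    A missing MAC usually means the host has not been pinged recently (the
    cache only holds neighbours this machine has talked to) or the IP lives
    on another segment, e.g. the WAN side of the firewall.
    """
    ev = parse_pfb_line(log_line)
    if ev is None:
        return None
    mac = parse_arp(arp_text).get(ev["src"])
    return {
        "src": ev["src"],
        "dst": ev["dst"],
        "dport": ev["dport"],
        "country": ev["country"],
        "src_private": ev["src_private"],
        "mac": mac,
        "oui": oui(mac) if mac else None,
    }


if __name__ == "__main__":
    print(correlate(PFB_LOG, ARP_OUTPUT))
```

Run it against a real arp -a capture by pasting the command's output into ARP_OUTPUT (or reading it from a file) after pinging the address, since the cache only holds hosts this machine has recently exchanged frames with. When the lookup returns no MAC for an address on your own subnet, that itself is a clue: the IP is not a neighbour on that segment, which is how a WAN-side address like the one in this thread would look from a LAN client.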
-
@ptt , it turns out that 192.168.1.100 is the WAN IP address that my router is using. Thanks much, everyone!
The question now is why my router is calling out to CZ, UA, etc.
-
@November
Well, there are router exploits. You may want to search for your model and exploits. -
@provels , that's definitely one of my concerns.
I was just made aware of https://atlas.ripe.net/landing/probes-and-anchors/. Whenever I've done a who.is on the target IP addresses, RIPE does come up. I'll try whitelisting them and seeing if that helps.
-
@November
Maybe check here:
https://duckduckgo.com/?isource=infinity&iname=duckduckgo&itype=web&q=router+exploits+by+manufacturer&atb=v211-1&ia=web -
@November said in Why is pfSense calling CZ?:
lots of hacking starts from that area.
Interesting..
CZ is the country next to my place of birth, but I haven't heard of such things (harassment, hackers, etc.) from there yet; I worked as a computer scientist in Brno (a city in CZ) for a long time and it never came up.
I accept your position, if you feel that way