• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Why is pfSense calling CZ?

Scheduled Pinned Locked Moved Firewalling
15 Posts 5 Posters 1.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • D
    DaddyGo @November
    last edited by DaddyGo Jul 23, 2020, 10:57 AM Jul 23, 2020, 10:50 AM

    @November said in Why is pfSense calling CZ?:

    noticed the following DENY logged:

    this means that you have set pfBlockerNG to full European IPv4 blocking
    (it doesn't make much sense to block such a huge IPv4 range!!!)

    192.168.1.100 is the IP address of the pfSense box? (or an internal host address?)

    pfBlockerNG intercepted TCP-"syn" and blocked it as it started towards CZ IP address

    otherwise, this IP belongs to a Czech "hosting provider"

    nslookup (sorry to show you in writing but can't post pictures in the forum, today):
    unassigned-87.236.194.23.coolhousing.net (maybe it could be some CDN stuff)

    https://www.coolhousing.net/en

    +++edit:
    if you definitely think you want to protect yourself by blocking complete IP ranges (not a good idea), choose between the ones that are threatening via (e.g., DDoS, CoinMiner, botnet, etc.)
    these can help:

    https://www.cybersecurity-insiders.com/list-of-countries-which-are-most-vulnerable-to-cyber-attacks/
    https://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18464&view=map
    https://talosintelligence.com/

    Cats bury it so they can't see it!
    (You know what I mean if you have a cat)

    N 1 Reply Last reply Jul 23, 2020, 1:44 PM Reply Quote 0
    • N
      November @DaddyGo
      last edited by Jul 23, 2020, 1:44 PM

      @DaddyGo ,

      Yes, I've chosen to block CZ. I understand that in theory this shouldn't do anything. Considering something is trying to call CZ when no one in the household is awake, I'd like to know what that is.

      The firewall's IP address is 192.168.1.1. I'm assuming 192.168.1.100 is coming from the firewall, too, since the LAN IP addresses don't start with 192.168.1. Perhaps this is a flawed assumption. If it is, it sounds like I should start blocking all calls from 192.168.1.100 until I can track down its source.

      D 1 Reply Last reply Jul 23, 2020, 1:55 PM Reply Quote 0
      • P
        provels
        last edited by Jul 23, 2020, 1:55 PM

        @November said in Why is pfSense calling CZ?:

        87.236.194.23

        Could be this CZ IP was sold/leased to someone else, maybe an ad server or such. Perhaps innocuous or perhaps you have malware. What device is 192.168.1.100?

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        N 1 Reply Last reply Jul 25, 2020, 2:23 PM Reply Quote 0
        • D
          DaddyGo @November
          last edited by DaddyGo Jul 23, 2020, 2:02 PM Jul 23, 2020, 1:55 PM

          @November said in Why is pfSense calling CZ?:

          it sounds like I should start blocking all calls from 192.168.1.100

          this would be a very rough intervention 😉
          detection, debugging (if any at all), it doesn't have to be this way

          what kind of device's IP address is 192.168.1.100

          if we find out what triggers requests from the device to CZ
          you can take action..

          +++edit:
          probably some application initiates requests to this hosting provider on an intermediate network (CDN, datacenter IP, etc.)
          this is not a real location, but it uses an https port

          BTW: the request does not reach because pfBlockerNG is working

          do you hate CZ? 😁

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          N 1 Reply Last reply Jul 25, 2020, 2:25 PM Reply Quote 0
          • N
            November @provels
            last edited by Jul 25, 2020, 2:23 PM

            @provels "What device is 192.168.1.100?" is one of the root questions I'm trying to answer. Currently I'm turning off one or two devices at a time to try to track down which device it is. Any other suggestions?

            J P 2 Replies Last reply Jul 25, 2020, 2:38 PM Reply Quote 0
            • N
              November @DaddyGo
              last edited by Jul 25, 2020, 2:25 PM

              @DaddyGo , I don't hate CZ but from what I've read and from my own experience working at a global Internet company, lots of hacking starts from that area.

              D 1 Reply Last reply Jul 26, 2020, 12:49 PM Reply Quote 0
              • J
                jdeloach @November
                last edited by Jul 25, 2020, 2:38 PM

                This post is deleted!
                P 1 Reply Last reply Jul 25, 2020, 2:40 PM Reply Quote 0
                • P
                  ptt Rebel Alliance @jdeloach
                  last edited by Jul 25, 2020, 2:40 PM

                  @jdeloach said in Why is pfSense calling CZ?:

                  IP address 192.168.1.100 is the common address of most cable modems. This has always been the IP address of all cable modems that I've had in the past.

                  192.168.100.1 ;)

                  N 1 Reply Last reply Jul 25, 2020, 3:45 PM Reply Quote 1
                  • P
                    provels @November
                    last edited by provels Jul 25, 2020, 3:01 PM Jul 25, 2020, 2:55 PM

                    @November
                    Ping 192.168.1.100 then do and

                    arp -a
                    

                    to see what MAC address has 1.100 and track down the MAC.

                    PS C:\Users\Me> arp -a
                    
                    Interface: 192.168.0.20 --- 0x17
                      Internet Address      Physical Address      Type
                      192.168.0.1           00-15-5d-00-14-30     dynamic
                      192.168.0.12          00-15-5d-00-14-2c     dynamic
                      192.168.0.61          00-11-0a-54-23-14     dynamic
                      192.168.0.69          00-15-5d-00-14-4b     dynamic
                      192.168.0.71          fc-03-9f-f8-86-d8     dynamic
                      192.168.0.100         0c-41-3e-91-6e-60     dynamic
                      192.168.0.101         30-0d-43-26-00-e8     dynamic
                      192.168.0.106         00-15-5d-00-14-45     dynamic
                      192.168.0.108         00-1e-64-4d-d0-2e     dynamic
                      192.168.0.111         00-15-5d-00-14-2d     dynamic
                      192.168.0.150         30-52-cb-e7-50-71     dynamic
                      192.168.0.200         00-00-f0-a3-f3-33     dynamic
                      192.168.0.204         00-09-b0-e6-5c-b0     dynamic
                      192.168.0.255         ff-ff-ff-ff-ff-ff     static
                      224.0.0.22            01-00-5e-00-00-16     static
                      224.0.0.251           01-00-5e-00-00-fb     static
                      224.0.0.252           01-00-5e-00-00-fc     static
                      239.255.255.250       01-00-5e-7f-ff-fa     static
                    

                    Or try a

                    
                    ping -an
                    

                    and maybe it will resolve the device name.

                    PS C:\Users\Me> ping -an 192.168.0.150
                    
                    Pinging XPS13 [192.168.0.150] with 32 bytes of data:
                    Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
                    Reply from 192.168.0.150: bytes=32 time=7ms TTL=128
                    Reply from 192.168.0.150: bytes=32 time=5ms TTL=128
                    Reply from 192.168.0.150: bytes=32 time=9ms TTL=128
                    

                    Peder

                    MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                    BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                    1 Reply Last reply Reply Quote 0
                    • N
                      November @ptt
                      last edited by Jul 25, 2020, 3:45 PM

                      @ptt , it turns out that 192.168.1.100 is the WAN IP address that my router is using.

                      Thanks much, everyone!

                      The question now is why my router is calling out to CZ, UA, etc.

                      P 1 Reply Last reply Jul 25, 2020, 3:51 PM Reply Quote 0
                      • P
                        provels @November
                        last edited by Jul 25, 2020, 3:51 PM

                        @November
                        Well, there are router exploits. You may want to search for your model and exploits.

                        Peder

                        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        N 1 Reply Last reply Jul 25, 2020, 5:10 PM Reply Quote 0
                        • N
                          November @provels
                          last edited by Jul 25, 2020, 5:10 PM

                          @provels , that's definitely one of my concerns.

                          I was just made aware of https://atlas.ripe.net/landing/probes-and-anchors/. Whenever I've done a who.is on the target IP addresses, RIPE does come up. I'll try whitelisting them and seeing if that helps.

                          P 1 Reply Last reply Jul 25, 2020, 7:14 PM Reply Quote 0
                          • P
                            provels @November
                            last edited by Jul 25, 2020, 7:14 PM

                            @November
                            Maybe check here:
                            https://duckduckgo.com/?isource=infinity&iname=duckduckgo&itype=web&q=router+exploits+by+manufacturer&atb=v211-1&ia=web

                            Peder

                            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                            1 Reply Last reply Reply Quote 0
                            • D
                              DaddyGo @November
                              last edited by Jul 26, 2020, 12:49 PM

                              @November said in Why is pfSense calling CZ?:

                              lots of hacking starts from that area.

                              Interesting..

                              CZ country next to my place of birth, but I haven't heard of them yet such as harassment, hackers, etc., I worked as a computer scientist in Brno (city CZ) for a long time and it never arose.

                              I accept your position, if you feel that way

                              Cats bury it so they can't see it!
                              (You know what I mean if you have a cat)

                              1 Reply Last reply Reply Quote 0
                              15 out of 15
                              • First post
                                15/15
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                This community forum collects and processes your personal information.
                                consent.not_received