Firewall logs point to Unraid for unauthorized connections?


HH0718


I apologize if this is not the right place to post this.

I have recently enabled IPS/DPS on my Ubiquiti UDM Pro and have been trying to learn what some of the alerts are to better understand NetSec.


It seems that there is something trying to connect outside of my network and when it fails it tries again and again and again. After a few days I get constant messages like the following.


Quote

EVT_conntrack_full


I searched Ubiquiti's forums and it's because something is trying to create a bunch of tcp sockets but not closing them.

Cool, one step closer to understanding what's up. 

So I checked to see where the sockets were coming from and it's from the UnRaid server.

Now that I know what device is doing it I need to find out what docker image/app is causing this so I may find out what it is trying to do or delete it if it's a security risk.

Going to each docker app that is active and checking the logs has done nothing for me.

I'd love to find out what is causing my network to die and reset every few days because of this but I don't know how to move forward.

Can anyone point me in the right direction?


Here's a line from the firewall log:


Quote

ipv4     2 tcp      6 2108 ESTABLISHED src=172.16.0.2 dst=46.246.35.25 sport=24244 dport=25166 packets=1 bytes=552 [UNREPLIED] src=46.246.35.25 dst=72.76. sport=25166 dport=24244 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2108 ESTABLISHED src=172.16.0.2 dst=46.246.39.10 sport=49258 dport=13279 packets=1 bytes=552 [UNREPLIED] src=46.246.39.10 dst=72.76. sport=13279 dport=49258 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2098 ESTABLISHED src=172.16.0.2 dst=46.246.59.84 sport=34867 dport=8738 packets=1 bytes=552 [UNREPLIED] src=46.246.59.84 dst=72.76. sport=8738 dport=34867 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2067 ESTABLISHED src=172.16.0.2 dst=46.246.57.51 sport=48731 dport=56158 packets=1 bytes=552 [UNREPLIED] src=46.246.57.51 dst=72.76. sport=56158 dport=48731 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2057 ESTABLISHED src=172.16.0.2 dst=46.246.50.47 sport=60879 dport=21185 packets=1 bytes=552 [UNREPLIED] src=46.246.50.47 dst=72.76. sport=21185 dport=60879 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2057 ESTABLISHED src=172.16.0.2 dst=46.246.47.237 sport=34484 dport=15122 packets=1 bytes=552 [UNREPLIED] src=46.246.47.237 dst=72.76. sport=15122 dport=34484 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2057 ESTABLISHED src=172.16.0.2 dst=46.246.58.159 sport=24209 dport=54543 packets=1 bytes=552 [UNREPLIED] src=46.246.58.159 dst=72.76. sport=54543 dport=24209 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2057 ESTABLISHED src=172.16.0.2 dst=46.246.60.205 sport=53127 dport=55602 packets=1 bytes=552 [UNREPLIED] src=46.246.60.205 dst=72.76. sport=55602 dport=53127 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2057 ESTABLISHED src=172.16.0.2 dst=46.246.32.155 sport=5192 dport=25679 packets=1 bytes=552 [UNREPLIED] src=46.246.32.155 dst=72.76. sport=25679 dport=5192 packets=0 bytes=0 mark=0 use=2

ipv4     2 tcp      6 2047 ESTABLISHED src=172.16.0.2 dst=46.246.54.63 sport=16261 dport=913 packets=1 bytes=552 [UNREPLIED] src=46.246.54.63 dst=72.76. sport=913 dport=16261 packets=0 bytes=0 mark=0 use=2

This basically tells me that there is treachery afoot. And I don't like it.

Thanks for any advice.


As in my UnRaid server is trying to communicate with a VPN?

I don't have VPNs on my server setup unless it's through an app like plex, radarr, sonarr, nginxproxymanager, nzbget, ombi, nextcloud, phpadmin, and tautulli.

Thanks for the help, if you have any other advice please feel free to share it with me.


Well, my Unraid server is on 172.16.0.2 and I'm not certain if some of the apps are considered as 172.16.0.2 with outbound network traffic, as there are a few apps that have their own IP address.

But that gave me something to look into. Thanks for your feedback.


Edit: 

None of the ports listed in the log map to any of my apps in docker.

Edited by HH0718
Supplemental information
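Two things in this thread are worth pinning down for anyone chasing the same alert: the firewall excerpt in the first post and the "none of the ports map to my apps" note in the last one. The UDM records 172.16.0.2 as the source because containers on Docker's default bridge are source-NATed behind the Unraid host address, so the router's conntrack table cannot tell them apart; containers with their own LAN address (macvlan/ipvlan) appear under that address instead. The Unraid host's own table at /proc/net/nf_conntrack, which uses exactly the format quoted above, records the pre-NAT bridge address (172.17.x.x) of the container that opened each connection, and that address maps back to a container via `docker inspect -f '{{.Name}} {{.NetworkSettings.IPAddress}}' $(docker ps -q)` (containers on user-defined networks report their address under `.NetworkSettings.Networks` instead). The `sport` values in the excerpt are ephemeral client ports, so they will never match a published container port; the originating address, not the port, is what identifies the container. The script below is an added example written for this thread, not code from the original posts, from Unraid or from Ubiquiti. It parses nf_conntrack-format lines, counts unanswered outbound TCP attempts per originating address and per destination /16, and joins them against a container map. The three firewall lines are copied from the thread; the host-view lines, the container names and the IP map are constructed for the example.

```python
"""Attribute unanswered outbound TCP connections from nf_conntrack-format lines.

Added example for this thread, not code from the original posts or from
Unraid/Ubiquiti. Assumes the text format of /proc/net/nf_conntrack (the format
of the thread's firewall excerpt) and a constructed IP-to-container map of the
kind `docker inspect` produces on the host.
"""
import re
from collections import Counter

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Parse one TCP conntrack entry; return None for non-TCP or malformed lines.

    Key=value pairs occur twice: the original direction first (who opened the
    connection), then the expected reply direction. On the Unraid host, a
    bridge-mode container's entry has its own bridge address as the original
    src and the NATed host address as the reply dst.
    """
    parts = line.split()
    if len(parts) < 6 or parts[2] != "tcp":
        return None
    pairs = {}
    for key, value in KV.findall(line):
        pairs.setdefault(key, []).append(value)  # keep both directions in order
    try:
        return {
            "state": parts[5],
            "timeout": int(parts[4]),
            "src": pairs["src"][0],
            "sport": int(pairs["sport"][0]),
            "dst": pairs["dst"][0],
            "dport": int(pairs["dport"][0]),
            "reply_dst": pairs["dst"][1],
            "orig_packets": int(pairs["packets"][0]),
            "reply_packets": int(pairs["packets"][1]),
            "unreplied": "[UNREPLIED]" in line,
        }
    except (KeyError, IndexError, ValueError):
        return None


def summarize_unreplied(lines):
    """Count unanswered outbound attempts per originating IP and per /16 destination."""
    per_src, per_dst16 = Counter(), Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None or not entry["unreplied"]:
            continue
        per_src[entry["src"]] += 1
        per_dst16[".".join(entry["dst"].split(".")[:2]) + ".0.0/16"] += 1
    return per_src, per_dst16


def attribute(per_src, ip_to_container, host_ip):
    """Map each originating IP to a container name.

    An entry originating from the host IP itself came from the host or from a
    container on host networking; conntrack alone cannot narrow that further.
    """
    result = {}
    for ip in per_src:
        if ip == host_ip:
            result[ip] = "host or host-network container"
        else:
            result[ip] = ip_to_container.get(ip, "unknown (not a known container IP)")
    return result


# Three entries copied from the thread's firewall excerpt (router view: the
# source is the Unraid host address because the container is SNATed behind it).
FIREWALL_VIEW = [
    "ipv4     2 tcp      6 2108 ESTABLISHED src=172.16.0.2 dst=46.246.35.25 sport=24244 dport=25166 packets=1 bytes=552 [UNREPLIED] src=46.246.35.25 dst=72.76. sport=25166 dport=24244 packets=0 bytes=0 mark=0 use=2",
    "ipv4     2 tcp      6 2108 ESTABLISHED src=172.16.0.2 dst=46.246.39.10 sport=49258 dport=13279 packets=1 bytes=552 [UNREPLIED] src=46.246.39.10 dst=72.76. sport=13279 dport=49258 packets=0 bytes=0 mark=0 use=2",
    "ipv4     2 tcp      6 2098 ESTABLISHED src=172.16.0.2 dst=46.246.59.84 sport=34867 dport=8738 packets=1 bytes=552 [UNREPLIED] src=46.246.59.84 dst=72.76. sport=8738 dport=34867 packets=0 bytes=0 mark=0 use=2",
]

# Constructed entries of the form the Unraid host's own /proc/net/nf_conntrack
# would hold: original src is the container's bridge address, reply dst is the
# host address it was NATed to. The last two show what the parser ignores.
HOST_VIEW = [
    "ipv4     2 tcp      6 2100 ESTABLISHED src=172.17.0.5 dst=46.246.40.1 sport=41000 dport=20000 packets=1 bytes=552 [UNREPLIED] src=46.246.40.1 dst=172.16.0.2 sport=20000 dport=41000 packets=0 bytes=0 mark=0 use=2",
    "ipv4     2 tcp      6 2100 ESTABLISHED src=172.17.0.5 dst=46.246.41.2 sport=41001 dport=20001 packets=1 bytes=552 [UNREPLIED] src=46.246.41.2 dst=172.16.0.2 sport=20001 dport=41001 packets=0 bytes=0 mark=0 use=2",
    # A healthy, answered connection: no [UNREPLIED], reply packets > 0.
    "ipv4     2 tcp      6 431999 ESTABLISHED src=172.17.0.3 dst=203.0.113.10 sport=51000 dport=443 packets=12 bytes=2400 src=203.0.113.10 dst=172.16.0.2 sport=443 dport=51000 packets=10 bytes=9000 [ASSURED] mark=0 use=1",
    # A UDP entry, skipped by the TCP-only parser.
    "ipv4     2 udp      17 29 src=172.17.0.3 dst=192.0.2.53 sport=40000 dport=53 packets=1 bytes=60 src=192.0.2.53 dst=172.16.0.2 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1",
]

# Constructed map; on a real host build it from `docker inspect`. Names are placeholders.
CONTAINER_IPS = {"172.17.0.3": "example-app-a", "172.17.0.5": "example-app-b"}
HOST_IP = "172.16.0.2"

if __name__ == "__main__":
    per_src, per_dst = summarize_unreplied(FIREWALL_VIEW + HOST_VIEW)
    for ip, name in attribute(per_src, CONTAINER_IPS, HOST_IP).items():
        print(f"{ip:<15} {per_src[ip]:>3} unanswered -> {name}")
    for net, count in per_dst.most_common():
        print(f"{net:<18} {count:>3} unanswered")
```

On the Unraid host, feed it `open("/proc/net/nf_conntrack")` instead of the sample lists and a map built from `docker inspect`; an entry whose originating address is the host's own 172.16.0.2 came from the host itself or from a container using host networking, and the aggregation by destination /16 makes the single-block pattern in the excerpt (every destination in 46.246.0.0/16, one unanswered packet each) visible at a glance.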
