Anyone have this happen?
my main FreeNAS box is reaching out to 85.21.78.91:123 that tracks to Moscow.
There are no plugins/VMs installed on that box. It is running version 11.2
PfBlocker is stopping all of this traffic using GeoIP blocking.
I can’t find any data on malicious traffic for this site.
Is there any legit reason that FreeNAS should be trying to get to this site?
I have another FreeNAS box that is set up as just a destination for replication - no similar traffic.
UDP port 123 is used by the network time protocol (NTP) and the simple network time protocol. Check your FreeNAS NTP server list and do a dig lookup to see what A records they point to.
Does not appear to be malicious https://www.shodan.io/host/85.21.78.91
Thanks, Tom - I should have looked up the port - that would have been a great place to start! After a few more years under your tutelage, I’ll get there!
What I have discovered is that the IP addresses reported via dig seem to change every few minutes. I’ve cycled through a few times and never come up with the IP address in question.
I guess FreeBSD.pool.ntp.org could have been pointing at that address at some point
So, to test the theory, I have disabled all of the FreeBSD NTP servers and am using NIST time servers instead.
I reset the pfBlocker logs and will see what happens over the next day or so.
More research - NTP pools apparently sync to servers nearby.
By default, most of my network traffic goes out over PIA VPN - using a server in NJ that for some reason is sometimes associated with an IP in Germany.
No more hits since I switched the default NTP servers to US based ones.
Mystery solved.
Thanks for pointing me in the right direction!
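Tom's suggestion (dig the configured pool names) and the later finding that the answers rotate every few minutes, combined into one added script that is not from the thread: it resolves the pool names several times, keeps the union of A records, and reports whether the Moscow address ever appears. The pool hostnames are assumed to be the FreeNAS 11.2 defaults; edit them to match the list under System -> General -> NTP Servers on your box.

```shell
#!/bin/sh
# Added example, not from the thread: sample the NTP pool hostnames repeatedly
# and check whether a given "unexpected" destination was actually handed out by
# the pool. One dig is not enough because the pool rotates its answers.

# Assumed FreeNAS defaults; replace with your configured NTP server list.
NTP_POOLS="0.freebsd.pool.ntp.org 1.freebsd.pool.ntp.org 2.freebsd.pool.ntp.org"
SUSPECT_IP="85.21.78.91"   # the address seen in pfBlocker in the thread

# Keep only IPv4 A records from `dig +short` output (drops CNAME lines).
a_records() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Return 0 if $1 is one of the newline-separated addresses in $2.
ip_seen() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Resolve every pool name $1 times, $2 seconds apart; print the sorted union.
collect_pool_ips() {
    rounds=$1; pause=$2; seen=""; i=0
    while [ "$i" -lt "$rounds" ]; do
        for h in $NTP_POOLS; do
            # short timeout so an offline box does not hang the loop
            batch=$(dig +short +time=2 +tries=1 "$h" | a_records)
            seen=$(printf '%s\n%s' "$seen" "$batch")
        done
        i=$((i + 1))
        if [ "$i" -lt "$rounds" ]; then sleep "$pause"; fi
    done
    printf '%s\n' "$seen" | sed '/^$/d' | sort -u
}

# Live run only when dig is installed; raise the rounds/pause for a longer sample.
if command -v dig >/dev/null 2>&1; then
    ips=$(collect_pool_ips 3 3)
    echo "Pool members observed:"
    echo "$ips"
    if ip_seen "$SUSPECT_IP" "$ips"; then
        echo "$SUSPECT_IP was handed out by the pool: expected NTP traffic"
    else
        echo "$SUSPECT_IP not seen in this sample; keep sampling or run ntpq -p"
    fi
fi
```

Run it from the FreeNAS shell over a longer window (e.g. `collect_pool_ips 30 60`) if the address does not show up in a short sample.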