FreeNAS box trying to reach IP in russia

#1

Anyone have this happen?
My main FreeNAS box is reaching out to 85.21.78.91:123 that tracks to Moscow.
There are no plugins/VMs installed on that box. It is running version 11.2
PfBlocker is stopping all of this traffic using GeoIP blocking.
I can’t find any data on malicious traffic for this site.

Is there any legit reason that FreeNAS should be trying to get to this site?

I have another FreeNAS box that is set up as just a destination for replication - no similar traffic

#2

UDP port 123 is used by the network time protocol (NTP) and the simple network time protocol. Check your FreeNAS NTP server list and do a dig lookup to see what A records they point to.
Does not appear to be malicious https://www.shodan.io/host/85.21.78.91


#3

Thanks, Tom - I should have looked up the port - that would have been a great place to start! After a few more years under your tutelage, I’ll get there!

What I have discovered is that the IP addresses reported via dig seem to change every few minutes. I’ve cycled through a few times and never come up with the IP address in question.

I guess FreeBSD.pool.ntp.org could have been pointing at that address at some point

So, to test the theory, I have disabled all of the FreeBSD NTP servers and am using NIST time servers instead.

I reset the pfBlocker logs and will see what happens over the next day or so.
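The check suggested in #2 (compare NTP destinations against what the configured servers resolve to) and the rotation noticed in #3 (pool answers change between lookups), as an added example that is not from any poster. The log lines, hostnames, addresses and the rotating resolver table are constructed for the demo; `dns_resolver` is the live variant for real use.

```python
import re
import socket
from collections import defaultdict

# Constructed, simplified outbound firewall log (not a real pfSense filterlog export).
SAMPLE_LOG = """\
2019-05-01T10:00:01 pass out udp 192.168.1.10:123 -> 85.21.78.91:123
2019-05-01T10:00:05 pass out udp 192.168.1.10:123 -> 192.0.2.7:123
2019-05-01T10:00:09 pass out tcp 192.168.1.10:44120 -> 203.0.113.5:443
2019-05-01T10:15:01 pass out udp 192.168.1.10:123 -> 198.51.100.2:123
"""

LINE_RE = re.compile(r"(?P<proto>udp|tcp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def ntp_destinations(log_text):
    """Destination IPs of outbound UDP/123 flows; other traffic is ignored."""
    dsts = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "udp" and m.group("dport") == "123":
            dsts.add(m.group("dst"))
    return dsts

def resolve_pool(hosts, resolver, rounds=5):
    """Resolve each configured NTP host several times and keep the union:
    pool DNS rotates its answers, so a single lookup misses addresses the
    client may already have used."""
    seen = defaultdict(set)
    for _ in range(rounds):
        for host in hosts:
            seen[host].update(resolver(host))
    return seen

def unexplained(ntp_dsts, pool_addrs):
    """NTP destinations not matching any resolved address of configured servers."""
    known = set().union(*pool_addrs.values()) if pool_addrs else set()
    return sorted(ntp_dsts - known)

def dns_resolver(host):
    """Live resolver for real use (needs network)."""
    return socket.gethostbyname_ex(host)[2]

def make_rotating_resolver(table):
    """Constructed stand-in for pool DNS: each call returns the next answer set."""
    calls = defaultdict(int)
    def resolver(host):
        answers = table.get(host, [[]])
        idx = calls[host] % len(answers)
        calls[host] += 1
        return answers[idx]
    return resolver

# Hypothetical pool hostname with two rotating answer sets, one holding the flagged IP.
FAKE_DNS = {"0.example.pool.ntp.org": [["192.0.2.7", "198.51.100.2"], ["85.21.78.91"]]}
```

With one lookup round the flagged address looks unexplained; with two rounds the rotation is captured and nothing remains to investigate.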

#4

More research - NTP pools apparently sync to servers nearby.
By default, most of my network traffic goes out over PIA VPN - using a server in NJ that for some reason is sometimes associated with an IP in Germany.

No more hits since I switched the default NTP servers to US based ones.

Mystery solved.

Thanks for pointing me in the right direction!
