Dear Community,
on my relay the network light is constantly flickering. So does the light of my fiberglas connection. In my fritzbox no relevant data is seen to be used. Is this normal or should I be concerned about this?
Thx
broncheolus
WDYM by “my relay”? What machine do you have it installed on? Is there nothing else except for the Chatmail relay? And what do you consider “relevant data”?
Anyway, I doubt that there is anything to be concerned with.
You could look into it with tcpdump and tshark if you’re curious.
You can try to run netstat or tcpdump -w file.pcap, then copy the .pcap to your machine and open it with wireshark to see what is going on.
It could be that it is simply incoming packets from the internet, e.g. bots scanning the ports.
Looking at Problem installing chat relay [certificate for shared IPv4 address space] - #3 by broncheolus, you have opened port 22 to the outside internet. Probably better close it and only SSH from your local network if you can. Also make sure to use key authentication on SSH and disable password authentication in /etc/ssh/sshd_config
Otherwise it is constantly flickering because of the bots trying to bruteforce the SSH password.
Chatmail relay itself is not sending anything other than outgoing mails normally.
(post deleted by author)
It’s just a RaspPi for only ChatMail.
I already removed forwarding of port 22 inside of fritzbox and I have already changed config of ssh to prohibit-password. I will check with your commands if I can find out more. Cheers.
1 Like
I’ve done as told and let tcpdump record a short period of net traffic. I must admit I cannot read much out of it due to my incompetence but maybe for someone of you it’s trivial. (hope so) I made a screenshot of what I think looks promising because .pcap is not supported to be uploaded.
Connections to port 443 are likely scrapers fetching the web page.
These are indexers of i.e. Google scanning a web page (that is not there in my case)?
I’m surprised by all those STUN requests repeating, though. Could you please check over a longer interval whether it is happening continuously and whether it’s always these IP addresses? Hopefully someone is not scanning the world jumping through you.
1 Like
Will do so. Will be back
I mean, sure, some of your users will check in from time to time as they use real time P2P within DC, but seeing it repeated every second sounds fishy. At a minimum, it could be a bug in DC/CM
IPs like 45.133.39.112 (Turkey) and 51.68.204.103 (UK, OVH hoster) are likely not your users, looks like some bot IPs. Why they send STUN Binding Request is a question, could be that this is somehow related to you using FritzBox and having an IP-based telephony on the same network. Found something that looks related: https://old.reddit.com/r/AskNetsec/comments/7ubvsp/computer_sending_and_receiving_stun_binding/
Could be that 10.0.0.90 (your raspberry pi IP) is configured in FritzBox somewhere as an IP phone?
These are the IPs I found at the last tcpdump. They were constantly doing the binding request.
57.129.47.100
45.133.39.187
45.133.39.19
My phone at home uses fiber connection. If there’s some kind of IP phone setting for the RP, I don’t know but I will check.
Oh, now I better understand those ICMP port unreachable errors around it. The attackers might be trying to open and forward each of your ports to hack it.
If your security is tight, you shouldn’t worry. However, you may want to look into the fail2ban tool as it was created for just this use case.