<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I manually went through the logs for a 10 minute window around the time mentioned (I assumed that your server is EST. I adjusted 3 hrs for Phoenix.) That’s a lot of logs. All but the audit logs were timestamped. I wasn’t able to figure out the audit log wrt to date/time.<div class=""><br class=""></div><div class="">That said, I didn’t find any unusual activity.</div><div class=""><br class=""></div><div class="">I don’t know why the crosswire server reached out to the xiphos server.</div><div class=""><br class=""></div><div class="">DM<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Feb 18, 2018, at 12:29 PM, DM Smith <<a href="mailto:dmsmith@crosswire.org" class="">dmsmith@crosswire.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Looking. Don’t know enough about networking though…<div class=""><br class=""></div><div class=""><a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> is an alias for <a href="http://www.crosswire.org/" class="">www.crosswire.org</a> and <a href="http://crosswire.org/" class="">crosswire.org</a>. It may have nothing to do with mail.</div><div class=""><br class=""></div><div class="">Personally, I think we always need to be concerned about the possibility of breaches. Thanks for the report.</div><div class=""><br class=""></div><div class="">DM <br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Feb 18, 2018, at 9:09 AM, Karl Kleinpaste <<a href="mailto:karl@kleinpaste.org" class="">karl@kleinpaste.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="content-type" content="text/html; charset=utf-8" class="">
<div bgcolor="#FFFFFF" text="#000000" class="">
<font face="FreeSerif" class="">I'm experimenting with several aspects of my
networking setups, both at home and elsewhere, in particular with
regard to what folks perceive as <a class="moz-txt-link-abbreviated" href="ftp://ftp.xiphos.org/">ftp.xiphos.org</a>. </font><font face="FreeSerif" class=""><font face="FreeSerif" class="">Now and then, </font>I
turn on firewall rejection logging for a few hours or a day, to
see what the next day's reports tell me about attempted attacks
from outside. Imagine my surprise in looking through the system
event log email, and finding:<br class="">
<br class="">
</font><font face="FreeSerif" class=""><font face="FreeSerif" class="">1
<a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> pinkchip LOGGED 9928/tcp<br class="">
1 <a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> pinkchip LOGGED 12712/tcp<br class="">
1 <a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> pinkchip LOGGED 26315/tcp<br class="">
1 <a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> pinkchip LOGGED 59779/tcp</font><br class="">
<br class="">
In logwatch email:<br class="">
</font><br class="">
<font face="FreeSerif" class=""><font face="FreeSerif" class="">From 209.250.6.230 - 4
packets to tcp(9928,12712,26315,59779) <br class="">
</font><br class="">
For some reason, <a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> sent a few utterly random TCP
SYN packets my way around 5am yesterday.<br class="">
<br class="">
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=29712 DF
PROTO=TCP SPT=47138 DPT=9928 WINDOW=14600 RES=0x00 SYN URGP=0 <br class="">
Feb 17 05:21:07 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=25996 DF
PROTO=TCP SPT=55280 DPT=59779 WINDOW=14600 RES=0x00 SYN URGP=0 <br class="">
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=49165 DF
PROTO=TCP SPT=38550 DPT=12712 WINDOW=14600 RES=0x00 SYN URGP=0 <br class="">
Feb 17 05:21:08 pinkchip kernel: IN=wlp2s0 OUT=
MAC=40:25:c2:64:77:e0:82:b2:34:47:92:bf:08:00 SRC=209.250.6.230
DST=10.1.10.201 LEN=60 TOS=0x00 PREC=0x20 TTL=57 ID=31602 DF
PROTO=TCP SPT=50726 DPT=26315 WINDOW=14600 RES=0x00 SYN URGP=0 <br class="">
<br class="">
The choice of ports is peculiar.<br class="">
<br class="">
Do we need to be concerned that <a href="http://mail.crosswire.org/" class="">mail.crosswire.org</a> has been
compromised? Or am I missing something?<br class="">
</font>
</div>
_______________________________________________<br class="">server-admins mailing list<br class=""><a href="mailto:server-admins@crosswire.org" class="">server-admins@crosswire.org</a><br class=""><a href="http://www.crosswire.org/mailman/listinfo/server-admins" class="">http://www.crosswire.org/mailman/listinfo/server-admins</a><br class=""></div></blockquote></div><br class=""></div></div>_______________________________________________<br class="">server-admins mailing list<br class=""><a href="mailto:server-admins@crosswire.org" class="">server-admins@crosswire.org</a><br class="">http://www.crosswire.org/mailman/listinfo/server-admins<br class=""></div></blockquote></div><br class=""></div></body></html>