Outgoing activity blocked, how to further investigate?

Comments

4 comments

  • Firewalla

    The first thing is always tapping into the alarm and seeing the details. There you will see where this IP is at, what protocol it is. Firewalla fires up the alarms based on the site's reputation. For example, one of the most common Linux malware alarms is related to NTP (port 123).

    NTP is a way for Linux (and many other things) to sync time. And due to how the protocol works, it will pool many servers (thousands). And at times, some of the IP addresses from these servers have lower reputation scores. In this case, we just alarm, and you can just block it (or ignore it).

  • Niels Rietkerk

    I don't remember seeing that port. However, even if that's it the questions remain the same: could more detail be given on the reason an IP is on the block list & any suggestions for figuring out where such communication comes from?

    In any case, some examples:

  • Firewalla

    6881 is usually used for BitTorrent... And it is highly likely some of the sites hosting may have a low reputation (or may even be dangerous).

  • Niels Rietkerk

    It was not actively doing anything with BitTorrent at this time, but yes, that sounds plausible for these warnings, as indeed there is a BitTorrent client on it and maybe it communicates even when inactive. I can't check if older warnings were on different ports, though I thought they were. I'll come back if/when I have examples on different ports.

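The open question in the thread is how to find out which program on the host is behind a blocked outbound connection. The script below is an added example and is not code from Firewalla or from either participant; it assumes the alarm details Firewalla says are shown in the alarm (destination IP, port and protocol) and a Linux host on which `ss -tunap` can be run. The `ss` output embedded here is constructed for illustration (documentation IP ranges, made-up PIDs), and the only port hints included are the two discussed above, NTP on 123 and BitTorrent on 6881.

```python
"""Correlate an 'outgoing activity blocked' alarm with the local process that
owns the matching socket, by parsing the output of `ss -tunap` on the host.

Assumption: the alarm gives destination IP, destination port and protocol.
The sample `ss` output below is constructed, not captured from a real host.
"""
import re
from typing import Dict, List

# Service hints for the two ports mentioned in the thread (constructed table).
PORT_HINTS: Dict[int, str] = {
    123: "NTP (time sync; clients talk to many pool servers)",
    6881: "BitTorrent (default peer port)",
}

# Constructed sample of `ss -tunap` output. The Process column is only
# populated for sockets you are allowed to inspect (run as root to see all).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
udp   ESTAB  0      0      192.168.1.20:45712  203.0.113.9:123    users:(("chronyd",pid=612,fd=5))
tcp   ESTAB  0      0      192.168.1.20:51234  198.51.100.77:6881 users:(("qbittorrent",pid=2310,fd=41))
tcp   ESTAB  0      0      192.168.1.20:41000  203.0.113.5:443    users:(("firefox",pid=1877,fd=88))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=401,fd=3))
"""

# One `ss -tunap` row with a numeric peer port and an owning process.
# Listening sockets (peer "*") and rows without a Process column are skipped.
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(output: str) -> List[dict]:
    """Return one dict per connected socket that has a known owning process."""
    rows = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header, listening socket, or no process info
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["rport"] = int(row["rport"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def find_owners(alarm: dict, sockets: List[dict]) -> List[dict]:
    """Sockets whose peer matches the alarm's destination IP, port and protocol."""
    return [
        s for s in sockets
        if s["raddr"] == alarm["dst"]
        and s["rport"] == alarm["port"]
        and s["proto"] == alarm["proto"]
    ]


def triage(alarm: dict, sockets: List[dict]) -> dict:
    """Summarise what is known: a port hint and the process(es) behind the flow."""
    owners = find_owners(alarm, sockets)
    return {
        "hint": PORT_HINTS.get(alarm["port"], "no hint for this port; inspect the process"),
        "processes": sorted({f'{o["proc"]}[pid {o["pid"]}]' for o in owners}),
    }


if __name__ == "__main__":
    # Example: an alarm for UDP to 203.0.113.9:123, as the thread describes for NTP.
    alarm = {"dst": "203.0.113.9", "port": 123, "proto": "udp"}
    print(triage(alarm, parse_ss(SAMPLE_SS)))
```

In practice the socket may already be gone by the time the alarm is read, so run `ss -tunap` (or `watch`) while the alarm is recurring, and treat an empty `processes` list as "connection not currently open" rather than "nothing on this host". A match such as `chronyd` on port 123 fits the NTP explanation given above; an unexpected process on 6881 is worth a closer look at its configuration.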
