I regularly get 'device is accessing malicious site <some IP>' messages for my Ubuntu 20.04.2 LTS box. Obviously Firewalla is just looking at this from the outside, but I can't seem to find traces of this activity on the machine itself.
Now I wonder:
- What's so malicious about this particular activity? It would be really nice if Firewalla could tell why a certain IP is on its block list. This might give a hint as to the source of the call in question.
- I've not been able to catch the outgoing request that's being blocked on the Ubuntu side. I must admit that I have more of a Windows than a Linux background. I found some suggestions on the web to use netstat or tcpdump, but neither has been able to show the communication Firewalla is catching. As such, it's very hard to pinpoint exactly where these outgoing calls are coming from. Any suggestions on how to approach this?
- If I had to guess, I am most suspicious of my NodeRED docker container used for my home automation; some of the devices communicate with their manufacturer's cloud/servers, and NodeRED would be communicating with those as well to work with the devices. However, this would not necessarily be suspicious activity, and blocking it could cause problems in my automation. I'm also not seeing those devices being blocked, but I could imagine that communication running through NodeRED exclusively. I may also simply have made a wrong guess.
Thanks for any help and suggestions!
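One way to attribute an outbound connection to the owning process and, if applicable, its Docker container on the Ubuntu host, as an added example that is not part of the original post; it assumes iproute2's `ss`, Docker's cgroup naming, and a placeholder target IP that you replace with the one Firewalla reported:

```shell
#!/bin/sh
# Added example (not from the original post): map a connection to a
# given IP onto a local PID and, if the PID runs in Docker, its container id.
# Assumptions: iproute2 `ss`, Docker cgroup naming, placeholder target IP.

TARGET_IP="${1:-203.0.113.10}"   # placeholder from the documentation range

# Extract "name:pid" from one `ss -tnp` line such as
#   ESTAB 0 0 192.168.1.20:41234 203.0.113.10:443 users:(("node",pid=1234,fd=23))
ss_owner() {
    printf '%s\n' "$1" | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),.*/\1:\2/p'
}

# Map /proc/<pid>/cgroup content to a Docker container id: cgroup v1 uses
# "/docker/<id>", cgroup v2 uses "docker-<id>.scope". Prints "host" otherwise.
container_of() {
    _id=$(printf '%s\n' "$1" | sed -n 's/.*docker[-/]\([0-9a-f]\{12,64\}\).*/\1/p' | head -n1)
    [ -n "$_id" ] && printf '%s\n' "$_id" || printf 'host\n'
}

# Live use: list established TCP sockets whose peer is TARGET_IP and report
# the owning process and container for each one.
attribute_connections() {
    ss -tnpH 2>/dev/null | grep -F " ${TARGET_IP}:" | while IFS= read -r line; do
        owner=$(ss_owner "$line")
        pid=${owner##*:}
        cg=$(cat "/proc/${pid}/cgroup" 2>/dev/null)
        echo "${TARGET_IP} <- ${owner:-unknown} container=$(container_of "$cg")"
    done
}
```

Run it as root so `ss` can show the owning PID of every socket, not just your own. Because the blocked connections may be very short-lived, run it in a loop while the Firewalla alert recurs rather than once.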