Suspicious Traffic after Installing RockNSM

Hello all. I am extremely new to RockNSM, and have just completed my first build. I have some questions that, I’m hoping, you all can answer for me.

After installing RockNSM, my firewall started showing a lot of suspicious activity trying to leave my outside interface. The source of this traffic is my RockNSM server, which is why I’m so concerned about this. There are a lot of policy denies, based on a dynamic block policy I have configured at the FW. The denies are primarily to this IP address: 23.92.92.94. Among the suspicious IPs that are being forwarded from my gateway is 85.220.190.246. There are also five or ten IP addresses talking out on port 123, as well. I can provide more details, if needed.

I am shutting down my server for now, until someone that knows a lot more about RockNSM than I do can hopefully shine some light on this activity. Thank you!

The 23.92.92.94 is most likely the yum cache reaching out to a mirror. That IP is a known EPEL mirror. The port 123 traffic is NTP. You can turn those things off, or point them to only use sources of your choosing so you’re not left with “mystery traffic”. I’d definitely caution you not to turn off NTP, but you could use a set endpoint, like the USNO NTP servers.
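One way to act on this advice, added here as an example (not RockNSM or el_jeve's code): pin each service the sensor is allowed to use to chosen endpoints, then sort outbound firewall denies into expected, unpinned (a known service such as NTP reaching a pool server you did not choose) and unknown. The log format, the 192.0.2.x/203.0.113.x addresses and the allowlist contents are constructed assumptions.

```python
"""Triage outbound firewall denies from a sensor host against an
allowlist of pinned endpoints. Added example; log format and the
allowlist below are constructed, not RockNSM configuration."""
import re
from collections import defaultdict

# Constructed sample of firewall deny lines from a sensor host.
DENY_LOG = """\
DENY src=10.0.0.5 dst=23.92.92.94 proto=tcp dport=443
DENY src=10.0.0.5 dst=85.220.190.246 proto=udp dport=123
DENY src=10.0.0.5 dst=192.0.2.10 proto=udp dport=123
DENY src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=8443
"""

# Services the sensor is expected to use, each pinned to endpoints you chose.
# Values are assumptions; replace with your own NTP server and yum mirror.
EXPECTED = {
    ("udp", 123): {"192.0.2.10"},    # the NTP server of choice (constructed)
    ("tcp", 443): {"23.92.92.94"},   # the EPEL mirror named in the thread
}

LINE_RE = re.compile(r"dst=(\S+) proto=(\w+) dport=(\d+)")

def triage(log: str) -> dict:
    """Return {category: [(dst, proto, port), ...]} for each deny line.
    'expected': pinned endpoint; 'unpinned': known service, endpoint not
    chosen by you (e.g. pool NTP); 'unknown': port not in the allowlist."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not deny records
        dst, proto, port = m.group(1), m.group(2), int(m.group(3))
        key = (proto, port)
        if key in EXPECTED and dst in EXPECTED[key]:
            out["expected"].append((dst, proto, port))
        elif key in EXPECTED:
            out["unpinned"].append((dst, proto, port))
        else:
            out["unknown"].append((dst, proto, port))
    return dict(out)

if __name__ == "__main__":
    for category, hits in triage(DENY_LOG).items():
        print(category, hits)
```

Once NTP is pointed at a fixed server and the package mirror is pinned, anything left in the unpinned or unknown buckets is what actually deserves a look.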

Thank you el_jeve. The 23.92.92.94 IP makes sense. I’ll have to look at my dynamic block lists, and see if the list is old, and no longer being updated. Might be the case. As far as the NTP part, I was mostly concerned about why the server was trying to hit so many different NTP servers. I’ll look into those, as well. I’ll get it set to my NTP servers of choice.

I have one last question, and that is specifically, why is RockNSM trying to talk to 85.220.190.246? My quick search last night indicated that it’s a known bad actor. Again, it was a quick search, as I was ready to go to bed, and I’ve flat not had time to look today. So I’ll look around some more, as well.

I really appreciate your response. Everything you said makes logical sense, and I feel better about things now.

What port and protocol for 85.220.190.246?

What does ss -ltp tell you?

Andy,
Please disregard. Thank you for your response, but after looking into it again (while actually awake) I realized that it was just another NTP connection. I had looked at it in the firewall, and confused that entry with another one on port 443. I don’t understand why there are so many different NTP requests, especially the ones pointing all over the world, but that’s all it was.

Thank you all for your assistance. I really do appreciate the quick responses, and the complete lack of “gtfo newb” comments. Have a great day, all.