My router has started flagging my FlightAware RPi as periodically reaching out to a potential malware site with IP address 103.52.52.23. A reverse lookup came back to ns1.ficustelecom.com. I can't see any reason for FA to reach out to that company or its name server, so I wanted to see if this is expected or if there is an issue. The router blocks access, so if this is something FA relies on I'll have to make an exception.
Note: My FA has been running for years. I’m currently on 3.7.1 (SD card). My router uses data from Google and Threat Intelligence to flag sites.
Not sure precisely what you mean. The outbound request from FA is blocked by the router so there can be no response. If that server tried to contact my network it would simply be dropped.
I should mention I updated my router software a couple of days ago so FA might have been doing this for some time if the update is catching something it used to miss.
Quite unfortunately the router doesn't report that. It runs two packages. One triggers based on packet inspection and matches signatures from sites like CINS. That will provide details on source and destination ports and packet contents. The other package takes actions based on IPs (so it is lightweight, since it doesn't have to do packet inspection). The latter is what is flagging this site. The packet inspector has not flagged this in the past - which could mean there is no threat signature for it, or that it has just started happening.
If it isn't breaking FA I'm happy to just leave it as a blocked site and see what happens. If it is for NTP, I imagine Debian is configured to fall back to other sources, so it will keep the time current.
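One way to settle whether the Pi's NTP client or the FlightAware software owns the connection is to look at the socket table on the Pi itself (`ss -tunp`). The helper below is an added example, not code from the thread or from FlightAware: it parses `ss` output and groups any sockets to a flagged IP by owning process, so the router's IP-only alert can be tied to a program on the Pi. The socket lines are constructed sample data, not a capture from the poster's device.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -tunp` output (columns: Netid State Recv-Q Send-Q
# Local Peer Process). The 203.0.113.10 peer is a documentation placeholder.
SAMPLE_SS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB 0      0      192.168.1.50:53424 203.0.113.10:443  users:(("piaware",pid=612,fd=9))
udp   ESTAB 0      0      192.168.1.50:123   103.52.52.23:123  users:(("ntpd",pid=401,fd=20))
tcp   ESTAB 0      0      192.168.1.50:53425 203.0.113.10:443  users:(("piaware",pid=612,fd=10))
"""

# Extracts ("name", pid) pairs from ss's users:(("name",pid=N,fd=M),...) field.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Well-known ports the triage result is annotated with (assumed hints, not from ss).
PORT_HINTS = {123: "ntp", 22: "ssh", 443: "https", 53: "dns"}


def parse_ss(text):
    """Return (proto, peer_ip, peer_port, [(proc_name, pid), ...]) per socket line."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        peer_ip, _, peer_port = fields[5].rpartition(":")  # rpartition also handles [v6]:port
        procs = PROC_RE.findall(fields[6]) if len(fields) > 6 else []
        rows.append((fields[0], peer_ip, int(peer_port), [(n, int(p)) for n, p in procs]))
    return rows


def sockets_to(rows, flagged_ips):
    """Group sockets whose peer is in flagged_ips by the process that owns them."""
    hits = defaultdict(list)
    for proto, ip, port, procs in rows:
        if ip not in flagged_ips:
            continue
        for name, pid in procs or [("<unknown>", 0)]:  # no process means no -p or not root
            hits[name].append((proto, ip, port, PORT_HINTS.get(port, "?"), pid))
    return dict(hits)


if __name__ == "__main__":
    for proc, socks in sockets_to(parse_ss(SAMPLE_SS), {"103.52.52.23"}).items():
        print(proc, socks)
```

Run `ss -tunp` as root on the Pi and feed the real output to `parse_ss` in place of the sample; an empty result means the connection was not open at that moment and the alert is worth re-checking when the router next fires.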
FWIW, I found a database of threats which added this IP in February. Apparently it is the (apparent?) source of some SSH brute force attacks quite recently. Some details here. No threat to me, but this may be why the router has started blocking it.