My Pi Zero with the 3.7.1 piaware image installed was caught by my router for an attempt to connect to a blacklisted IP address, located in India. The blacklist says the IP is blocked due to attacks on SSH, but I have no details on exactly what the pi tried to do and what was blocked. All I know is that a connection attempt to this IP number was prevented.
How do I go about finding out more what my pi is doing and if this indeed is malicious?
(I am not experienced with Linux but know my way around Solaris, so tips and suggestions don't need to be on a beginner's level.)
Take it up with FR24 support. Most likely they will do nothing.
Connecting to the localized pools instead of just using the default pools, which will give you ntp servers close to you, is stupid.
It’s also against the pool policy.
Anyway enough ranting.
It fools the computer into thinking those domains are the computer itself.
So it just talks to the locally running ntp you installed above.
(which you can configure and by default will connect to local servers / debian pool servers)
Although I am not aware of my fr24 RPI going off to blacklisted ntp servers, I updated /etc/hosts with your suggested fix to "short circuit" the fr24 hard-coded ntp server list. I used the fr24 log file /var/log/fr24feed/fr24feed.log to see the time delta between the lines "Synchronizing time via NTP" and "Time synchronized correctly…". Before the update to /etc/hosts, the delta was large and variable. Afterwards, the delta is about 0 seconds.
Pre update: (“Time synchronized…” truncated for clarity)
2019-08-28 15:37:18 | [time][i]Synchronizing time via NTP
2019-08-28 15:37:34 | [time][i]Time synchronized correctly,
2019-08-28 15:47:34 | [time][i]Synchronizing time via NTP
2019-08-28 15:47:41 | [time][i]Time synchronized correctly,
2019-08-28 15:57:41 | [time][i]Synchronizing time via NTP
2019-08-28 15:58:07 | [time][i]Time synchronized correctly,
2019-08-28 16:08:07 | [time][i]Synchronizing time via NTP
2019-08-28 16:08:34 | [time][i]Time synchronized correctly,
2019-08-28 16:18:34 | [time][i]Synchronizing time via NTP
2019-08-28 16:19:16 | [time][i]Time synchronized correctly,
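The measurement described in the post above (time between "Synchronizing time via NTP" and "Time synchronized correctly" in fr24feed.log) can be scripted rather than read off by hand. The following is an added example, not code from the original post or from the fr24feed project; it embeds the pre-update log lines quoted above as a constructed sample, assumes the log line format shown there, and the 5-second threshold for flagging a slow sync is an arbitrary choice.

```python
import re
import sys
from datetime import datetime

# Constructed sample: the pre-update lines quoted in the post above
# (the "Time synchronized correctly," lines are truncated there as well).
SAMPLE_LOG = """\
2019-08-28 15:37:18 | [time][i]Synchronizing time via NTP
2019-08-28 15:37:34 | [time][i]Time synchronized correctly,
2019-08-28 15:47:34 | [time][i]Synchronizing time via NTP
2019-08-28 15:47:41 | [time][i]Time synchronized correctly,
2019-08-28 15:57:41 | [time][i]Synchronizing time via NTP
2019-08-28 15:58:07 | [time][i]Time synchronized correctly,
2019-08-28 16:08:07 | [time][i]Synchronizing time via NTP
2019-08-28 16:08:34 | [time][i]Time synchronized correctly,
2019-08-28 16:18:34 | [time][i]Synchronizing time via NTP
2019-08-28 16:19:16 | [time][i]Time synchronized correctly,
"""

# Assumed line format: "<YYYY-MM-DD HH:MM:SS> | [time][i]<message>"; other
# fr24feed lines (different tags) simply do not match and are skipped.
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| \[time\]\[i\](.*)$')
TS_FMT = '%Y-%m-%d %H:%M:%S'


def ntp_sync_deltas(log_text):
    """Pair each 'Synchronizing time via NTP' line with the next
    'Time synchronized correctly' line and return a list of
    (start timestamp string, seconds elapsed) tuples.

    A start line without a matching completion (e.g. the last attempt when
    the log ends mid-sync) is dropped rather than paired with a later one.
    """
    deltas = []
    pending = None  # (timestamp string, datetime) of the open sync attempt
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_str, msg = m.group(1), m.group(2)
        ts = datetime.strptime(ts_str, TS_FMT)
        if msg.startswith('Synchronizing time via NTP'):
            pending = (ts_str, ts)
        elif msg.startswith('Time synchronized correctly') and pending is not None:
            deltas.append((pending[0], (ts - pending[1]).total_seconds()))
            pending = None
    return deltas


def slow_syncs(log_text, threshold_seconds=5):
    """Return only the sync attempts that took longer than the threshold.
    On a feeder that talks to a local ntpd via /etc/hosts this list should
    be empty; a populated list means the feeder is still waiting on
    remote NTP servers."""
    return [(t, d) for t, d in ntp_sync_deltas(log_text) if d > threshold_seconds]


if __name__ == '__main__':
    # Usage: python ntp_deltas.py /var/log/fr24feed/fr24feed.log
    # With no argument the constructed sample above is analysed instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for start, secs in ntp_sync_deltas(text):
        print('%s  sync took %5.1f s' % (start, secs))
    print('slow syncs (>5 s): %d' % len(slow_syncs(text)))
```

Run against the real log the script prints one line per sync attempt; comparing the output from before and after the /etc/hosts change gives the same before/after picture the post describes, without reading timestamps by hand.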
Well, ringing alarm bells on any and all traffic to certain IPs is kind of ridiculous anyway.
Typical snake oil product, not even providing details like port and protocol.
Information is only useful to give people the feeling “they are protected” so they’ll buy the snake oil again.
If some malicious software were already trying to connect from your RPi to the blacklisted server, you'd already be compromised.
I suppose it’s nice to know that you have a device on the network which might be compromised, but the reliability of that detection is highly suspect.