Messages - Dizzy Reprobate

#1
Quote from: meyergru on March 10, 2025, 02:51:27 PM
I would not be too concerned about it. The domain quickdrivingtestcancellations.net is not registered currently. There is only a reverse DNS entry still pointing to it from the IP.

Maybe the IP was transferred with a rack-mounted server to the new owner. The company owning the IP ("Single Mode Networks Ltd") is a hoster with somewhat bad reputation, whereas the domain leontp.com belongs to a company Uputronics making NTP clocks.


Ahhh, insightful and educational response. Thank you. My biggest concern at the time was the volume of requests which were going to that NTP server. Almost every minute, or multiple per minute.
#2
Quote from: Greg_E on March 10, 2025, 02:25:51 PM
What device is requesting that server? I would certainly regard that as suspicious if I hadn't set a device to use that server.

It's the NTP service on the firewall itself making these connections. It was set to use "0.opnsense.pool.ntp.org" and the "dubious" domain/address is part of that pool.
#3
The domain is unusual: "quickdrivingtestcancellations". Why would a driving test cancellation service volunteer as an NTP server? Maybe they've errantly become an NTP server and got added into the pool?
#4
I had NTP set to prefer 0.opnsense.pool.ntp.org

Noticed in firewall live log repeated hits to 85.199.214.99:123 - server1.quickdrivingtestcancellations.net:123 (NTP)

I have low confidence in this domain/IP.

Have set to not prefer any *.opnsense.pool.ntp.org and instead added Cloudflare's NTP server.

Not sure of the exact nature of the suspicions, but on various threat intel the IP and domain are arousing suspicion.
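Posts #2 and #4 above come down to one question: is the address in the live log something ntpd picked up from the pool, or something nobody configured? The quickest way to answer that on the firewall itself is to look at ntpd's own association table (`ntpq -pn`) rather than the firewall log. The script below is an added example for this thread, not code from the original posts or from OPNsense: it parses `ntpq -pn` output, tags each association with its selection status, and splits the unicast peers into ones you configured by hand, ones attributable to a pool placeholder, and ones with no explanation. The sample output embedded in it is constructed; 85.199.214.99 is the address from the post, the other addresses, refids and timings are placeholders, and the configured-server set passed to `audit()` is an assumption for the demonstration.

```python
"""Audit which servers the firewall's own ntpd is actually polling.

Added example for this forum thread, not code from the posts or from
OPNsense. It reads the association table printed by `ntpq -pn` and
compares every unicast peer with the servers configured by hand, so an
address seen in the firewall live log can be traced to a pool
association (or flagged as unexpected when no pool is configured).
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of `ntpq -pn` output (not captured from a real host).
# The first association is the placeholder ntpd keeps for a
# "pool 0.opnsense.pool.ntp.org" directive; the unicast peers below it are
# what the pool resolved to, plus one server configured directly.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.opnsense.pool .POOL.          16 p    -   64    0    0.000    0.000   0.000
*162.159.200.1   10.0.0.1         3 u   33   64  377    9.102   -0.311   0.512
+85.199.214.99   .GPS.            1 u   40   64  377   12.430    0.207   0.388
-203.0.113.7     203.0.113.1      2 u   12   64  177   30.119    1.904   2.001
"""

# Meaning of the tally character in column 1 of `ntpq -p` output.
TALLY = {
    "*": "selected",     # current system peer
    "+": "candidate",    # survived selection, used for combining
    "-": "outlier",      # discarded by the clustering algorithm
    "x": "falseticker",  # failed the intersection algorithm
    ".": "excess",       # more survivors than ntpd needs
    "#": "excess",
    " ": "rejected",     # unreachable, or not yet used
}


@dataclass
class Peer:
    remote: str
    refid: str
    stratum: int
    kind: str    # u = unicast, p = pool placeholder, l = local, b = broadcast
    reach: int   # 8-bit reachability shift register, printed in octal by ntpq
    tally: str


def parse_ntpq(text: str) -> list[Peer]:
    """Parse the association table printed by `ntpq -pn`."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue  # blank, header or separator line
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            raise ValueError(f"unexpected ntpq line: {line!r}")
        remote, refid, stratum, kind, _when, _poll, reach = fields[:7]
        peers.append(Peer(remote, refid, int(stratum), kind,
                          int(reach, 8), TALLY.get(tally, "unknown")))
    return peers


def reachable(p: Peer) -> bool:
    """True if the most recent poll of this peer got a reply (low bit of reach)."""
    return bool(p.reach & 1)


def audit(peers: list[Peer], configured: set[str]) -> dict[str, list[Peer]]:
    """Split unicast associations into configured, pool-sourced and unexpected.

    ntpq does not record which pool an address came from, so an address not
    in `configured` is attributed to the pool whenever a pool placeholder
    exists; with no pool placeholder it is something to investigate.
    """
    have_pool = any(p.kind == "p" for p in peers)
    report: dict[str, list[Peer]] = {"configured": [], "from_pool": [], "unexpected": []}
    for p in peers:
        if p.kind == "p":
            continue
        if p.remote in configured:
            report["configured"].append(p)
        elif have_pool:
            report["from_pool"].append(p)
        else:
            report["unexpected"].append(p)
    return report


def live_ntpq() -> str:
    """Query the local ntpd; no root needed, only the ntpq binary."""
    return subprocess.run(["ntpq", "-pn"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Assumed hand-configured server list for the demonstration.
    report = audit(parse_ntpq(SAMPLE_NTPQ), configured={"162.159.200.1"})
    for bucket, plist in report.items():
        for p in plist:
            print(f"{bucket:<10} {p.remote:<16} stratum {p.stratum} {p.tally:<11} "
                  f"reach {p.reach:08b} {'ok' if reachable(p) else 'NO REPLY'}")
```

On the firewall, replace `SAMPLE_NTPQ` with `live_ntpq()` and put the servers from System > Settings > General into the `configured` set; anything that lands in `unexpected` is worth the same reverse DNS and threat-intel look the post describes, while `from_pool` entries will churn as the pool rotates.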
#5
25.1, 25.4 Production Series / Re: netmap_transmit error
February 24, 2025, 11:23:24 AM
Quote from: awptechnologies on February 24, 2025, 01:29:19 AM
Are you using hyperscan in intrusion detection?

Also are these packets bypassing intrusion detection when buffer is full? what is the actual reason they are happening? Slow hardware? Bad Settings?

I started to experience this on the latest update, or at least it's noticeably worse, causing my LAN interface to hang.

My hardware:
CPU: (4 cores, 1.50GHz)
RAM: 16GB (16947675136 bytes)
Cores: 4 (no Hyper-Threading)
NICs: Realtek Gigabit (re0 for WAN, re1 for LAN)
Current CPU Frequency: 1500MHz
Available Free Memory Pages: 2,356,511

I've tried these tweaks, incrementally increasing them and rebooting to test. Any high load with IPS/IDS enabled, whether with Hyperscan, Aho-Corasick or Aho-Corasick Ken Steele, results in the LAN interface hanging.


THEN!!! I realised because I'm a dumb***.... when I re-imaged my FW, I forgot to reinstall the Realtek driver plugin :D

Not sure if OP might be having same/similar issue with missing NIC plugin?
#6
General Discussion / Re: Logging question
February 23, 2025, 08:17:03 PM
/var/log/system/*
/var/log/system/latest.log
#7
25.1, 25.4 Production Series / Re: netmap_transmit error
February 23, 2025, 08:05:00 PM
Having same issue.

I tried these, seems less frequent but not resolved.

Original values
dev.netmap.buf_num: 163840
dev.netmap.ring_num: 200
dev.netmap.buf_size: 2048

New Values
sysctl dev.netmap.buf_num=200000
sysctl dev.netmap.ring_num=256
sysctl dev.netmap.buf_size=4096