I work in a place with a big legacy IPv4 network that doesn't use NAT, which has its perks. Recently, I noticed some weird traffic on one of our servers from IPs that aren't part of our network, and UFW is blocking them from SSH access. A while back, I opened a ticket with our network team, who told me the firewall rules seemed fine and they'd investigate. Fast forward several months and I checked again because the traffic is back. I tried adding my home IP to the server's firewall to see if I could SSH into it, but nothing happened—no response at all. I did a packet capture and it looks like my home IP isn't even reaching the server, while these strange IPs (which seem like they could be from bots) are getting through. I asked the network team if this is part of a penetration test, but they said they'd only do that when scheduled. I plan to follow up with them more firmly about this if it keeps happening. I'm just curious—how can this be happening? Any ideas on how I can recreate this issue to show them the problem?
3 Answers
Interesting! It sounds like your workplace has some unique networking challenges. One possibility is that there might be a misconfiguration on the VPN client side that’s impacting your connection. In my previous job, we had a Class B /16 setup too, and those can get complex. It’s great that you have visibility, though — if those shifty IPs are hitting your server, it could indicate a vulnerability, so I'd be proactive about this. Have you talked to the networks team again?
I checked out those IPs, and wow, one’s from Sydney and the other from Brussels! Good to know UFW is doing its job blocking those connections. But you're right; if they can reach your server, they might find a vulnerability eventually. In my opinion, blocking access from outside your country (unless necessary for business) could be a solid move. Remind your networking team—the more you push for security now, the better it’ll be long-term!
It might be worth looking into where those IPs are coming from, especially if you work in a university setting that may route those addresses. You might try to replicate the access from a different network, like eduroam, to see if the same issue happens. Just ensure you document everything so you have evidence when talking to the network team.
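Since the third answer's advice is to document the evidence before going back to the network team, here is an added example (not code from the question or any of the answers) that turns the host's own UFW log into that evidence. It parses the `[UFW BLOCK]`/`[UFW ALLOW]` lines UFW writes to the kernel log, counts blocked SSH attempts per source, flags sources outside the site's allocation, and checks whether a chosen probe address (your home IP) ever reached the host at all. The organisation prefix (`203.0.113.0/24`) and the log lines are constructed placeholders using RFC 5737 documentation addresses; substitute your real /16 and `/var/log/ufw.log`.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the layout UFW writes to syslog/kern.log.
# All addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:12 srv1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:15 srv1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:40 srv1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:01 srv1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.200 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:05 srv1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Placeholder for the site's own allocation; the question describes a /16.
ORG_NET = "203.0.113.0/24"

# Pull the action, endpoints, protocol and (if present) destination port.
# DPT is optional because ICMP entries carry no port.
UFW_RE = re.compile(
    r"\[UFW (?P<action>[A-Z]+)\].*?"
    r"SRC=(?P<src>[0-9a-fA-F.:]+) DST=(?P<dst>[0-9a-fA-F.:]+).*?"
    r"PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_ufw_line(line):
    """Return a dict for a UFW log line, or None if the line is not one."""
    m = UFW_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def summarize(log_text, org_net=ORG_NET, probe_ip="192.0.2.10", port=22):
    """Count blocked hits on `port` per source, list sources outside
    `org_net`, and report whether `probe_ip` appeared in the log at all."""
    org = ip_network(org_net)
    probe = ip_address(probe_ip)
    blocked = Counter()
    external = set()
    probe_seen = False
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None:
            continue
        src = ip_address(ev["src"])
        if src == probe:
            probe_seen = True  # the host saw the probe, even if it was blocked
        if ev["action"] == "BLOCK" and ev["dpt"] == port:
            blocked[ev["src"]] += 1
            if src not in org:
                external.add(ev["src"])
    return {
        "blocked_ssh_by_source": dict(blocked),
        "external_sources": sorted(external),
        "probe_ip_seen": probe_seen,
    }


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/ufw.log").read() on a real host.
    report = summarize(SAMPLE_LOG, probe_ip="192.0.2.10")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once with `probe_ip` set to your home address while you attempt the SSH connection. If the external bot sources show up under `blocked_ssh_by_source` but `probe_ip_seen` stays `False`, the host never received your packets, so whatever is dropping them sits upstream of the server, which is exactly the point to put in front of the network team. Adding the output of `ss -tn state syn-recv` or the packet capture from the question alongside this summary gives them both the host-side and wire-side view.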