  1. #1
    Untanglit
    Join Date
    Feb 2021
    Posts
    24

    NTP Malware and Suspicious??

    I am having trouble with pfSense behind Untangle getting its NTP.
    One of the problems is that pool.ntp.org apparently has some malware, according to Untangle??
    172.20.0.2 123 199.233.236.226 123
    [screenshot attachment: ntpmalware.png]

    Then all other requests are similar, but just labelled as suspicious? This is just the built-in pfSense NTP client; why is it flagging??
    2021-03-24 01:42:15 pm UDP [17] 172.20.0.2 123 50.205.244.110 123
    2021-03-24 01:41:27 pm UDP [17] 172.20.0.2 123 66.151.147.38 123
    2021-03-24 01:40:23 pm UDP [17] 172.20.0.2 123 98.191.213.12 123
    [screenshot attachment: ntpsus.png]

    Also worth noting: some of the sessions are getting flagged as low risk, moderate, or trustworthy and are not blocked. Yet pfSense is only getting these different IPs from the DNS of pool.ntp.org.

  2. #2
    Untangler
    Join Date
    Mar 2018
    Location
    Toronto, Ontario
    Posts
    53


    Short answer: ignore it, or add some rules so it does not flag.

    Long answer: I used to have Threat Prevention, and it is not available anymore since I only have the basic Home license. Anyway, if I remember it right, some NTP servers in the .edu domain could host multiple services. I found out that one NTP pool server is hosting NTP and acting as a Tor exit node at the same time.

    Hope this helps.

  3. #3
    Untanglit
    Join Date
    Feb 2021
    Posts
    24


    That makes sense.
    I manually changed all my network NTP clients over to NIST NTP IPs and added bypass rules for those specific IPs; it works well enough.

    Did not know about the Tor exit node stuff; it makes sense that Untangle would flag the IPs.
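    A triage helper for the session lines quoted in post #1, added here for this thread and not part of Untangle or pfSense: it parses the quoted session format, recognises pfSense's own ntpd queries (UDP, port 123 to port 123, from the firewall address), and labels each one against the fixed set of servers ntpd was pinned to, as post #3 did, so bypass-rule candidates are separated from leftover pool-rotation hits. The pinned address 192.0.2.10 and the two extra sample lines are constructed.

```python
import re
from collections import namedtuple
from datetime import datetime

# Shape of the session lines quoted in post #1:
#   "2021-03-24 01:42:15 pm UDP [17] 172.20.0.2 123 50.205.244.110 123"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [ap]m) (?P<proto>\w+) \[\d+\] "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)
Session = namedtuple("Session", "ts proto src sport dst dport")

def parse_session(line):
    """Parse one session line; raise ValueError on anything of another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised session line: {line!r}")
    return Session(datetime.strptime(m["ts"], "%Y-%m-%d %I:%M:%S %p"), m["proto"].upper(),
                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def is_ntp_client_query(s, firewall_ip):
    """pfSense's ntpd sends UDP from port 123 to port 123, as the quoted lines show."""
    return s.proto == "UDP" and s.src == firewall_ip and s.sport == 123 == s.dport

def triage(lines, firewall_ip, pinned_servers):
    """Label each session: "bypass" (query to a pinned server, safe to exempt from
    Threat Prevention), "rotating" (NTP-shaped but to an unpinned address, so the
    client still follows pool DNS and hits will recur) or "review" (not ntpd at all)."""
    pinned = set(pinned_servers)
    result = []
    for s in map(parse_session, lines):
        if not is_ntp_client_query(s, firewall_ip):
            result.append((s, "review"))
        else:
            result.append((s, "bypass" if s.dst in pinned else "rotating"))
    return result

# Constructed sample: the three "suspicious" lines from the thread, the "malware" pair
# rebuilt in the same shape, a query to a made-up pinned server (192.0.2.10 is a
# TEST-NET placeholder, not a real time server) and one unrelated session.
SAMPLE_LINES = [
    "2021-03-24 01:42:15 pm UDP [17] 172.20.0.2 123 50.205.244.110 123",
    "2021-03-24 01:41:27 pm UDP [17] 172.20.0.2 123 66.151.147.38 123",
    "2021-03-24 01:40:23 pm UDP [17] 172.20.0.2 123 98.191.213.12 123",
    "2021-03-24 01:39:02 pm UDP [17] 172.20.0.2 123 199.233.236.226 123",
    "2021-03-24 01:45:00 pm UDP [17] 172.20.0.2 123 192.0.2.10 123",
    "2021-03-24 01:46:10 pm TCP [6] 172.20.0.50 51234 192.0.2.10 443",
]
PINNED = ["192.0.2.10"]
VERDICTS = [(s.dst, v) for s, v in triage(SAMPLE_LINES, "172.20.0.2", PINNED)]
```

    Every "rotating" hit means the client is still resolving the pool name; once ntpd is pointed at fixed servers only "bypass" rows should remain.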

  4. #4
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,691


    With modern-day CDN usage, multiple services can be using the same external IP. This makes IP reputation likely to have false positives. Services like Threat Prevention and IPS are definitely not hands-free protection.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,366


    Try BlueChris's post at https://forums.untangle.com/threat-p...r-country.html . No more false positives on my boxes.
    The world is divided into 10 kinds of people, who know binary and those not

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,163


    Threat Prevention in a home environment is a bad idea for me... so people aren't missing much.

    The module does two things consistently here.

    1.) Blocks Firefox from doing DoH, because the stupid thing (Firefox) refuses to behave as configured. (This is good.)
    2.) Blocks random people from connecting to any of the game servers that are run here, at random intervals.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Master Untangler
    Join Date
    Mar 2017
    Posts
    189


    Quote Originally Posted by sky-knight:
    Threat Prevention in a home environment is a bad idea for me... so people aren't missing much.
    There are some other niche scenarios where it can be useful:

    3.) If you're using Plex with Sonos you must have a port forward from the Internet; as *.plex.tv is difficult to manage with static pass/block rules, we can use Firewall|Application Control with Threat Prevention conditions to filter inbound connections to the internal Plex server (thinking about it, this would be a good usage for all those Chinese IoT gizmos, too).

    If anyone is wondering in what rack we should put those apps: I discovered by accident, when I started to use Untangle, that port-forwarded traffic to internal servers that have a proper username (and thus may be in proper racks for outbound traffic) can be controlled in unauthenticated racks; e.g. in my Policy Manager rules I have one that puts all such traffic in a rack where the condition is:

    [screenshot attachment: Schermata 2021-03-26 alle 02.22.00.png]

    then in that Inbound rack I will use the Firewall App with one Plex rule:

    [screenshot attachment: Schermata 2021-03-26 alle 02.18.58.png]

    In such a rule the TP condition is used against the Client Address, as the home Plex server is the server in this case. It works like a charm, because with Plex we cannot use more stringent rules, as the client using our port forward is not really under our control. It might work for those temporary public servers we're sometimes setting up.
    Last edited by docfuz; 03-25-2021 at 06:27 PM.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.

  8. #8
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,163


    I tried that for my Plex; I recently had reason to want to use it from outside the house... stuck in a hospital.

    Anyway, until I bypassed it I couldn't stream, because the hospital's Wi-Fi IP was "high risk".
