This message is flooding my syslog, how to find where it comes from?
When I run dmesg this comes up every second or so:
[22661.447946] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=35.162.106.154 DST=104.248.41.4 LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=52549 DF PROTO=TCP SPT=25 DPT=50616 WINDOW=0 RES=0x00 RST URGP=0
How can I trace what is causing this message?
networking
edited 11 hours ago by Eliah Kagan
asked 11 hours ago by peterretief
2 Answers
The message stems from UFW, the "uncomplicated firewall", and it tells you that someone
- from SRC=35.162.106.154
- tried to connect to your host at DST=104.248.41.4
- via TCP
- from his port SPT=25
- to your port DPT=50616
- and that UFW successfully has BLOCKed that attempt.
According to this site the source address 35.162.106.154 is some Amazon machine (probably an AWS).
According to this site the port 50616 may be used for Xsan Filesystem Access.
So it's an attempt from IP=35.162.106.154 to access your files. Quite normal and nothing to be really worried about because that's what firewalls are for: rejecting such attempts.
edited 11 hours ago
answered 11 hours ago by PerlDuck
It seems the attempted connection is from an Amazon account; port 25 is a mail port. Should I report this or just ignore it? Spamming my logs
– peterretief, 11 hours ago
@peterretief you can block it at your router; then you won't see it. But it might be wise to report this to your ISP.
– Rinzwind, 11 hours ago
The existing answer is correct in its technical analysis of the firewall log entry, but it's missing one point that makes the conclusion incorrect. The packet
- Is a RST (reset) packet
- from SRC=35.162.106.154
- to your host at DST=104.248.41.4
- via TCP
- from his port SPT=25
- to your port DPT=50616
- and has been BLOCKed by UFW.
Port 25 (the source port) is commonly used for email. Port 50616 is in the ephemeral port range, meaning there's no consistent user for this port. A TCP "reset" packet can be sent in response to a number of unexpected situations, such as data arriving after a connection has been closed, or data being sent without first establishing a connection.
35.162.106.154 reverse-resolves to cxr.mx.a.cloudfilter.net, a domain used by the CloudMark email filtering service.
Your computer, or someone pretending to be your computer, is sending data to one of CloudMark's servers. The data is arriving unexpectedly, and the server is responding with a RST to ask the sending computer to stop. Given that the firewall is dropping the RST rather than passing it through to some application, the data that's causing the RST to be sent isn't coming from your computer. Instead, you're probably seeing backscatter from a denial-of-service attack, where the attacker is sending out floods of packets with forged "from" addresses in an attempt to knock CloudMark's mail servers offline (perhaps to make spamming more effective).
answered 2 hours ago by Mark
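To tell entries like this RST apart from genuine inbound connection attempts across a whole log, the following sketch parses UFW lines and labels each one by its TCP flags and port roles. It is an added example, not part of either answer; the label names, the port heuristic (Linux's default ephemeral range) and the second and third sample lines are assumptions constructed here.

```python
import re
from collections import Counter

# Linux default net.ipv4.ip_local_port_range (assumption; check your host's sysctl).
EPHEMERAL = range(32768, 61000)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]\s+(?P<body>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Line 1 is the entry from the question. Lines 2-3 are constructed for contrast
# and use documentation addresses (RFC 5737) and a made-up MAC.
SAMPLE_LOG = """\
[22661.447946] [UFW BLOCK] IN=eth0 OUT= MAC=ee:54:32:37:94:5f:f0:4b:3a:4f:80:30:08:00 SRC=35.162.106.154 DST=104.248.41.4 LEN=40 TOS=0x00 PREC=0x00 TTL=37 ID=52549 DF PROTO=TCP SPT=25 DPT=50616 WINDOW=0 RES=0x00 RST URGP=0
[22662.100000] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=198.51.100.7 DST=104.248.41.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1111 DF PROTO=TCP SPT=41822 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[22663.200000] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=203.0.113.9 DST=104.248.41.4 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=40212 WINDOW=14600 RES=0x00 ACK SYN URGP=0
"""


def parse_ufw_line(line):
    """Return the KEY=value fields plus 'action' and 'flags', or None for non-UFW lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    rec = dict(KV_RE.findall(body))  # handles empty values such as "OUT="
    rec["action"] = m.group("action")
    # Bare tokens (no '=') carry the TCP flags; DF is an IP flag and is skipped.
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec


def classify(rec):
    """Label one parsed record by what kind of packet the firewall dropped."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if flags == {"SYN"}:
        return "connection-attempt"  # someone trying to open a connection to us
    is_reply = "RST" in flags or flags == {"SYN", "ACK"}
    if is_reply and spt < 1024 and dpt in EPHEMERAL:
        # A server port answering a client-side port: a response to traffic
        # that carried this host's address as its source.
        return "reply-to-unseen-traffic"
    return "other"


def summarise(text):
    """Count entries per (source address, source port, label)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ufw_line(line)
        if rec:
            counts[(rec["SRC"], rec.get("SPT"), classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG).most_common():
        print(n, *key)
```

A steady stream of `reply-to-unseen-traffic` entries from one mail or web server, on a host that never opened those connections, matches the backscatter scenario described in the answer above.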