I noticed in one of my servers' /var/log/ufw.log this morning that the firewall had blocked the IP address 91.189.91.23 from accessing port 80. This occurred 9 times within about a minute and a half, around 6:34, which interestingly is when logrotate goes about its daily business (not sure if that's relevant).

A reverse DNS lookup listed that IP as economy.canonical.com.

I don't expect my external router to let any traffic in on port 80, and would be concerned about an intrusion in my network. Is this something internal or a cause for concern?

Arronical
  • Same question, other subdomain: http://askubuntu.com/questions/338431/why-do-ubuntu-servers-connect-to-likho-canonical-com80 – Rinzwind Nov 10 '15 at 12:27
  • 6:25 is when the daily cron runs, 6:47 is when the weekly cron runs. Since logrotate is run by cron, I'd say something's messed up. – muru Nov 10 '15 at 14:54
  • Weird, @muru: syslog shows `run-parts` starting `/etc/cron.daily` at 6:25 but the entries are split between `ufw.log` and `ufw.log.1` at 6:35. Maybe it's taking a while to get there, as there are all the other tasks in `/etc/cron.daily` to get through? – Arronical Nov 10 '15 at 15:22
  • That's possible. So, what do you have in `/etc/cron.daily`? Also, what IP does `popcon.ubuntu.com` point to for you? – muru Nov 10 '15 at 15:24
  • Nothing extra in /etc/cron.daily, only 1 extra file in /etc/logrotate.d (though it rotates and compresses 3 logs, one of which is fairly large). `host popcon.ubuntu.com` gives `91.189.94.141` @muru – Arronical Nov 10 '15 at 15:46

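One way to triage `ufw.log` entries like those described in the question, as an added example that is not part of the original post or its comments: it groups `[UFW BLOCK]` lines by source address and reports whether port 80 was the local destination port (a new inbound connection) or the remote source port (a packet coming back from a remote web server). The sample log lines, host name and addresses (documentation ranges) are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel log format UFW writes to /var/log/ufw.log.
# Addresses come from documentation ranges, not from the question.
SAMPLE_LOG = """\
Nov 10 06:25:01 srv CRON[900]: (root) CMD (run-parts /etc/cron.daily)
Nov 10 06:34:02 srv kernel: [1234.100] [UFW BLOCK] IN=eth0 OUT= MAC=00:00 SRC=203.0.113.23 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=51514 WINDOW=0 RES=0x00 RST URGP=0
Nov 10 06:34:40 srv kernel: [1272.300] [UFW BLOCK] IN=eth0 OUT= MAC=00:00 SRC=203.0.113.23 DST=192.0.2.10 LEN=52 TTL=52 PROTO=TCP SPT=80 DPT=51514 WINDOW=114 RES=0x00 ACK FIN URGP=0
Nov 10 06:35:10 srv kernel: [1302.900] [UFW BLOCK] IN=eth0 OUT= MAC=00:00 SRC=203.0.113.23 DST=192.0.2.10 LEN=52 TTL=52 PROTO=TCP SPT=80 DPT=51516 WINDOW=114 RES=0x00 ACK URGP=0
Nov 10 07:02:11 srv kernel: [2923.500] [UFW BLOCK] IN=eth0 OUT= MAC=00:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40112 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs such as SRC=, SPT=, DPT=
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH")


def parse_block(line):
    """Return the fields of one [UFW BLOCK] line as a dict, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    rest = line.split("[UFW BLOCK]", 1)[1]
    rec = dict(FIELD.findall(rest))
    tokens = rest.split()
    rec["FLAGS"] = [f for f in TCP_FLAGS if f in tokens]  # bare flag words, no '='
    return rec


def classify(rec, port="80"):
    """Label a blocked packet by which end of the connection used `port`."""
    flags = rec["FLAGS"]
    if rec.get("DPT") == port and "SYN" in flags and "ACK" not in flags:
        return "new-connection-to-local-port"
    if rec.get("SPT") == port:
        return "reply-from-remote-port"
    return "other"


def summarise(text, port="80"):
    """Count blocked packets per source address and classification."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_block(line)
        if rec and "SRC" in rec:
            counts[rec["SRC"]][classify(rec, port)] += 1
    return {src: dict(kinds) for src, kinds in counts.items()}


if __name__ == "__main__":
    for src, kinds in summarise(SAMPLE_LOG).items():
        print(src, kinds)
```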