Why does my UTM have this site in the logs every day?

Some lines from the actual log may help.

At this stage I can only get odd lines

Ian

Thanks for posting that.

So this is reported in the firewall (packet filter) log.  Honestly I wouldn't lose any sleep over it.  At the end of a typical day I'll see several thousand entries in the log from all sorts of ip's trying to connect to various ports using various protocols.  Some of these are from CDN's like Akamai or amazon, others are probably malicious connections.  The firewall is doing its job by blocking and reporting these attempts.

There is software out there that will parse your log and generate reports/trends, but I don't believe this capability is built in to utm itself.

My advice is to just ignore it.  If it bothers you enough, you can set up a firewall rule to drop for this specific ip, or subnet (say 77.72.82.0/24) then leave the logging box unchecked.

Prior to getting UTM I knew there were outside attempts in, I didn't realize the scope until reviewing the logs.  The old wifi router didn't keep very good logs.

Thanks for posting that.

So this is reported in the firewall (packet filter) log.  Honestly I wouldn't lose any sleep over it.  At the end of a typical day I'll see several thousand entries in the log from all sorts of ip's trying to connect to various ports using various protocols.  Some of these are from CDN's like Akamai or amazon, others are probably malicious connections.  The firewall is doing its job by blocking and reporting these attempts.

There is software out there that will parse your log and generate reports/trends, but I don't believe this capability is built in to utm itself.

My advice is to just ignore it.  If it bothers you enough, you can set up a firewall rule to drop for this specific ip, or subnet (say 77.72.82.0/24) then leave the logging box unchecked.

Prior to getting UTM I knew there were outside attempts in, I didn't realize the scope until reviewing the logs.  The old wifi router didn't keep very good logs.

Hi Jay,

I think you missed the point, maybe I didn't make myself clear. I understand about the various attempts to access people's security devices, just this one site always appears no matter what IP address my ISP assigns me. It is only in the UTM, from limited investigation it does not appear in my XG.

I have reduced the most of the other stuff by implementing additional country blocking.

Ian

In that case it could be something on your local lan triggering the connection.

It may not even be something connecting directly to that host but some other which somehow triggers that ip to attempt to connect back to you.

Hi Jay,

to test your theory I have moved all devices on to my XG, so I have about 25 active devices (IP) addresses using one 3.8mbs/660kbs for the next 26 hours. Normally I have the load spread across two approx 3.5mbs links.

Ian

Hi Jay,

I ran the UTM without any internal connections for 34 hours so both sides of the end of day are covered.

Please see the daily report below.

There has been one significant outcome, the number of RU sites has dropped and so has the RU ntp sites.

Next trick will be to disable dudes auto update and restart the UTM so it picks ups new external IP.

Ian

Disabled dydns, but did not get a new IP, so this morning powered utm and modem off for about 30 minutes and still received the same IP address.

Waiting until tomorrow and the following day's reports.

Ian

Assuming you're on cable, you need to change the wan mac to get a new ip.

ADSL2+, normally a restart of the modem will get a new IP4 address, but for the last couple of days the same address is assigned.

Ian

The site still features very large in the daily reports.

Ian