ISP reports constant security threats

Originally I had OctoPi installed (latest version) and received notifications from my ISP (Cox.com) that they 'blocked a malicious IP' from a variety of sources. Since I had it installed for several years, I thought I misconfigured something. So I started from scratch.

This time I installed OctoPrint on the latest version of Raspi (December 2nd 2020, kernel version 5.4) and fully updated and upgraded it. I changed the name of the device, the password, and even changed the local IP to a different one. Everything else is stock.

About 30 minutes after rebooting it, I got 39 more alerts from my ISP. None of my other computers are getting hit.

Is there anything I can do to help fix this? I'm more than willing to start again if I need to do so.

You sure you have no other device within your network that is doing this and it's just coincidence? Any details provided by cox explaining the destinations that the malicious IP was trying to reach? Have you enabled port forwarding of any kind to your device for remote access away from your network?

The ISP hardly gives any information...

I did have port forwarding on though. I've deleted the rule and will leave it on for a couple of hours. Hopefully that was the cause of the issue!

Yeah, those alerts look like your ISP has prevented those known bad sites from accessing your network. If the port forwarding wasn't enabled then they wouldn't be trying to access your server. That's why it's recommended to not port forward at all and use other solutions for remote access like a VPN or the ngrok plugin.

2 Likes
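As an added example (not code from this thread or from the OctoPrint project), here is a small Python script that shows what the situation described above looks like from the printer's side: it reads access-log lines in the common "combined" format that a reverse proxy in front of OctoPrint would write, and counts requests that arrived from outside the local network. The log lines are constructed for the example, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges standing in for arbitrary Internet hosts. Any request in the "external" bucket means the device was reachable from the Internet, which on a home network almost always means a port forward or UPnP rule on the router.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in the "combined" style a haproxy/nginx
# front end would produce. They are made up for this example; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
192.168.1.23 - - [02/Dec/2020:18:01:12 +0000] "GET /api/version HTTP/1.1" 200 312
203.0.113.45 - - [02/Dec/2020:18:03:41 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - - [02/Dec/2020:18:03:42 +0000] "POST /api/login HTTP/1.1" 403 0
192.168.1.10 - - [02/Dec/2020:18:05:00 +0000] "GET /webcam/?action=stream HTTP/1.1" 200 10240
203.0.113.45 - - [02/Dec/2020:18:06:13 +0000] "GET /.env HTTP/1.1" 404 0
garbage line that does not parse
"""

# Address ranges that can only originate on the local network (RFC 1918,
# loopback, link-local, IPv6 ULA). An explicit list is used rather than
# ipaddress's is_private, which also treats the documentation ranges as private.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_lan_address(ip_str):
    """True when the address lies in a LAN-only range; unparsable strings count as external."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def summarize(log_text):
    """Split requests into LAN and external sources and tally external hosts and paths."""
    lan_requests = 0
    external_sources = Counter()
    external_paths = Counter()
    skipped = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        if is_lan_address(entry["ip"]):
            lan_requests += 1
        else:
            external_sources[entry["ip"]] += 1
            external_paths[entry["path"]] += 1
    return {
        "lan_requests": lan_requests,
        "external_requests": sum(external_sources.values()),
        "external_sources": dict(external_sources),
        "external_paths": dict(external_paths),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"LAN requests:      {report['lan_requests']}")
    print(f"External requests: {report['external_requests']}")
    for ip, n in sorted(report["external_sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n} request(s)")
    if report["external_requests"]:
        print("External traffic reached this host: check the router for port forwards or UPnP rules.")
```

Pointing the script at the real proxy log (for example `summarize(open("/var/log/haproxy.log").read())` once the regex is adjusted to that file's format) gives a quick answer to the question asked earlier in the thread: if external sources show up at all, the device is exposed, and removing the port forward should make that bucket go to zero.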

I haven't had any more alerts since I removed the port forward.

Problem solved!

1 Like