What is the reason for the appearance of 45.32.148.212 & 44.217.106.106 in the system logs?

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.3
Webmin version 2.105
Virtualmin version 7.8.2
Firewall version ConfigServer Security & Firewall 14.20
Kernel and CPU Linux 5.15.0-1051-realtime on x86_64
Authentic theme version 21.09.5

Hi to all,
First, I want to thank the developers of webmin/virtualmin for this amazing control panel.
So, I have had a server with webmin/virtualmin for the last 2.5 years, and every time I face a problem I solve it either by looking at the forum or by searching the internet.
For the following question, however, I did not find an answer anywhere.
Can you please tell me why in the system logs I find the following lines about 10 times every 20 minutes?

Nov 26 01:13:01 my.domain.name kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=My_server_IP DST=44.217.106.106 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=20567 PROTO=UDP SPT=55250 DPT=53 LEN=65 UID=112 GID=120 
Nov 26 01:13:01 my.domain.name kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=My_server_IP DST=45.76.69.64 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=38472 PROTO=UDP SPT=48934 DPT=53 LEN=68 UID=112 GID=120

The only information I have found on these two IPs is that they probably belong to Webmin and have some connection to Amazon.
I tried blocking them with the firewall, but they keep appearing in the logs.

vultr.webmin.com: 45.76.69.64
webmail.webmin.com: 44.217.106.106

Is there any need for them to be enabled in webmin/virtualmin for some communication?
Or are they unnecessary? Can I stop them completely?

Thanks in advance for any help

Have you configured Webmin download repositories instead of, or in addition to, the Virtualmin repos? Do you have any additional modules installed not from the package manager (and instead from the Webmin wbm repo)?

Wow! Thank you for the quick response!

My Package Repositories (I think it’s the virtualmin defaults + some of Ubuntu Pro + Lynis):

jammy-security/main/restricted http://security.ubuntu.com/ubuntu
jammy-security/universe http://security.ubuntu.com/ubuntu
jammy-security/multiverse http://security.ubuntu.com/ubuntu
jammy/main/restricted http://archive.ubuntu.com/ubuntu
jammy-updates/main/restricted http://archive.ubuntu.com/ubuntu
jammy/universe http://archive.ubuntu.com/ubuntu
jammy-updates/universe http://archive.ubuntu.com/ubuntu
jammy/multiverse http://archive.ubuntu.com/ubuntu
jammy-updates/multiverse http://archive.ubuntu.com/ubuntu
jammy-backports/main/restricted/universe/multiverse http://archive.ubuntu.com/ubuntu
stable/main https://packages.cisofy.com/community/lynis/deb/
jammy/main https://esm.ubuntu.com/cis/ubuntu
jammy-apps-security/main https://esm.ubuntu.com/apps/ubuntu
jammy-apps-updates/main https://esm.ubuntu.com/apps/ubuntu
jammy-infra-security/main https://esm.ubuntu.com/infra/ubuntu
jammy-infra-updates/main https://esm.ubuntu.com/infra/ubuntu

I just found out what Webmin wbm repo (.wbm) is from this page: Webmin Administrator's Cookbook.
I didn’t know what this repository was called.
So yes, I have installed some modules from: Webmin > Webmin Configuration > Webmin Modules in the past, but I don’t remember which ones.
I have installed ConfigServer Security & Firewall via the Webmin wbm repo for sure.
This may be the problem.

It is not a “problem”. It is an explanation for why you see those IPs.

Yes, you are right. I think you steered me very well. If it’s a module from the Webmin wbm repo then it’s CSF. I will look at all the files CSF has and come back to the post to thank you and close it. :grin:
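Added example, not part of the original thread and not Webmin or CSF code: the log lines quoted in the question record more than the destination IP. `DPT=53` marks the blocked packets as DNS queries, and `UID`/`GID` name the local account that owns the sending socket. This Python sketch groups such lines by destination, service and sending account; the function names are assumptions made for the illustration.

```python
import pwd
import re
from collections import Counter

# Sample input: the two log lines quoted in the question.
SAMPLE_LOG = """\
Nov 26 01:13:01 my.domain.name kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=My_server_IP DST=44.217.106.106 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=20567 PROTO=UDP SPT=55250 DPT=53 LEN=65 UID=112 GID=120
Nov 26 01:13:01 my.domain.name kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=My_server_IP DST=45.76.69.64 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=38472 PROTO=UDP SPT=48934 DPT=53 LEN=68 UID=112 GID=120
"""

TAG = re.compile(r"Firewall: \*(\w+) Blocked\*")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the fields of a firewall block line, or None for any other line."""
    tag = TAG.search(line)
    if tag is None:
        return None
    fields = {"CHAIN": tag.group(1)}
    for key, value in FIELD.findall(line[tag.end():]):
        fields.setdefault(key, value)  # LEN occurs twice; keep the first (IP length)
    return fields


def account_name(uid):
    """Map a numeric UID to the local account name, falling back to the number."""
    try:
        return pwd.getpwuid(int(uid)).pw_name
    except (KeyError, ValueError, OverflowError):
        return f"uid {uid}"


def summarize(log_text, resolve=account_name):
    """Count blocked packets per (chain, destination, proto/port, sending account)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        service = f"{f.get('PROTO', '?')}/{f.get('DPT', '?')}"
        owner = resolve(f["UID"]) if "UID" in f else "unknown"
        counts[(f["CHAIN"], f.get("DST", "?"), service, owner)] += 1
    return counts


if __name__ == "__main__":
    for (chain, dst, service, owner), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {chain}  {dst}  {service}  sent by {owner}")
```

Run on the server that produced the log, the account name resolved for UID 112 shows which local service is sending the DNS queries that the firewall blocks.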
