mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Support for security such as Firewalls and securing linux
dlandtwing
Posts: 1
Joined: 2021/05/14 12:46:09

mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Post by dlandtwing » 2021/05/14 12:59:29

Our security team has noticed some connection attempts to 193.29.187.83 from our CentOS 7 VMs being blocked by our Fortigate firewall due to its IP reputation blacklist feature. After some investigation I've found that this IP address (among others) is part of the DNS resolution of mirror.centos.org.

Therefore my question: Is 193.29.187.83 a legitimate CentOS mirror and therefore mistakenly blacklisted by Fortigate (e.g. because it's previously been used for shady activities and the same IP address has been reassigned afterwards)?
I am aware that software packages are signed and their signature is verified upon installation.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Post by TrevorH » 2021/05/14 14:47:34

I do not know why Fortigate have blocked this IP address; you would have to ask them. According to whois it is in Romania and reverse lookups to

83.187.29.193.in-addr.arpa domain name pointer yudiz.colevismance.com.

According to https://www.centos.org/download/mirrors/ there are 16 mirrors listed in Romania and when I query all of them with host $hostname, none of them appear to resolve to that address (though that's not a reliable indicator that it doesn't as it could be geoip or round robin). I did try searching by ip address but it returns nothing.

CentOS mirrors are all on donated nodes in various ISPs that have enough bandwidth to support them. They are not run by CentOS itself. If you have evidence of malpractice taking place on a particular mirror then I suspect the best place to report it would be on the centos-mirror mailing list or in the Freenode IRC channel #centos-mirror.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Post by avij » 2021/05/17 08:57:49

mirror.centos.org machines are run by the CentOS Project, even though the server hardware and network connectivity is typically donated by a sponsor. Reverse DNS entries may not always point to centos.org names. In contrast, the mirrors listed on https://www.centos.org/download/mirrors/ are operated by their respective sponsors. Those so-called "external mirrors" are unrelated to the mirror.centos.org service.

I can confirm that 193.29.187.83 is indeed among the servers that provide mirror.centos.org, as you have found. If you go to http://193.29.187.83/ you will see "server.id 2004-09-22 15:24 0 centosy9.centos.org". centosy9.centos.org (whose DNS entry is controlled by the CentOS Project) does point to 193.29.187.83.

I would also suggest asking Fortigate about this. Maybe the IP address has been recycled from a different server that served malware. I find it unlikely that there would be something wrong with the current server serving CentOS files.
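The check avij describes (fetch the node's index page, read the host named on its server.id line, then confirm that the CentOS-controlled name resolves back to the same address) as an added example; this is not code from the thread or from the CentOS Project. It assumes the server.id line has the layout quoted above, and the sample pages and DNS answers are constructed, using documentation addresses rather than the real mirror IP.

```python
import re
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.request import urlopen

# Layout assumed from the single line quoted in the post:
# "server.id 2004-09-22 15:24 0 centosy9.centos.org"
SERVER_ID_RE = re.compile(r"server\.id\s+\S+\s+\S+\s+\S+\s+(?P<host>[\w.-]+)")

def extract_server_id_host(index_page: str) -> Optional[str]:
    """Return the hostname named on the server.id line, or None if there is none."""
    m = SERVER_ID_RE.search(index_page)
    return m.group("host") if m else None

def verify_mirror_node(ip: str, fetch: Callable[[str], str],
                       resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Does `ip` claim to be a centos.org node, and does that name point back to it?
    The page content alone proves nothing (anyone can serve that line); the DNS step
    ties the claim to a name the CentOS Project controls. fetch/resolve are injected
    so the same logic runs on captured data or live HTTP/DNS."""
    try:
        page = fetch(f"http://{ip}/")
    except (OSError, KeyError) as exc:
        return False, f"fetch failed: {exc}"
    host = extract_server_id_host(page)
    if host is None:
        return False, "no server.id line on index page"
    if not host.endswith(".centos.org"):
        return False, f"server.id names {host}, not a centos.org host"
    addrs = set(resolve(host))
    if ip not in addrs:
        return False, f"{host} resolves to {sorted(addrs)}, not {ip}"
    return True, f"{ip} identifies as {host}, and {host} resolves back to it"

# Constructed sample data: one node whose name resolves back to it, one whose does not.
SAMPLE_PAGES = {
    "http://198.51.100.7/": "Index of /\nserver.id 2004-09-22 15:24 0 centosy9.centos.org\n",
    "http://203.0.113.5/": "Index of /\nserver.id 2004-09-22 15:24 0 centosy9.centos.org\n",
}
SAMPLE_DNS = {"centosy9.centos.org": ["198.51.100.7"]}

def sample_fetch(url: str) -> str:
    return SAMPLE_PAGES[url]

def sample_resolve(host: str) -> Iterable[str]:
    return SAMPLE_DNS.get(host, [])

def live_fetch(url: str) -> str:
    with urlopen(url, timeout=10) as resp:
        return resp.read(4096).decode("utf-8", "replace")

def live_resolve(host: str) -> Iterable[str]:
    return {info[4][0] for info in socket.getaddrinfo(host, 80)}
```

Whatever this check says, package integrity still rests on the GPG signature check at install time (gpgcheck=1), not on which address served the files.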

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Post by TrevorH » 2021/05/17 14:29:33

I asked about centosy9 (thanks avij) and the answer is:

[15:27:25] <Arrfab> that node was donated to us "recently"

So, yes, it's now part of mirror.centos.org and who knows what it was before.
