mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Posted: 2021/05/14 12:59:29
by dlandtwing
Our security team has noticed some connection attempts to 193.29.187.83 from our CentOS 7 VMs being blocked by our Fortigate firewall due to its IP reputation blacklist feature. After some investigation I've found that this IP address (among others) is part of the DNS resolution of mirror.centos.org.

Therefore my question: Is 193.29.187.83 a legitimate CentOS mirror and therefore mistakenly blacklisted by Fortigate (e.g. because it's previously been used for shady activities and the same IP address has been reassigned afterwards)?
I am aware that software packages are signed and their signature is verified upon installation.

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Posted: 2021/05/14 14:47:34
by TrevorH
I do not know why Fortigate have blocked this IP address; you would have to ask them. According to whois it is in Romania and reverse lookups to

83.187.29.193.in-addr.arpa domain name pointer yudiz.colevismance.com.

According to https://www.centos.org/download/mirrors/ there are 16 mirrors listed in Romania and when I query all of them with host $hostname, none of them appear to resolve to that address (though that's not a reliable indicator that it doesn't as it could be geoip or round robin). I did try searching by ip address but it returns nothing.

CentOS mirrors are all on donated nodes in various ISPs that have enough bandwidth to support them. They are not run by CentOS itself. If you have evidence of malpractice taking place on a particular mirror then I suspect the best place to report it would be on the centos-mirror mailing list or in the Freenode IRC channel #centos-mirror.

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Posted: 2021/05/17 08:57:49
by avij
mirror.centos.org machines are run by the CentOS Project, even though the server hardware and network connectivity is typically donated by a sponsor. Reverse DNS entries may not always point to centos.org names. In contrast, the mirrors listed on https://www.centos.org/download/mirrors/ are operated by their respective sponsors. Those so-called "external mirrors" are unrelated to the mirror.centos.org service.

I can confirm that 193.29.187.83 is indeed among the servers that provide mirror.centos.org, as you have found. If you go to http://193.29.187.83/ you will see "server.id 2004-09-22 15:24 0 centosy9.centos.org". centosy9.centos.org (whose DNS entry is controlled by the CentOS Project) does point to 193.29.187.83.

I would also suggest asking Fortigate about this. Maybe the IP address has been recycled from a different server that served malware. I find it unlikely that there would be something wrong with the current server serving CentOS files.
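An added example (not code from the thread or from CentOS infrastructure) that automates the three checks avij describes for a blocked address: it assumes the server.id page keeps the single-line format quoted above, takes the fetched page body as input, and accepts an injectable resolver so the logic can be exercised offline against a constructed table.

```python
import re
import socket
from typing import Callable, Dict, Optional, Set

# Constructed sample: the single line the thread reports at http://193.29.187.83/
SAMPLE_SERVER_ID_BODY = "server.id 2004-09-22 15:24 0 centosy9.centos.org\n"

# Format assumed from that one line: "server.id <date> <time> <n> <hostname>"
SERVER_ID_RE = re.compile(r"^server\.id\s+\S+\s+\S+\s+\d+\s+(?P<host>[\w.-]+)\s*$", re.M)

def parse_server_id(body: str) -> Optional[str]:
    """Return the hostname named in a mirror's server.id line, or None if absent."""
    m = SERVER_ID_RE.search(body)
    return m.group("host") if m else None

def system_resolver(name: str) -> Set[str]:
    """Forward-resolve a name to its IPv4 addresses with the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def check_mirror_ip(ip: str, server_id_body: str,
                    resolve: Callable[[str], Set[str]] = system_resolver,
                    service: str = "mirror.centos.org") -> Dict[str, object]:
    """Apply the thread's checks to a blocked IP and report each one separately.

    1. the IP is among the addresses the service name currently resolves to
    2. the server.id page names a host under centos.org (a project-controlled zone)
    3. that host forward-resolves to the same IP (reverse DNS alone is not trusted)
    """
    host = parse_server_id(server_id_body)
    in_pool = ip in resolve(service)
    under_centos = host is not None and (host == "centos.org" or host.endswith(".centos.org"))
    host_matches = under_centos and ip in resolve(host)
    return {
        "server_id_host": host,
        "in_service_pool": in_pool,
        "host_under_centos_org": under_centos,
        "host_resolves_to_ip": host_matches,
        "legitimate": in_pool and under_centos and host_matches,
    }

if __name__ == "__main__":
    # Constructed resolver table so the script runs without network access.
    table = {"mirror.centos.org": {"193.29.187.83", "198.51.100.7"},
             "centosy9.centos.org": {"193.29.187.83"}}
    print(check_mirror_ip("193.29.187.83", SAMPLE_SERVER_ID_BODY, lambda n: table.get(n, set())))
```

With the default resolver and a body fetched from the address in question, the same call runs the live check; a result with `in_service_pool` false is the case worth escalating to the mirror list rather than assuming a stale reputation entry.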

Re: mirror.centos.org - 193.29.187.83 - Fortigate IP reputation blacklist

Posted: 2021/05/17 14:29:33
by TrevorH
I asked about centosy9 (thanks avij) and the answer is:

[15:27:25] <Arrfab> that node was donated to us "recently"

So, yes, it's now part of mirror.centos.org and who knows what it was before.