ambient displays in MTV2 are trying to send ARD packets to openvpn clients

Status: RESOLVED FIXED
Product / Component: Infrastructure & Operations / AVOps: Corsica
Reported: 3 years ago; Modified: 2 years ago
(Reporter: dcurado, Assigned: dcurado)
Description

3 years ago
The following ambient displays in MTV2 are attempting to send ARD packets (to port 3483/tcp) to some IPs in the OpenVPN pool.
All this traffic is being rejected, and is creating thousands of DENY log messages from fw1.mtv2.

Can you folks take a look and shut down these processes on the ambient displays?

Thanks very much.

Comment 1

3 years ago
Corsica is owned by Potch.  We just make sure the screens are still on the wall and power up.  The Application is not ours at this time.
Assignee: nobody → mclaypotch

Comment 2

3 years ago
I will look into this immediately, but you did not provide a list.

Comment 3

3 years ago
Oops my bad... was still 1/2 asleep when I wrote this bug...

Here's the list:  the first column is the source IP, the second column is the dest IP...

10.252.24.32 10.22.248.22
10.252.24.32 10.22.248.38
10.252.24.33 10.22.248.22
10.252.24.33 10.22.248.38
10.252.24.34 10.22.248.22
10.252.24.34 10.22.248.38
10.252.24.36 10.22.248.22
10.252.24.36 10.22.248.38
10.252.24.37 10.22.248.22
10.252.24.37 10.22.248.38
10.252.24.38 10.22.248.22
10.252.24.38 10.22.248.38
10.252.24.39 10.22.248.22
10.252.24.39 10.22.248.38
10.252.24.40 10.22.248.22
10.252.24.40 10.22.248.38
10.252.24.41 10.22.248.22
10.252.24.41 10.22.248.38
10.252.26.111 10.22.248.22
10.252.26.111 10.22.249.86
10.252.28.211 10.22.249.86

Thanks!

Comment 4

3 years ago
The only modification made to the ambient screen boxes was the installation of Firefox. There is no other strange software on them to my knowledge.

Comment 5

3 years ago
We use Screen Sharing to administrate the screens. Is this unexpected behavior for the Remote Desktop client?

Comment 6

3 years ago
I have no idea.
Thing is, 24 x 7 x 365 these source IPs are trying to send traffic to the dest IPs on port 3283/tcp.
I suspect that screen sharing is the issue, but I'm not sure why the display itself would be
trying to contact IPs connected to the OpenVPN.  
Thanks in advance for your help.

Comment 7

3 years ago
To provide a little more info, here's how many deny logs have been created since midnight last night:

[dcurado@syslog1.private.scl3 ~]$ grep 3283 mtv2.out | grep 10.252.24. | wc -l
220070

That's about 30% of all of the deny logs from mtv2.

Comment 8

3 years ago
From yesterday's DENY logs from fw1.mtv2:
Total DENY log messages:
    wc -l mtv2.out
    1639135 mtv2.out

Number of those log messages that are from the ambient displays trying to talk
to port 3283 on openvpn clients connected to the openvpn system in SCL3:

    438504

Can we please fix this?  
Thank you.
Flags: needinfo?(mclaypotch)
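The grep pipeline in Comments 7 and 8 counts every line containing the string 3283, which also matches an ephemeral source port or any other field that happens to contain those digits, and it does not show which display is talking to which VPN address. The script below is an added example, written for this page; it is not part of the bug thread and not Mozilla's or the AVOps team's tooling. It parses each DENY line into fields, keeps only tcp/3283 traffic from the ambient display ranges to the OpenVPN pool, and tallies it per (source, destination) pair the way Comment 3 lists them. The log line format, the DENY_RE pattern, the AMBIENT_NETS and OPENVPN_POOL ranges, and the sample lines are all assumptions constructed from the addresses quoted in the bug; the real fw1.mtv2 format is not shown on the page.

```python
# Added example: not part of the bug thread or of Mozilla's tooling.
# Counts firewall DENY lines matching the pattern the bug describes (ambient
# display sources -> OpenVPN pool destinations on tcp/3283, ARD reporting)
# and groups them by (source, destination) pair as Comment 3 lists them.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed (constructed) line format; the real fw1.mtv2 DENY format is not on the page:
#   "<Mon> <day> <hh:mm:ss> <host> DENY <proto> <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s[\d:]+)\s(?P<host>\S+)\sDENY\s(?P<proto>\w+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s->\s(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

ARD_REPORT_PORT = 3283  # ARD reporting / task-server port named in the bug

# Assumed address ranges, derived from the addresses listed in Comment 3.
AMBIENT_NETS = [
    ip_network("10.252.24.0/24"),
    ip_network("10.252.26.0/24"),
    ip_network("10.252.28.0/24"),
]
OPENVPN_POOL = ip_network("10.22.248.0/23")  # covers the 10.22.248.x / 10.22.249.x targets

# Constructed sample log. The last four lines should NOT be counted: udp instead
# of tcp, a source outside the display ranges, "3283" only as a source port, and
# an ALLOW rather than a DENY.
SAMPLE_LOG = """\
Jul 14 00:00:01 fw1.mtv2 DENY tcp 10.252.24.32:49152 -> 10.22.248.22:3283
Jul 14 00:00:02 fw1.mtv2 DENY tcp 10.252.24.32:49153 -> 10.22.248.38:3283
Jul 14 00:00:03 fw1.mtv2 DENY tcp 10.252.24.33:49154 -> 10.22.248.22:3283
Jul 14 00:00:04 fw1.mtv2 DENY tcp 10.252.26.111:49155 -> 10.22.249.86:3283
Jul 14 00:00:05 fw1.mtv2 DENY tcp 10.252.24.32:49156 -> 10.22.248.22:3283
Jul 14 00:00:06 fw1.mtv2 DENY udp 10.252.24.32:49157 -> 10.22.248.22:3283
Jul 14 00:00:07 fw1.mtv2 DENY tcp 192.0.2.10:40000 -> 10.22.248.22:3283
Jul 14 00:00:08 fw1.mtv2 DENY tcp 10.252.24.32:3283 -> 10.22.248.22:22
Jul 14 00:00:09 fw1.mtv2 ALLOW tcp 10.252.24.32:49159 -> 10.22.248.22:3283
"""


def parse_deny(line):
    """Return the fields of one DENY line as a dict, or None for anything else."""
    m = DENY_RE.match(line)
    return m.groupdict() if m else None


def is_ard_report_to_vpn(rec):
    """True when an ambient display is reaching an OpenVPN pool address on
    tcp/3283, i.e. the reporting traffic the bug describes."""
    if rec["proto"] != "tcp" or int(rec["dport"]) != ARD_REPORT_PORT:
        return False
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    return any(src in net for net in AMBIENT_NETS) and dst in OPENVPN_POOL


def summarise(log_text):
    """Count DENY lines, the ARD-to-VPN subset, and the total per (src, dst) pair."""
    total_deny = 0
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None:
            continue  # ALLOW lines and unknown formats are not DENY events
        total_deny += 1
        if is_ard_report_to_vpn(rec):
            pairs[(rec["src"], rec["dst"])] += 1
    matched = sum(pairs.values())
    return {
        "total_deny": total_deny,
        "ard_to_vpn": matched,
        "share": matched / total_deny if total_deny else 0.0,
        "pairs": dict(pairs),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(f"DENY lines: {result['total_deny']}, ARD->VPN: {result['ard_to_vpn']} "
          f"({result['share']:.0%})")
    for (src, dst), n in sorted(result["pairs"].items()):
        print(src, dst, n)
```

Run against a real export, the per-pair table is what you would hand to whoever holds ARD access, and the share figure is the "about 30%" style number from Comment 7 computed without the substring over-match.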

Comment 9

3 years ago
Current Status:

We think that someone used ARD to administer the screens VPN, causing them to try to connect back for additional commands. Someone with ARD access would need to look into it, possibly Guillermo (though he is on world tour).
Flags: needinfo?(mclaypotch)

Comment 10

2 years ago
Hey Guillermo -- can you take a look at this when you have a minute?
Thanks.
Status: NEW → ASSIGNED
Flags: needinfo?(ghuerta)

Updated

2 years ago
Assignee: mclaypotch → dcurado

Updated

2 years ago
QA Contact: rcarroll → jbarnell

Well that was a fun one.  Was able to find the issue.  All of the ambient macs had been configured by an ARD machine to have that ARD machine be their task server.  So when that person got onto the VPN, the machines would try to send it all of their backlog of reports.  I've turned this off on all the machines.  Let me know if we are still seeing this traffic.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(ghuerta)
Resolution: --- → FIXED

Callipygae is my iMac at home.   What did you turn off on the ambient machines?   The reporting?

I'm worried that if it's something other than the reporting, if I connect again from home it will restart the problem.   

The messages in the deny log are presumably because Callipygae is unreachable when I don't have the VPN connected from home.

AFAIK there's no reason to have reporting turned on for any of the Ambient or AirMo Mac Minis.
Flags: needinfo?(ghuerta)

I turned off the reporting on each machine.  I don't believe there was anything else, but I can run a report on them again from the office to see if they are set to talk to anything at this point.
Flags: needinfo?(ghuerta)
Blocks: 1190698
Product: Audio/Visual Infrastructure → Infrastructure & Operations