The following list of ambient displays in MTV2 are attempting to send ARD packets (to port 3483/tcp) of some IPs in the OpenVPN pool. All this traffic is being rejected, and is creating thousands of DENY log messages from fw1.mtv2. Can you folks take a look and shut down these processes on the ambient displays? Thanks very much.
Corsica is owned by Potch. We just make sure the screens are still on the wall and power up. The Application is not ours at this time.
I will look into this immediately, but you did not provide a list.
Oops my bad... was still 1/2 asleep when I wrote this bug... Here's the list: the first column is the source IP, the second column is the dest IP... Thanks!
The only modification made to the ambient screen boxes was the installation of Firefox. There is no other strange software on them to my knowledge.
We use Screen Sharing to administrate the screens. Is this unexpected behavior for the Remote Desktop client?
I have no idea. Thing is, 24 x 7 x 365 these source IPs are trying to send traffic to the dest IPs on port 3283/tcp. I suspect that screen sharing is the issue, but I'm not sure why the display itself would be trying to contact IPs connected to the OpenVPN. Thanks in advance for your help.
To provide a little more info, here's how many deny logs have been created since midnight last night:
    [firstname.lastname@example.org ~]$ grep 3283 mtv2.out | grep 10.252.24. | wc -l
    220070
That's about 30% of all of the deny logs from mtv2.
From yesterday's DENY logs from fw1.mtv2:
Total DENY log messages:
    wc -l mtv2.out
    1639135 mtv2.out
Number of those log messages that are from the ambient displays trying to talk to port 3283 on openvpn clients connected to the openvpn system in SCL3: 438504
Can we please fix this? Thank you.
Current Status: We think that someone used ARD to administer the screens VPN, causing them to try to connect back for additional commands. Someone with ARD access would need to look into it, possibly Guillermo (though he is on world tour).
Hey Guillermo -- can you take a look at this when you have a minute? Thanks.
Well that was a fun one. Was able to find the issue. All of the ambient macs had been configured by an ARD machine to have that ARD machine be their task server. So when that person got onto the VPN, the machines would try to send it all of their backlog of reports. I've turned this off on all the machines. Let me know if we are still seeing this traffic.
Callipygae is my iMac at home. What did you turn off on the ambient machines? The reporting? I'm worried that if it's something other than the reporting, if I connect again from home it will restart the problem. The messages in the deny log are presumably because Callipygae is unreachable when I don't have the VPN connected from home. AFAIK there's no reason to have reporting turned on for any of the Ambient or AirMo Mac Minis.
I turned off the reporting on each machine. I don't believe there was anything else, but I can run a report on them again from the office to see if they are set to talk to anything at this point.
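Added example, not part of the original thread: a stricter re-count of the DENY entries than the grep pipeline used earlier, for checking whether the 3283/tcp traffic from the ambient displays has stopped. The log line layout, the function names and the sample lines are constructed assumptions; the thread does not show the real fw1.mtv2 log format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed key=value layout (constructed; not the real fw1.mtv2 format).
LINE_RE = re.compile(
    r"\bDENY\b.*?\bproto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+spt=(?P<spt>\d+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)"
)

# Constructed sample lines. The last three are traps for a loose grep.
SAMPLE_LOG = """\
Mar  3 00:00:01 fw1.mtv2 DENY proto=tcp src=10.252.24.32 spt=51234 dst=10.22.248.22 dpt=3283
Mar  3 00:00:02 fw1.mtv2 DENY proto=tcp src=10.252.24.32 spt=51240 dst=10.22.248.38 dpt=3283
Mar  3 00:00:03 fw1.mtv2 DENY proto=tcp src=10.252.24.33 spt=49888 dst=10.22.248.22 dpt=3283
Mar  3 00:00:04 fw1.mtv2 DENY proto=tcp src=10.252.24.32 spt=51250 dst=10.22.248.22 dpt=3283
Mar  3 00:00:05 fw1.mtv2 DENY proto=tcp src=10.252.24.40 spt=3283 dst=10.22.248.22 dpt=443
Mar  3 00:00:06 fw1.mtv2 DENY proto=tcp src=10.252.241.7 spt=40000 dst=10.22.248.22 dpt=3283
Mar  3 00:00:07 fw1.mtv2 DENY proto=tcp src=10.8.0.5 spt=1111 dst=10.22.248.22 dpt=22
""".splitlines()


def tally_denies(lines, net="10.252.24.0/24", dport=3283, proto="tcp"):
    """Return (total_denies, Counter of (src, dst)) for denies from net to dport/proto."""
    network = ip_network(net)
    total = 0
    pairs = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DENY line in the assumed layout
        total += 1
        # Match on parsed fields: destination port, protocol and source subnet.
        if (m["proto"] == proto and int(m["dpt"]) == dport
                and ip_address(m["src"]) in network):
            pairs[(m["src"], m["dst"])] += 1
    return total, pairs


def loose_grep_count(lines):
    """Mimic `grep 3283 | grep 10.252.24.`: substring match, and '.' matches any char."""
    return sum(1 for l in lines if "3283" in l and re.search(r"10.252.24.", l))


if __name__ == "__main__":
    total, pairs = tally_denies(SAMPLE_LOG)
    hits = sum(pairs.values())
    print(f"{hits}/{total} denies ({hits / total:.0%}) are display -> 3283/tcp")
    print(f"loose grep would have counted {loose_grep_count(SAMPLE_LOG)}")
    for (src, dst), n in pairs.most_common():
        print(f"{n:6d}  {src} -> {dst}")
```

Matching on parsed fields avoids counting lines where 3283 is only the source port, or where the unescaped dots in the grep pattern match a different subnet such as 10.252.241.x.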