
Re: Debian 12 - IPv4 blocked without fail2ban & co



Hello,

On Thu, Sep 07, 2023 at 12:20:18PM +0200, Romain wrote:
> With -n (sometimes it stops at hop 7, sometimes 9):
> └─# mtr -nr 54.38.38.159 -4
> Start: 2023-09-07T08:17:12+0000
> HOST: rpi4                        Loss%   Snt   Last   Avg  Best  Wrst StDev
>   1.|-- 192.168.0.1                0.0%    10    1.1   0.9   0.5   1.3   0.3
>   2.|-- 80.10.239.9                0.0%    10    3.2   3.3   2.3   5.3   0.9
>   3.|-- 193.253.80.138             0.0%    10    4.5   4.0   2.2   6.0   1.2
>   4.|-- 193.252.98.94              0.0%    10    3.4   4.3   3.1  12.2   2.8
>   5.|-- 193.252.98.101             0.0%    10    3.5   3.4   2.9   3.6   0.2
>   6.|-- 91.121.131.193             0.0%    10    4.0  12.4   3.7  82.6  24.7
>   7.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
>   8.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
>   9.|-- 192.168.0.2               90.0%    10  3461. 3461. 3461. 3461.   0.0

To me this suggests that the ICMP Time Exceeded packet is arriving
with source address 192.168.0.2, which I think means it is being
sent to you by your own ISP.

The way mtr works is to send an ICMP Echo Request packet to
54.38.38.159 with TTL set to 1 and see where the ICMP Time Exceeded
reply comes from, in this case 192.168.0.1. So it knows 192.168.0.1
is first hop. Then it does it again with TTL=2 and gets a reply
from 80.10.239.9. And so on.

So here when it does TTL=9 it gets a reply back from 192.168.0.2.

While it is possible that a string of providers are somehow routing
a packet that says it is from 192.168.0.2 back to you, really it is
most likely that this packet came from your own network or the thing
it is immediately connected to.

You may want to confirm with tcpdump that you receive a packet in on
your internet interface with source address 192.168.0.2.

In summary, I don't think it's OVH. I think it is your ISP or your
home router.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
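Added example, not part of the original message: a small Python check that parses an `mtr -nr` report and flags any hop that answers from a private address after the path has already reached a public one, which is the pattern pointed out at hop 9 above. The function names are hypothetical, the report text is copied from the quoted output, and the check is a heuristic for spotting a locally generated reply, not proof of where it came from.

```python
import ipaddress
import re

# mtr report copied from the quoted message above.
MTR_REPORT = """\
HOST: rpi4                        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.0.1                0.0%    10    1.1   0.9   0.5   1.3   0.3
  2.|-- 80.10.239.9                0.0%    10    3.2   3.3   2.3   5.3   0.9
  3.|-- 193.253.80.138             0.0%    10    4.5   4.0   2.2   6.0   1.2
  4.|-- 193.252.98.94              0.0%    10    3.4   4.3   3.1  12.2   2.8
  5.|-- 193.252.98.101             0.0%    10    3.5   3.4   2.9   3.6   0.2
  6.|-- 91.121.131.193             0.0%    10    4.0  12.4   3.7  82.6  24.7
  7.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  8.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  9.|-- 192.168.0.2               90.0%    10  3461. 3461. 3461. 3461.   0.0
"""

# Hop number and responder only; the statistics columns are not needed here.
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)")

def parse_hops(report):
    """Return [(hop_number, address_or_None)]; '???' (no reply) becomes None."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line.lstrip("> "))  # tolerate '>'-quoted mail text
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            addr = None
        hops.append((int(m.group(1)), addr))
    return hops

def private_after_public(hops):
    """Hops replying from a private address once a public hop has been seen."""
    seen_public = False
    flagged = []
    for number, addr in hops:
        if addr is None:
            continue
        if not addr.is_private:
            seen_public = True
        elif seen_public:
            flagged.append((number, str(addr)))
    return flagged

if __name__ == "__main__":
    print(private_after_public(parse_hops(MTR_REPORT)))
```
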

