Attack on my server but it's not exposed

Smokie

Hi,
So I have my server and it’s not exposed to the outside world. However, I got this notification from my UniFi router that an attempt was blocked. See screenshot. Would this be something I tried to kick off or something like that? I thought if it's not exposed to the outside world then everything would be OK. Has anyone experienced anything similar?



Thanks
 

Kris Moore

SVP of Engineering, iXsystems

That is interesting. The 192.168.1.11 is your TrueNAS, I assume? Do you have any NAT rules or things set up to forward to port 33395? Also, do you have a service / plugin running on that port on your TrueNAS?
 

sretalla

Are you running any apps?

Apps often open outbound connections to services on the Internet that may allow traffic to pass back to the app... VPNs also.
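
The point in the reply above, as an added sketch (not written by any poster in this thread, and not UniFi's actual implementation): a simplified model of a stateful NAT table showing how an outbound connection from 192.168.1.11 lets return traffic reach that host with no port forward configured. The remote addresses, the port-preserving NAT behaviour and all names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulNat:
    """Toy model of a home router's connection-state table (assumed design)."""
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    states: dict = field(default_factory=dict)
    # wan_port -> (lan_ip, lan_port): explicit port forwards, empty here
    forwards: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records state for replies."""
        wan_port = lan_port  # assumption: port-preserving source NAT
        self.states[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN (ip, port) a WAN packet reaches, or None if dropped."""
        hit = self.states.get((wan_port, remote_ip, remote_port))
        if hit is not None:
            return hit  # matches an existing outbound flow
        return self.forwards.get(wan_port)  # otherwise only a forward helps


def demo():
    nat = StatefulNat()  # no port forwards configured
    # Constructed flow: an app on the NAS contacts a remote peer from port 33395.
    nat.outbound("192.168.1.11", 33395, "198.51.100.7", 22000)
    return {
        # Traffic coming back from the peer the app contacted is delivered.
        "contacted_peer": nat.inbound("198.51.100.7", 22000, 33395),
        # A different host probing the same WAN port has no state and is dropped.
        "other_host": nat.inbound("192.0.2.99", 4444, 33395),
        # The contacted peer trying a port with no state is dropped as well.
        "other_port": nat.inbound("198.51.100.7", 22000, 8080),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
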
 

Smokie

I have Heimdall, Nextcloud and Syncthing running in jails. Syncthing I only installed yesterday and haven’t actually opened it. No ports forwarded etc.

It was blocked anyway, but it makes you wonder.
 

NugentS

You must have something open. The 172 address knows nothing about the internal address scheme you are using, and even if they did, they cannot route to it, as any attempt to route to 192.168.1.0/24 would be blocked by internet routers.

Unless the 172.105.whatever is in fact your IP address - in which case you probably have something misconfigured

Looking at this, I would say that somehow you have a port open on your firewall forwarding to 192.168.1.11:33395, either deliberately or via that service (normally Windows, along with a firewall option) that I can't remember the name of, which automatically opens ports to local apps if allowed to do so by the firewall.

Something that I always turn off, and it's annoying me that I can't remember the name.
 
Joined
Oct 22, 2019
Messages
3,641
Maybe you were using Tor (whether directly or indirectly, such as with the Brave Browser), and you had at one point inadvertently tried to connect to your TrueNAS server / app?
 

Smokie

Thanks for all the suggestions, guys. I don’t have any port forwarding set up and I am using the UniFi Dream Machine as my router. I have all threat management configured and Tor is in the categories being blocked. I’m going to have a look through some logs tonight and see if it has happened before and try to narrow it down.

Possibly a NAT thing, I’m thinking? That would open and close ports as needed. But again, I thought I had that disabled on the home LAN but enabled on the kids' VLAN for gaming.
 