Malicious scanning of port 631?
I have observed that one computer on my home network (192.168.1.60) is trying to access port 631 of my main computer (192.168.1.253). I'm not carrying out any printing. I would like to know if there is a security problem.
This is from /var/log/ufw.log. It has been happening since August 3, 2021.
Aug 30 09:57:19 skunkworks kernel: [ 3150.549098] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52383 DF PROTO=TCP SPT=32864 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:21 skunkworks kernel: [ 3152.832252] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9216 DF PROTO=TCP SPT=32866 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:22 skunkworks kernel: [ 3153.845528] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9217 DF PROTO=TCP SPT=32866 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:25 skunkworks kernel: [ 3156.221825] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38839 DF PROTO=TCP SPT=32870 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:26 skunkworks kernel: [ 3157.223484] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38840 DF PROTO=TCP SPT=32870 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:28 skunkworks kernel: [ 3159.735831] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59238 DF PROTO=TCP SPT=32874 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:29 skunkworks kernel: [ 3160.760546] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59239 DF PROTO=TCP SPT=32874 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
This traffic is first observed when 192.168.1.60 boots, before any user is logged in. It also happens randomly after logging in.
ufw blocks it. I'm not carrying out any printer activity on 192.168.1.60. It has no local, USB, or network printers configured. 192.168.1.253 does have a shared printer, but it's behind the firewall (it is shared in order to print from local VMs).
Does this activity indicate that 192.168.1.60 may be compromised?
Could it be that 192.168.1.60 is just trying to discover printers on the network?
Both computers are Ubuntu 20.04.3. This is the firewall of 192.168.1.253:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
224.0.0.1                  DENY IN     Anywhere
ff02::1                    DENY IN     Anywhere (v6)
Anywhere                   DENY OUT    224.0.0.1
Anywhere (v6)              DENY OUT    ff02::1
Most likely that machine is (non-maliciously) trying to discover printers on the network.
Port 631 is indeed printing/CUPS. It's possible, using cups, for one machine to "share" a printer to other machines using the same port 631.
- It's safe to let the x.x.x.60 machine continue to look for printers. The amount of network bandwidth used is trivial.
- Alternately, you can change the x.x.x.60 machine's CUPS settings to stop scanning.
- If the x.x.x.60 machine does not do any printing, you can also simply stop the CUPS service on that machine. To permanently stop cups from starting at boot, see https://unix.stackexchange.com/questions/480082/how-to-disable-cups-service-on-reboot-with-systemd
  sudo systemctl stop cups.service   # Stop once
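A way to check the "discovery, not a scan" reading against the log itself, as an added example that is not part of the question or the answer above: parse the [UFW BLOCK] lines, group blocked SYNs by source and destination port, and flag a source only when it touches many distinct ports. The sample log is constructed; the first three lines reproduce the question's pattern, and 192.168.1.77 is an invented second source added purely for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the /var/log/ufw.log format quoted in the question:
# the first three lines reproduce its port-631 pattern, the rest are an
# invented second source hitting several ports, to show the contrast.
SAMPLE_LOG = """\
Aug 30 09:57:19 skunkworks kernel: [ 3150.549098] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52383 DF PROTO=TCP SPT=32864 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:21 skunkworks kernel: [ 3152.832252] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9216 DF PROTO=TCP SPT=32866 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 09:57:22 skunkworks kernel: [ 3153.845528] [UFW BLOCK] IN=enp1s0f0 OUT= MAC=10:dd:b1:ea:b8:8b:74:e5:0b:39:e8:20:08:00 SRC=192.168.1.60 DST=192.168.1.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9217 DF PROTO=TCP SPT=32866 DPT=631 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 30 10:02:01 skunkworks kernel: [ 3432.100001] [UFW BLOCK] IN=enp1s0f0 OUT= SRC=192.168.1.77 DST=192.168.1.253 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 30 10:02:01 skunkworks kernel: [ 3432.100002] [UFW BLOCK] IN=enp1s0f0 OUT= SRC=192.168.1.77 DST=192.168.1.253 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 30 10:02:01 skunkworks kernel: [ 3432.100003] [UFW BLOCK] IN=enp1s0f0 OUT= SRC=192.168.1.77 DST=192.168.1.253 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 30 10:02:01 skunkworks kernel: [ 3432.100004] [UFW BLOCK] IN=enp1s0f0 OUT= SRC=192.168.1.77 DST=192.168.1.253 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=40001 DPT=631 WINDOW=1024 RES=0x00 SYN URGP=0
"""
# Fields of a ufw kernel log line that matter for triage; ports are optional
# because ICMP entries carry no SPT/DPT.
UFW_RE = re.compile(
    r"\[UFW (?P<action>[A-Z]+)\].*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\w+)(?:.*?\bSPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_ufw_line(line):
    """Pull action, addresses, protocol and ports from one ufw.log line."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["syn_only"] = " SYN " in line and " ACK " not in line  # new connection attempt
    return rec

def blocked_syn_summary(log_text):
    """Map each source IP to a Counter of (proto, dport) it was blocked on."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK" and rec["dpt"] and rec["syn_only"]:
            summary[rec["src"]][(rec["proto"], int(rec["dpt"]))] += 1
    return summary

def classify_source(port_counter, scan_threshold=4):
    """Crude triage: one service port retried is a client looking for a service
    (here CUPS/IPP on 631); many distinct ports from one source is worth a look."""
    ports = {dport for (_, dport) in port_counter}
    if len(ports) >= scan_threshold:
        return "multi-port probe"
    if ports == {631}:
        return "cups/ipp only (consistent with printer discovery)"
    return "single-service retries"

if __name__ == "__main__":
    for src, ports in blocked_syn_summary(SAMPLE_LOG).items():
        print(src, dict(ports), "->", classify_source(ports))
```

Run it against the real file with `blocked_syn_summary(open("/var/log/ufw.log").read())`; the threshold is a starting point to tune, not a verdict.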