I work in a company where cyber security is kind of a big deal, and one of the tools I use a lot is a host-based intrusion detection system called OSSEC. Well, the other day I decided to also install OSSEC on my private email server to see what kind of threats and intrusion attempts are happening on a daily basis. Needless to say, things have been interesting.
One thing that caught my eye this morning though is an SSL error message that showed up in the Apache logs that said "rejecting client initiated renegotiation". See below:
Okay, a simple SSL error. So what? No harm no foul right? Well, there is something kind of strange with this one. The IP address in question is 184.108.40.206, and when I do an IP address WHOIS lookup I see it belongs to a company out of Utah called Venafi, Inc.
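To turn that single log line into something you can actually track over time, here is an added example (my own code, not from the original post or from OSSEC) that parses Apache 2.4 error_log lines, tallies the mod_ssl "rejecting client initiated renegotiation" message per client IP, and checks a client against a list of CIDR ranges of the kind the post blocks. The log format and the sample lines are assumptions: the lines below are constructed for the example using documentation addresses, and the regex follows the standard Apache 2.4 error-log layout rather than any format OSSEC itself emits.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache 2.4 error_log layout (assumed): timestamp, module:level, pid/tid, client ip:port, message.
# Lines without a [client ...] field (e.g. core notices) deliberately do not match.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid [^\]]+\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] (?P<msg>.*)$"
)

# The mod_ssl message seen in the post; AH02042 is the message id Apache 2.4 attaches to it.
RENEG_MSG = "rejecting client initiated renegotiation"

# Constructed sample input (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
[Thu Apr 27 08:14:02.113322 2017] [ssl:error] [pid 2174:tid 139912] [client 192.0.2.10:51234] AH02042: rejecting client initiated renegotiation
[Thu Apr 27 08:14:05.551900 2017] [ssl:error] [pid 2174:tid 139913] [client 192.0.2.10:51240] AH02042: rejecting client initiated renegotiation
[Thu Apr 27 08:15:11.004211 2017] [core:notice] [pid 2170:tid 139900] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 27 08:16:40.771003 2017] [ssl:error] [pid 2174:tid 139914] [client 198.51.100.7:44100] AH02042: rejecting client initiated renegotiation
[Thu Apr 27 08:17:02.000001 2017] [ssl:info] [pid 2174:tid 139914] [client 203.0.113.5:40001] AH01964: Connection to child 3 established (server mail.example.com:443)
"""


def parse_line(line):
    """Return the fields of one error_log line as a dict, or None if it carries no client address."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_renegotiation_rejections(lines):
    """Tally rejected client-initiated renegotiations per client IP; every other message is ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["module"] == "ssl" and RENEG_MSG in rec["msg"]:
            hits[rec["ip"]] += 1
    return hits


def flag_clients(hits, threshold=2):
    """Return (ip, count) pairs that reach the threshold, most active client first."""
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


def in_blocklist(ip, blocklist):
    """True if ip falls inside any CIDR range in blocklist (e.g. a range you have chosen to drop)."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in blocklist)


if __name__ == "__main__":
    hits = count_renegotiation_rejections(SAMPLE_LOG.splitlines())
    for ip, n in flag_clients(hits, threshold=1):
        print(f"{ip}: {n} rejected renegotiation(s)")
```

One caveat worth keeping in mind when reading these alerts: mod_ssl writes this message when it refuses a renegotiation request from the client, so the line records the server declining something, not a successful intrusion. Internet-wide TLS scanners trigger it routinely, which is why a per-client tally over a day is more useful than reacting to each single line.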
Their website says that they are in essence an SSL company, and Wikipedia describes them as a privately held cyber security company that develops software to secure and protect cryptographic keys and digital certificates. The problem is that I don't do business with them, so they really have no reason to be scoping out my private email server.
Another thing that made me wonder about this company is that this isn't the first time I've seen their IP addresses show up in intrusion detection alerts. I've also seen their IP addresses in alerts for some of my day job company's web servers as well, and we don't do business with Venafi either.
Maybe it's my conspiracy mind at play here, but you know who else has a big data center in Utah that is designed to hack and store data about everyone on the Internet? That's right, the NSA has a huge data center in Utah called the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center.
Could Venafi be a front for the NSA? It makes me wonder...
Anyway, for now I am blocking the entire 220.127.116.11/22 range and I will continue to block ranges of suspicious IPs. There is no reason for Venafi to be connecting to my servers at all, even if they really are the NSA.
Have you seen these guys trying to connect to your systems? What are you doing about it? Do you do business with them? Is this something I shouldn't worry about? Let me know in the comments.
UPDATE: Venafi sent me the following tweet in reply to this post:
@bpowmedia Thanks for your tweet, please follow this link for more information on our TrustNet Scanning https://t.co/OcUh63qPLT — Venafi (@Venafi) April 27, 2017
The link to their TrustNet Scanner talks about how they passively scan the certificates of every IP address on the internet to build a global certificate repository that they make available to the public. I suppose that's plausible... I'm still not convinced they aren't a front for the NSA though!
Update #2: Is the CIA now trying to break into my email server?