Howdy -
Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):
- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.
There's typically 300 or so bytes transmitted, often multiples of 62.
Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...
TIA!
Edit: I blocked some with "hosts" and everything still works fine.
Strange internet connections on start-up
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Re: Strange internet connections on start-up
Bad news on one of those IPs...
Flemur wrote:
Howdy -
Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):
- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.
There's typically 300 or so bytes transmitted, often multiples of 62.
Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...
TIA!
Edit: I blocked some with "hosts" and everything still works fine.
I ran gufw from a terminal and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?
I'm thinking that those connections you noticed were incoming due to your not having set up a firewall. If they were outgoing, then that would be a graver problem.
Re: Strange internet connections on start-up
I remain curious about this topic, specifically whether it is enough to configure the firewall to accept only 192.168.1.1/24/tcp as incoming. Is that good enough for a basic firewall defense, or is there something else that needs to be there?
Re: Strange internet connections on start-up
Unfortunately, I'm not a security expert, so I really can't tell you how to correct this. About all I can do is offer a few more questions that might help you to chase this down.
Flemur wrote:
(same or similar with Mint and Arch)
You did not specify if Mint and Arch are on the same box, I assume they are. If they are, I'll assume they are loaded into different partitions (I don't think they'd work otherwise). So my next question would be, where is /home located? Do you share the same /home between both distros on the same box? If so, you may discover some nefarious programs somewhere in /home.
Flemur wrote:
Edit: I blocked some with "hosts" and everything still works fine.
Again you didn't specify, so I'll assume you're referring to hosts.deny.
I'm not entirely sure about this, but I think hosts.deny will only stop incoming traffic from those hosts; it will not stop any outgoing traffic from "your" host to another. You may not have stopped anything being sent outbound, only your ability to see what is coming back. I'd keep looking for a solution, if I were you.
Quote:
and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?
You did not address any UDP connections, so you haven't blocked everything. Also, I think that once a connection is established outbound, by your box, it will maintain that connection, even though others have been blocked. So in other words, no, your assumption is not correct. If you had restricted everything to just "your" network, the 192.168.1.x, you would not have been able to make your second post for a follow up question.
If there is something in your box, establishing an outbound connection (virus, whatever), that connection should be maintained until your box no longer needs it. So, you really need to determine what is causing the connection to be established in the first place.
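The reply above makes two points worth checking by hand: a LAN-only inbound rule does nothing about connections your own box opens outbound, and the real question is which local process owns each connection. The script below is an added example written for this thread, not something any poster ran. It shows the ufw rules that implement "deny inbound except 192.168.1.0/24, allow outbound", and a small parser for the output of `ss -tunap` that lists every non-LAN peer together with the owning process. The `ss` output embedded in `SAMPLE_SS` is constructed for the demo (peers from the RFC 5737 documentation ranges, made-up PIDs); the function names are my own.

```shell
#!/bin/sh
# Added example for the thread above (not the posters' code).

# Inbound policy the earlier post described, expressed as ufw commands.
# Note the separate outbound default: nothing here blocks or logs what
# processes on this box send out, which is the point the reply makes.
apply_lan_only_inbound() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow from 192.168.1.0/24
    sudo ufw enable
}

# Return success if the address is inside 192.168.1.0/24 (exact octet
# comparison, so 192.168.10.5 is correctly treated as outside).
is_lan_addr() {
    printf '%s\n' "$1" | awk -F. '{ exit !(NF == 4 && $1 == 192 && $2 == 168 && $3 == 1) }'
}

# Read `ss -tunap` style output on stdin and print one line per peer that is
# not on the 192.168.1.0/24 LAN: "<peer-ip> <process-name> <pid>".
# Listening/unconnected sockets (peer 0.0.0.0 or *) are skipped. A socket
# whose owner is not visible (ss run without root) is reported as unknown.
external_peers() {
    awk 'NR > 1 && NF >= 6 {
        peer = $6
        sub(/:[^:]*$/, "", peer)                  # strip the port
        if (peer == "0.0.0.0" || peer == "*" || peer == "[::]") next
        n = split(peer, o, ".")
        if (n == 4 && o[1] == 192 && o[2] == 168 && o[3] == 1) next
        name = "unknown"; pid = "-"
        if (NF >= 7 && match($7, /"[^"]*"/)) {
            name = substr($7, RSTART + 1, RLENGTH - 2)
            if (match($7, /pid=[0-9]+/)) pid = substr($7, RSTART + 4, RLENGTH - 4)
        }
        printf "%s %s %s\n", peer, name, pid
    }'
}

# Constructed sample in the layout ss prints; not captured from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
tcp   ESTAB  0      0      192.168.1.20:44312  198.51.100.23:443   users:(("firefox",pid=2143,fd=88))
tcp   ESTAB  0      0      192.168.1.20:51002  192.168.1.10:22     users:(("ssh",pid=3012,fd=3))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*           users:(("dhclient",pid=812,fd=6))
tcp   ESTAB  0      0      192.168.1.20:39874  203.0.113.7:443'

# Demo run over the constructed sample; on a live box use:  sudo ss -tunap | external_peers
printf '%s\n' "$SAMPLE_SS" | external_peers
```

Run as root on the real system so `ss` can show the owner of every socket; a peer that shows up as `unknown` under your own user is a process running as another account, which is exactly the kind of connection the reply says needs tracking down before any blocking is worth doing.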