Linux Mint Forums

[Flemur]

Howdy -

Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):

- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.

There's typically 300 or so bytes transmitted, often multiples of 62.

Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...

TIA!

Edit: I blocked some with "hosts" and everything still works fine.

[igor83]

Howdy -

Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):

- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.

There's typically 300 or so bytes transmitted, often multiples of 62.

Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...

TIA!

Edit: I blocked some with "hosts" and everything still works fine.

Bad news on one of those IP's...

I ran gufw from a terminal and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?
I'm thinking that those connections you noticed were incoming due to your not having set up a firewall. If they were outgoing, then that would be a graver problem.

[igor83]

I remain curious about this topic, specifically whether it is enough to configure the firewall to accept only 192.168.1.1/24/tcp as incoming. Is that good enough for a basic firewall defense, or is there something else that needs to be there?

[billmc]

Unfortunately, I'm not a security expert, so I really can't tell you how to correct this. About all I can do, is offer a few more questions, that might help you to chase this dowm.

(same or similar with Mint and Arch)

You did not specify if Mint and Arch are on the same box, I assume they are. If they are, I'll assume they are loaded into different partitions (I don't think they'd work otherwise). So my next question would be, where is /home located? Do you share the same /home between both distros on the same box? If so, you may discover some nefarious programs somewhere in /home.

Edit: I blocked some with "hosts" and everything still works fine.

Again you didn't specify, so I'll assume you're referring to hosts.deny
I'm not entirely sure about this, but I think hosts.deny will only stop incoming traffic from those hosts, it will not stop any outgoing traffic from "your" host to another. You may not have stopped anything being sent outbound, only your ability to see what is coming back. I'd keep looking for a solution, if I were you.

and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?

You did not address any UDP connections, so you haven't blocked everything. Also, I think that once a connection is established outbound, by your box, it will maintain that connection, even though others have been blocked. So in otherwords, no your assumtion is not correct. If you had restricted everything to just "your" network, the 192.168.1.x, you would not have been able to make your second post for a follow up question.

If there is something in your box, establishing an outbound connection (virus, whatever), that connection should be maintained until your box no longer needs it. So, you really need to determine what is causing the connection to be established in the first place.