Strange internet connections on start-up


Post by Flemur on Wed Dec 12, 2012 3:41 pm

Howdy -

Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):

- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.

There's typically 300 or so bytes transmitted, often multiples of 62.

Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...

TIA!

Edit: I blocked some with "hosts" and everything still works fine.
Mint 17/Xfce/fluxbox & Mint 16/Xfce/fluxbox
 

Re: Strange internet connections on start-up

Post by igor83 on Wed Dec 12, 2012 11:07 pm

Flemur wrote: Howdy -

Running "etherape" after a clean boot, before running a browser or anything else, shows connections from my ISP to these IPs (same or similar with Mint and Arch):

- star-01-02-lga1.facebook.com
- 78-106-239-175.broadband.corbina.ru
- nk11p01st-courier084-bz.push.apple.com
- protected.ddos-blocker.net
- 2E6BCBAA.catv.pool.telekom.hu
- tor-exit.burratino.net
- some that only have IP numbers.

There's typically 300 or so bytes transmitted, often multiples of 62.

Any idea what they are? The best way to block them? I especially don't like the .hu and .ru ...

TIA!

Edit: I blocked some with "hosts" and everything still works fine.


Bad news on one of those IPs...

I ran gufw from a terminal and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?
I'm thinking that those connections you noticed were incoming due to your not having set up a firewall. If they were outgoing, then that would be a graver problem.
My desktop runs 64-bit Kubuntu 13.04, my htpc runs 64-bit Linux Mint Nadia Xfce, my answering machine runs 64-bit windows 7, and my laptop runs 64-bit Linux Mint Nadia KDE. Each seems suited to its purpose.

Re: Strange internet connections on start-up

Post by igor83 on Sun Dec 16, 2012 11:24 pm

I remain curious about this topic, specifically whether it is enough to configure the firewall to accept only 192.168.1.1/24/tcp as incoming. Is that good enough for a basic firewall defense, or is there something else that needs to be there?

Re: Strange internet connections on start-up

Post by billmc on Sun Dec 30, 2012 5:36 pm

Unfortunately, I'm not a security expert, so I really can't tell you how to correct this. About all I can do is offer a few more questions that might help you to chase this down.

(same or similar with Mint and Arch)


You did not specify if Mint and Arch are on the same box, I assume they are. If they are, I'll assume they are loaded into different partitions (I don't think they'd work otherwise). So my next question would be, where is /home located? Do you share the same /home between both distros on the same box? If so, you may discover some nefarious programs somewhere in /home.

Edit: I blocked some with "hosts" and everything still works fine.


Again you didn't specify, so I'll assume you're referring to hosts.deny.
I'm not entirely sure about this, but I think hosts.deny will only stop incoming traffic from those hosts; it will not stop any outgoing traffic from "your" host to another. You may not have stopped anything being sent outbound, only your ability to see what is coming back. I'd keep looking for a solution, if I were you.

and set up the firewall to block all incoming, allowing only 192.168.1.0/24/tcp. I think that will block anybody from the internet from connecting to my computer. Is this assumption correct?


You did not address any UDP connections, so you haven't blocked everything. Also, I think that once a connection is established outbound, by your box, it will maintain that connection, even though others have been blocked. So in other words, no, your assumption is not correct. If you had restricted everything to just "your" network, the 192.168.1.x, you would not have been able to make your second post for a follow up question.

If there is something in your box, establishing an outbound connection (virus, whatever), that connection should be maintained until your box no longer needs it. So, you really need to determine what is causing the connection to be established in the first place.
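The thread ends on the need to find which local program opens these connections and whether they are inbound or outbound. The following is an added example, not part of any post above: it parses `ss -Htunap` output and reports, per established connection, the direction, whether the peer is outside 192.168.1.0/24, and the owning process. The sample output is constructed (process names and peer addresses are made up), and treating "local port is a listening port" as inbound is a heuristic assumed here.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")  # subnet named in the thread

# Constructed sample of `ss -Htunap` output; names and addresses are made up.
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=640,fd=12))
tcp ESTAB 0 0 192.168.1.20:22 192.168.1.5:51514 users:(("sshd",pid=2201,fd=4))
tcp ESTAB 0 0 192.168.1.20:48212 203.0.113.7:443 users:(("updater",pid=1544,fd=12))
udp ESTAB 0 0 192.168.1.20:51000 198.51.100.9:6881 users:(("p2pclient",pid=1720,fd=9))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def split_addr(field):
    """Split 'addr:port' into (addr, port); drops IPv6 brackets and %iface."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]").split("%")[0], port

def classify(ss_output, lan=LAN):
    rows = [l.split(None, 6) for l in ss_output.splitlines() if l.strip()]
    # Ports this host serves: TCP LISTEN sockets and unconnected UDP sockets.
    serving = {(r[0], split_addr(r[4])[1])
               for r in rows if r[1] in ("LISTEN", "UNCONN")}
    findings = []
    for r in rows:
        if r[1] != "ESTAB":
            continue
        lport = split_addr(r[4])[1]
        peer, pport = split_addr(r[5])
        # The process column is empty for other users' sockets unless run as root.
        m = PROC_RE.search(r[6]) if len(r) > 6 else None
        findings.append({
            "proto": r[0],
            "direction": "inbound" if (r[0], lport) in serving else "outbound",
            "peer": f"{peer}:{pport}",
            "off_lan": ipaddress.ip_address(peer) not in lan,
            "process": m.group(1) if m else "unknown",
            "pid": int(m.group(2)) if m else None,
        })
    return findings

def outbound_off_lan(findings):
    """Connections this host initiated to peers outside the LAN."""
    return [f for f in findings if f["direction"] == "outbound" and f["off_lan"]]

if __name__ == "__main__":
    for f in outbound_off_lan(classify(SAMPLE)):
        print(f'{f["proto"]} -> {f["peer"]}  {f["process"]} (pid {f["pid"]})')
```

On a live system, pass the text from `sudo ss -Htunap` to `classify()`; an inbound-only firewall rule has no effect on the entries that `outbound_off_lan()` returns.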

