How to identify apps that access the network?

bgoodwin91006
Level 3
Posts: 110
Joined: Tue Nov 15, 2016 4:32 pm

How to identify apps that access the network?

Post by bgoodwin91006 »

Back in my MS Windows days, I used a program called Zone Alarm. It was not only a firewall in the common sense but it controlled access to the network on a per-application basis. The first time any app tried to access the net it would pop up a requester to verify if that app had permission to use the net. Options were: yes, no, or just-this-once. Once approved, you could always access the list of approved apps. I would like something similar for my Mint 20.1 if available.

I have looked into wireshark, and etherape, both of which are impressive in their own way but they don't identify which apps are sending/receiving all that network traffic. If they do, I'm not network savvy enough to know how to extract that from them. I just want to know, and better yet, control which apps are allowed onto the network.

Thanks for any enlightenment you can provide.
Best regards,
Bob G.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
all41
Level 19
Posts: 9527
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: How to identify apps that access the network?

Post by all41 »

Would it not be better to block all outgoing initially and allow only certain apps?
Normally

sudo ufw enable

will accomplish this.
Are you using ufw?

sudo ufw status
Everything in life was difficult before it became easy.
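An added example, not from any poster in this thread: the ufw command sequence that actually enforces "deny everything outgoing, then allow by exception", and a small parser for the [UFW BLOCK] lines ufw writes to the kernel log when that policy discards an outgoing packet. ufw ships with deny incoming / allow outgoing as its defaults, so the deny-outgoing default has to be set explicitly. UFW_CMD is a hypothetical variable of this script (set UFW_CMD=echo to dry-run the policy), the allow list is one I chose for a typical desktop, and the log lines are constructed samples. Note that ufw's log gives you the destination and port of a dropped packet, not the process that sent it.

```sh
#!/bin/sh
# Added example (not the thread's own commands). Default-deny outgoing in ufw
# with a short allow list, plus a summary of what the DROP policy discarded.
# UFW_CMD is a hypothetical knob of this script: UFW_CMD=echo dry-runs the policy.
: "${UFW_CMD:=sudo ufw}"

apply_deny_outgoing_policy() {
    $UFW_CMD default deny incoming
    $UFW_CMD default deny outgoing   # ufw's shipped default is "allow outgoing"
    $UFW_CMD allow out 53            # DNS, tcp and udp
    $UFW_CMD allow out 123/udp       # NTP
    $UFW_CMD allow out 80/tcp
    $UFW_CMD allow out 443/tcp
    $UFW_CMD logging medium          # write [UFW BLOCK] lines for dropped packets
    $UFW_CMD --force enable
}

# Count blocked *outgoing* packets per protocol and destination from ufw log
# lines on stdin. An outgoing drop carries a non-empty OUT= interface; incoming
# drops have "OUT= " and are skipped. Output lines: "<count> <proto> <dst>:<port>".
blocked_outgoing_summary() {
    awk '/\[UFW BLOCK\]/ && /OUT=[^ ]/ {
        dst = proto = dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)        dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print proto " " dst ":" dpt
    }' | LC_ALL=C sort | uniq -c
}

# Constructed sample in the format ufw writes to /var/log/ufw.log (not a real
# capture): three outgoing drops and one incoming drop that must be ignored.
sample_ufw_log() {
    cat <<'EOF'
Oct 27 09:12:01 mint kernel: [ 1201.332] [UFW BLOCK] IN= OUT=enp5s1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 27 09:12:03 mint kernel: [ 1203.010] [UFW BLOCK] IN= OUT=enp5s1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 27 09:12:05 mint kernel: [ 1205.777] [UFW BLOCK] IN= OUT=enp5s1 SRC=192.168.1.10 DST=198.51.100.44 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=39000 DPT=5353 LEN=56
Oct 27 09:12:09 mint kernel: [ 1209.101] [UFW BLOCK] IN=enp5s1 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=48212 WINDOW=0 RES=0x00 RST URGP=0
EOF
}

case "${1:-}" in
    --apply) apply_deny_outgoing_policy ;;
    --demo)  sample_ufw_log | blocked_outgoing_summary ;;
    --log)   blocked_outgoing_summary ;;    # e.g.: sudo cat /var/log/ufw.log | sh ufw_out.sh --log
esac
```

Run it with --demo to see the summary of the constructed log (two TCP drops to 203.0.113.5:8080, one UDP drop to 198.51.100.44:5353), with UFW_CMD=echo and --apply to see the rules it would issue, and only then with --apply for real. Anything the summary lists is something on the machine that tried to go out and was stopped; matching it to a process is a separate step.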
bgoodwin91006
Level 3
Posts: 110
Joined: Tue Nov 15, 2016 4:32 pm

Re: How to identify apps that access the network?

Post by bgoodwin91006 »

Thank you for your response.

Nothing changes when I set the ufw outgoing to deny. I made sure the change was current by rebooting and then checking it. There are three profiles that ufw can refer to. I made sure all three were set to outgoing-denied. My VPN still connects, Firefox still accesses the internet and I updated an app with the update manager. I'd be willing to bet the panel plugins are still getting weather and time connections. So much for outgoing denied.

When I run '/lib/ufw/ufw-init status' as root, it returns "Firewall is running". When run as a user it returns "Firewall is not running". Not sure what that means.

What I want is to start with everything denied and then designate any apps that I want to allow internet access. I can see that there are provisions in /etc/ufw for configuring allowed apps but I would first need to have a general denial in place for that to be of much use.

If anyone has accomplished this successfully I'd appreciate learning how it is done.

Best regards,
Bob G.
t42
Level 11
Posts: 3747
Joined: Mon Jan 20, 2014 6:48 pm

Re: How to identify apps that access the network?

Post by t42 »

Linux has a different network environment from Windows, and an application-level firewall has no practical sense. By default UFW is set up to allow outgoing connections initiated by the user. The firewall blocks incoming connections to all local network ports except for the ports on which system services are running. Ports not in use do not need to be blocked because there isn't anything there waiting for a network connection. If there isn't any service waiting for incoming connections then there isn't anything to hack.
-=t42=-
senjoz
Level 5
Posts: 902
Joined: Tue Jun 09, 2020 3:55 am
Location: Kamnik

Re: How to identify apps that access the network?

Post by senjoz »

Try the OpenSnitch application firewall, https://github.com/evilsocket/opensnitch.

Regards, Jože
donalduck
Level 4
Posts: 236
Joined: Mon Oct 07, 2013 1:43 pm
Location: there

Re: How to identify apps that access the network?

Post by donalduck »

I miss kerio personal firewall on windows :)

besides that there are a lot of handy programs to check network activity on linux:

netstat, to see ongoing connections:

sudo /bin/netstat -antpe

lsof, general purpose file inspection (everything is a file!):

sudo lsof -i

for more in-depth inspection, tcpdump could be useful too, it is simpler than wireshark:

sudo tcpdump -i enp5s1 -v -w capture.pcap

where "enp5s1" is the name of your network interface (see ip a or ifconfig)
bgoodwin91006
Level 3
Posts: 110
Joined: Tue Nov 15, 2016 4:32 pm

Re: How to identify apps that access the network?

Post by bgoodwin91006 »

donalduck wrote: Wed Oct 27, 2021 4:17 am I miss kerio personal firewall on windows :)

besides that there are a lot of handy programs to check network activity on linux:

netstat, to see ongoing connections:

sudo /bin/netstat -antpe

lsof, general purpose file inspection (everything is a file!):

sudo lsof -i

for more in-depth inspection, tcpdump could be useful too, it is simpler than wireshark:

sudo tcpdump -i enp5s1 -v -w capture.pcap

where "enp5s1" is the name of your network interface (see ip a or ifconfig)
I've seen all these network tools but they just don't answer the basic question; "which apps are using the network?"
t42 wrote: Wed Oct 27, 2021 12:21 am Linux has a different network environment from Windows, and an application-level firewall has no practical sense. By default UFW is set up to allow outgoing connections initiated by the user. The firewall blocks incoming connections to all local network ports except for the ports on which system services are running. Ports not in use do not need to be blocked because there isn't anything there waiting for a network connection. If there isn't any service waiting for incoming connections then there isn't anything to hack.
I couldn't disagree more. According to 'aptitude', there are 3,055 packages installed on my system. These are just the packages installed under apt. While an outside connection can't get through a port that isn't listening, there seems to be nothing stopping an installed package from connecting to the internet just the way Firefox or the weather plugin does, the fact that I didn't specifically tell it to do that notwithstanding. I'm not saying this is happening but I am saying I'd like to know that it is not happening. Better yet, I'd like to have positive control over which apps get to use the internet and which don't.

What is the point of a ufw option to set 'outgoing' to 'deny everything' if it doesn't deny anything?

LATE EDIT: I am looking into opensnitch. At first glance it looks like an answer to my request. I just don't understand why anyone would use terms like 'snitch' to describe a legitimate program. It's apparently hosted by someone using the pseudonym evilsocket.
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: How to identify apps that access the network?

Post by Hoser Rob »

Many people new to Linux don't realize that, unlike in Windows, Linux does not keep unused network ports open. This is a big, often unheralded security advantage of Linux. I think it's also why you can just use the default ufw/gufw rules, at least for desktop (non server) use.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
t42
Level 11
Posts: 3747
Joined: Mon Jan 20, 2014 6:48 pm

Re: How to identify apps that access the network?

Post by t42 »

bgoodwin91006 wrote: Wed Oct 27, 2021 7:08 am According to 'aptitude', there are 3,055 packages installed on my system. These are just the packages installed under apt. While an outside connection can't get through a port that isn't listening, there seems to be nothing stopping an installed package from connecting to the internet just the way Firefox or the weather plugin does, the fact that I didn't specifically tell it to do that notwithstanding. I'm not saying this is happening but I am saying I'd like to know that it is not happening. Better yet, I'd like to have positive control over which apps get to use the internet and which don't.
Such an approach is quite understandable when using Windows. It can be accepted to some extent in Linux if you are working in a hostile environment, if you're concerned that someone who has access to your computer might set up a network service unknown to you. But more often a mistrust of your own operating system is akin to Windows habits. Can you explain how some random package out of the 3270 installed on my Linux system may be executed [maliciously or not] if not intended? Hundreds of them will never be executed after installation. The weather plugin is not a relevant example because it is integrated in the DE and can be set up by the user to initiate a connection in order to fetch data. You cannot initiate a connection to it from the WAN because inbound connections are blocked. On my Windows PC I collected dozens of viruses in the folder D:\virus_collection. Should I be afraid of a miraculous spontaneous self-execution of the files stored there for years? Just as any randomly installed Linux application has no chance of ever being executed if not initiated by the user.
-=t42=-
bgoodwin91006
Level 3
Posts: 110
Joined: Tue Nov 15, 2016 4:32 pm

Re: How to identify apps that access the network?

Post by bgoodwin91006 »

First, another ah-ha moment. I discovered that the ufw output-deny works just fine as long as the vpn is not running. My commercial PIA vpn alters the iptables dramatically. I'm not sure at this moment that I am comfortable with that.

I don't mean to be paranoid but there are proprietary drivers such as the Nvidia drivers which are an unknown quantity. I don't want to give up their superior rendering for an open source driver. I just don't want it phoning home with a view of my desktop. Not saying it does but saying I don't know. There are a few others I'm suspicious of but it would be a moot point if I could simply name the apps allowed to access the internet.

It looks like opensnitch is what I'm looking for. I just hope it can still function in the presence of the VPN. At a glance, it appears to use eBPF to hook into the kernel syscall for the network, bypassing the iptables or preceding them; not sure which. I haven't dug that deep yet. I will be downloading the source.

Thanks to everyone who has responded. You have all given me food for thought. I guess we can call this question closed but if there's anyone who wants to add a comment or additional insight please do so.
Best regards,
Bob G.
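An added example, not from any poster in this thread, for the situation just described (ufw's outgoing deny works until the VPN client rewrites the tables): a script that reads the output of `sudo iptables -S OUTPUT` and reports two things, the built-in policy of the OUTPUT chain, and every rule in that chain that is not one of ufw's own jumps. ufw implements "deny outgoing" as a DROP policy on OUTPUT behind its ufw-* chains, so any rule another tool inserts ahead of those chains is evaluated first, and a packet it ACCEPTs never reaches ufw at all. The two iptables listings are constructed samples, and the function and option names are mine.

```sh
#!/bin/sh
# Added example (not the thread's own commands). Check whether ufw's
# deny-outgoing policy is really in force by reading "iptables -S OUTPUT":
# report the built-in chain policy and every OUTPUT rule that is not a jump
# into a ufw-* chain. A packet ACCEPTed by such a rule (a VPN client's, for
# instance) never reaches ufw's chains or the DROP policy behind them.
audit_output_chain() {
    awk '
        $1 == "-P" && $2 == "OUTPUT" { policy = $3; print "policy=" policy; next }
        $1 == "-A" && $2 == "OUTPUT" {
            n++                                    # position in the chain
            if ($0 ~ /-j ufw-/) { seen_ufw = 1; next }
            sub(/^-A OUTPUT /, "")
            tag = seen_ufw ? "after-ufw" : "before-ufw"
            print tag " rule " n ": " $0
        }
        END {
            if (policy != "DROP")
                print "WARNING: OUTPUT policy is " policy ", nothing outgoing is denied by default"
        }
    '
}

# Constructed sample (not a real capture): ufw with deny-outgoing active, but a
# VPN client has inserted two ACCEPT rules ahead of ufw's chains.
sample_vpn_output() {
    cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
EOF
}

# Constructed sample: the same chain with only ufw's own jumps, i.e. the state
# the "outgoing deny" setting is meant to produce.
sample_plain_ufw_output() {
    cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
EOF
}

case "${1:-}" in
    --demo)  sample_vpn_output | audit_output_chain ;;
    --stdin) audit_output_chain ;;   # e.g.: sudo iptables -S OUTPUT | sh audit_output.sh --stdin
esac
```

On the constructed VPN listing it prints `policy=DROP` followed by two `before-ufw` lines, which is exactly the case where ufw's status says "deny outgoing" yet traffic through tun0 and to the VPN endpoint flows anyway. On the plain listing it prints only `policy=DROP`. A `WARNING` line means the deny-outgoing default is not set at all.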
Menard
Level 7
Posts: 1729
Joined: Wed May 08, 2019 5:14 am
Location: Angers (France)

Re: How to identify apps that access the network?

Post by Menard »

Very interesting, because I was on Windows too and I used unbound as a local DNS server, but here on Linux Mint since v20 I get no evidence that it is doing the job... because by default on Mint the commands nslookup and dig return 127.0.0.53:53 for the DNS server used. On Windows with Comodo firewall (an old version, before the NSA compromised) I had the list of the DNS requests to authoritative name servers that unbound was doing, but here I get nothing similar, or it proves that unbound doesn't work as expected.
Linux Mint 20.3 Cinnamon - K 5.15 - Desktop - english
AMD APU A8 7600 - DDR3 1833 MHz 8 GB x2 Dual Channel
--

If you think tough men are dangerous, wait until you see what weak men are capable of.
donalduck
Level 4
Posts: 236
Joined: Mon Oct 07, 2013 1:43 pm
Location: there

Re: How to identify apps that access the network?

Post by donalduck »

they just don't answer the basic question; "which apps are using the network?"
actually they do, that's the point of the column COMMAND of lsof result:
COMMAND contains the first nine characters of the name of the UNIX command associated with the process.
and that's the point of option p in the netstat command above
Show the PID and name of the program to which each socket belongs.
note that without admin privileges (i.e. sudo) the process/program name won't show up...

but I understand this is not what you are looking for at first, as your main concern is to set up a white list of programs that could access the internet even before they run (as in zonealarm). Just useful tools to double-check net activity.
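An added example, not from any poster in this thread, that puts the PID/Program name column of `sudo netstat -antpe` to work on the question "which apps are using the network?": it reduces the listing to one line per program, with the remote addresses it is connected to and the local ports it listens on. It also shows the sudo point made above: a socket whose owner netstat cannot read is printed as "-", and the script labels it as unknown rather than silently dropping it. The netstat listing is a constructed sample, and the function and option names are mine.

```sh
#!/bin/sh
# Added example (not the thread's own commands). Reduce "sudo netstat -antpe"
# output to a per-program view of who is on the network. The last column,
# PID/Program name, is "-" for sockets of other users when netstat runs
# without root, which is why the thread insists on sudo.
programs_on_network() {
    awk '
        $1 ~ /^tcp6?$/ {
            prog_field = $9                        # PID/Program name ...
            for (i = 10; i <= NF; i++) prog_field = prog_field " " $i   # ... may contain spaces
            if (split(prog_field, pp, "/") == 2) prog = pp[2]
            else prog = "(unknown, rerun with sudo)"
            if ($6 == "LISTEN")      { listen[prog] = listen[prog] " " $4; next }
            # only ESTABLISHED sockets are attributed; TIME_WAIT etc. have no owner
            if ($6 == "ESTABLISHED") { count[prog]++; remote[prog] = remote[prog] " " $5 }
        }
        END {
            for (p in count)  print "connected " p " " count[p] remote[p]
            for (p in listen) print "listening " p listen[p]
        }
    ' | LC_ALL=C sort
}

# Constructed sample (not a real capture) in netstat -antpe layout: two
# listeners, two Firefox connections, one connection whose owner is hidden,
# and a TIME_WAIT socket that belongs to nobody.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        20111      640/systemd-resolve
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      0          20222      900/cupsd
tcp        0      0 192.168.1.10:48212      198.51.100.20:443       ESTABLISHED 1000       30333      2345/firefox
tcp        0      0 192.168.1.10:48213      203.0.113.7:443         ESTABLISHED 1000       30334      2345/firefox
tcp        0      0 192.168.1.10:48300      203.0.113.9:443         ESTABLISHED 0          30335      -
tcp        0      0 192.168.1.10:51001      203.0.113.9:443         TIME_WAIT   0          0          -
EOF
}

case "${1:-}" in
    --demo)  sample_netstat | programs_on_network ;;
    --stdin) programs_on_network ;;   # e.g.: sudo netstat -antpe | sh who_is_online.sh --stdin
esac
```

For the constructed sample the output is four lines: firefox with 2 connections, one connection with an unknown owner, and two listeners (cupsd, systemd-resolve). Run it periodically and diff the result and you get a crude version of the "list of apps that used the network" the thread opener is after, though only for what is connected at the moment of the snapshot; a tool like OpenSnitch sees every connection attempt as it happens.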
bgoodwin91006
Level 3
Posts: 110
Joined: Tue Nov 15, 2016 4:32 pm

Re: How to identify apps that access the network?

Post by bgoodwin91006 »

I have now installed the opensnitch binary. My attempt to compile the source has failed so far due to relocated directories from other compiles but I'm sure I will get it sorted out.

'opensnitch' is everything I wanted. It has a very 'Zone Alarm' look and feel. Most important for me is the new comfort level seeing which apps are asking to use the network. The actual number is surprisingly few (7) since starting it yesterday.

This may be too early for an outright endorsement of opensnitch but I have to say "So far I'm loving it."
donten
Level 4
Posts: 244
Joined: Mon Apr 06, 2020 2:16 pm

Re: How to identify apps that access the network?

Post by donten »

I, too, am pleased with OpenSnitch. Definitely read the wiki: lots of good pointers, i.e., how to deal with VPNs among them. I jumped in with both feet, but am now doing what the main author suggests: let it run for a few days, a week, or longer, to see how your system works. And, to see how OpenSnitch works. You'll be able to get it to "fit" better for your uses.