Hello everyone,
It seems strange to me that there is no Linux tool for logging outgoing requests together with PIDs.
I know about netstat, lsof, tcpdump and other tools, but using those it is nearly impossible to detect processes making short-lived malicious connections.
Other tools require custom kernels...
Nevertheless I have just found out that my NetworkManager service is constantly (every few minutes) making requests to "http://soyuz.archlinux.org".
Can anyone please explain that behavior, or why that is needed?
Thank you.
To monitor connections, the tools you listed above can be used to log and parse connections. Any short-lived connection will be logged. You can also use ss -tp to monitor them.
If you're concerned about malicious connections, you might want to use iptables and its logs. If you don't like tweaking it manually, maybe check UFW (Uncomplicated Firewall):
https://wiki.archlinux.org/index.php/Un … d_Firewall
You'll just have to blacklist everything, allow only connections you enjoy, and monitor the logs from time to time.
"http://soyuz.archlinux.org" seems to be a pkgbuild.com server, see: https://wiki.archlinux.org/index.php/De … .5B2.5D.29
To monitor connections, the tools you listed above can be used to log and parse connections. Any short-lived connection will be logged. You can also use ss -tp to monitor them.
If you're concerned about malicious connections, you might want to use iptables and its logs.
Can you please tell me how I can log connections with those tools?
As far as I know 'tcpdump' is the only one which monitors traffic, and it does not show the process PID or any other data that could be used to link a packet to an application/service.
Executing 'ss -tp' only displays the connections present at that particular moment. After that the command exits.
"http://soyuz.archlinux.org" seems to be a pkgbuild.com server, see: https://wiki.archlinux.org/index.php/De … .5B2.5D.29
I am still curious why NetworkManager daemon needs to communicate with pkgbuild server.
I do not see any connection between a general Linux network configuration service and the Arch build servers...
I see these requests even when the PC is idle and all applications are closed.
Thank you.
Nevertheless I have just found out that my NetworkManager service is...
The likes of tcpdump (and iptables logging) will give you much more info, e.g. the local and destination ports, and the protocol.
Could try debugging.
I also saw the same connection to http://soyuz.archlinux.org today on my PC, at random.
Networkmanager 1.6.0-4 contains the following file on your system:
/usr/lib/NetworkManager/conf.d/20-connectivity.conf
This file contains:
[connectivity]
uri=http://pkgbuild.com/check_network_status.txt
which does an online check. An alternative name of pkgbuild.com is soyuz.archlinux.org.
The NetworkManager package will be updated to a new URL soon. For your reference, see the log of the package:
https://git.archlinux.org/svntogit/pack … orkmanager
If you don't want this connection, I recommend overriding the uri with one from your local net and/or make the interval higher.
/etc/NetworkManager/NetworkManager.conf:
[connectivity]
uri=http://your-local-url
interval=999999
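To confirm which connectivity URI and interval will actually be in effect after an override like the one above, here is an added example (not from this thread) that walks NetworkManager's configuration files in the load order I understand NetworkManager.conf(5) to document (vendor conf.d, then runtime conf.d, then NetworkManager.conf, then /etc conf.d, later files overriding earlier keys; treat that order as an assumption and check your own man page). The sample tree it builds is constructed for the demo and mirrors the two files quoted in the post.

```python
import configparser
import glob
import os
import tempfile

# Assumed load order (earlier files are read first; a key set in a later
# file overrides the same key from an earlier one). Verify against your
# local NetworkManager.conf(5) before relying on it.
DEFAULT_SEARCH = [
    "/usr/lib/NetworkManager/conf.d/*.conf",
    "/run/NetworkManager/conf.d/*.conf",
    "/etc/NetworkManager/NetworkManager.conf",
    "/etc/NetworkManager/conf.d/*.conf",
]


def effective_connectivity(search=DEFAULT_SEARCH):
    """Return (effective [connectivity] keys, {key: file that set it})."""
    effective, source = {}, {}
    for pattern in search:
        for path in sorted(glob.glob(pattern)):  # alphabetical within a dir
            cp = configparser.ConfigParser(interpolation=None)
            cp.read(path)
            if cp.has_section("connectivity"):
                for key, value in cp.items("connectivity"):
                    effective[key] = value
                    source[key] = path
    return effective, source


def vendor_check_still_active(effective):
    """True if the shipped pkgbuild.com URI is what NetworkManager will poll."""
    return effective.get("uri", "").startswith("http://pkgbuild.com/")


def build_sample_tree(root):
    """Construct (for this example only) the two files quoted in the thread
    under `root`, and return the search patterns rebased onto it."""
    vendor = os.path.join(root, "usr/lib/NetworkManager/conf.d")
    etc = os.path.join(root, "etc/NetworkManager")
    os.makedirs(vendor)
    os.makedirs(os.path.join(etc, "conf.d"))
    with open(os.path.join(vendor, "20-connectivity.conf"), "w") as f:
        f.write("[connectivity]\nuri=http://pkgbuild.com/check_network_status.txt\n")
    with open(os.path.join(etc, "NetworkManager.conf"), "w") as f:
        f.write("[connectivity]\nuri=http://your-local-url\ninterval=999999\n")
    return [os.path.join(root, p.lstrip("/")) for p in DEFAULT_SEARCH]


def demo():
    with tempfile.TemporaryDirectory() as root:
        return effective_connectivity(build_sample_tree(root))
```

Running `effective_connectivity()` with no arguments inspects the real files on your system (read access to /etc/NetworkManager is required).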