
#1 2017-02-18 02:39:54

mallocman
Member
Registered: 2012-08-16
Posts: 24

Monitoring outgoing connections

Hello everyone,

It seems strange to me that there is no Linux tool for logging outgoing requests together with PIDs.
I know about netstat, lsof, tcpdump and other tools, but using those it is nearly impossible to detect processes making short-lived malicious connections.
Other tools require custom kernels...

Nevertheless I have just found out that my NetworkManager service is constantly (every few minutes) making requests to "http://soyuz.archlinux.org".
Can anyone please explain that behavior or why that is needed?

Thank you.


#2 2017-02-18 11:45:28

legerfrad
Member
Registered: 2017-02-17
Posts: 2

Re: Monitoring outgoing connections

To monitor connections, the tools you listed above can be used to log and parse connections. Any short-lived connection will be logged. You can also use ss -tp to monitor them.
If you're concerned by malicious connections, you might want to use iptables and their logs. If you don't like tweaking it manually, maybe check UFW (Uncomplicated Firewall):

https://wiki.archlinux.org/index.php/Un … d_Firewall
You'll just have to blacklist everything, allow only connections you enjoy, and monitor the logs from time to time.

"http://soyuz.archlinux.org" seems to be a pkgbuild.com server, see: https://wiki.archlinux.org/index.php/De … .5B2.5D.29


#3 2017-02-19 00:29:24

mallocman
Member
Registered: 2012-08-16
Posts: 24

Re: Monitoring outgoing connections

legerfrad wrote:

To monitor connections, the tools you listed above can be used to log and parse connections. Any short-lived connection will be logged. You can also use ss -tp to monitor them.
If you're concerned by malicious connections, you might want to use iptables and their logs.

Can you please tell me how I can log connections with those tools?
As far as I know 'tcpdump' is the only one which monitors traffic, and it does not show the process PID or any other data that could be used to link a packet to an application/service.
Executing 'ss -tp' only displays connections present at that particular moment. After that the command exits.

legerfrad wrote:

I am still curious why NetworkManager daemon needs to communicate with pkgbuild server.
I do not see any connection between a general Linux network configuration service and the Arch build servers...
I see these requests even when PC is idling and all applications are closed.

Thank you.


#4 2017-02-19 08:51:32

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Monitoring outgoing connections

mallocman wrote:

Nevertheless I have just found out that my NetworkManager service is...

The likes of tcpdump (and iptables logging) will give you much more info, e.g. the local and destination ports, and the protocol.

Could try debugging.

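As an added example (not code from any poster in this thread), a small Python poller that does the join mallocman asked for: it reads /proc/net/tcp, decodes the hex endpoints, and maps each socket inode to a PID through /proc/<pid>/fd, which is the same data ss -tp uses. It assumes a Linux /proc layout and root for seeing other users' processes; because it polls, a connection that opens and closes between two polls is still missed, so tcpdump with iptables logging, as brebs suggests, remains the more complete capture.

```python
import os, re, socket, struct, time

# Constructed sample of /proc/net/tcp (not captured from any poster's machine): 192.168.1.10:41234 -> 104.18.1.1:80, ESTABLISHED, socket inode 12345.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:A112 01011268:0050 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
"""

def decode_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80); /proc stores IPv4 addresses little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with decoded endpoints, state and inode."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10:
            conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                          "state": int(f[3], 16), "inode": int(f[9])})
    return conns

def socket_inode_to_pid(proc_root="/proc"):
    """Map socket inode -> pid via /proc/<pid>/fd links; run as root to see every process."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                          # fd closed mid-scan, or no permission
            continue
        for m in filter(None, (re.match(r"socket:\[(\d+)\]", t) for t in targets)):
            mapping[int(m.group(1))] = int(pid)
    return mapping

def attribute(conns, inode_map):
    """Join connections with the pid snapshot; pid None = socket already gone or unreadable."""
    return [dict(c, pid=inode_map.get(c["inode"])) for c in conns]

if __name__ == "__main__":
    seen = set()
    while True:                                  # poll; anything shorter than the gap is missed
        with open("/proc/net/tcp") as fh:
            conns = attribute(parse_proc_net_tcp(fh.read()), socket_inode_to_pid())
        for c in (c for c in conns if c["remote"][1] and (c["remote"], c["inode"]) not in seen):
            seen.add((c["remote"], c["inode"]))  # remote port 0 rows are LISTEN sockets, skipped
            print(time.strftime("%H:%M:%S"), "pid", c["pid"], "->", "%s:%d" % c["remote"])
        time.sleep(0.2)
```

Run it as root while the NetworkManager check fires and the line will show the owning PID next to the remote address; pair the PID with /proc/<pid>/comm to get the process name.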

#5 2017-02-22 20:23:53

vome
Member
Registered: 2017-02-22
Posts: 1

Re: Monitoring outgoing connections

I also saw the same connection to http://soyuz.archlinux.org today on my PC, at random.

NetworkManager 1.6.0-4 contains the following file on your system:

/usr/lib/NetworkManager/conf.d/20-connectivity.conf

This file contains:

[connectivity]
uri=http://pkgbuild.com/check_network_status.txt

which does an online check. An alternative name of pkgbuild.com is soyuz.archlinux.org.

The NetworkManager package will be updated to a new URL soon. For your reference, see the log of the package:

https://git.archlinux.org/svntogit/pack … orkmanager


If you don't want this connection, I recommend overriding the uri with one from your local net and/or making the interval higher.

/etc/NetworkManager/NetworkManager.conf:

[connectivity]
uri=http://your-local-url
interval=999999

