On 13/12/2023 12:26, Ralph Corderoy wrote:
Hi Tim,

    IP              hostname                       in           out            total          last seen
    98.159.234.100  chrysippo.dreamsinheels.com    377,452,876  8,790,117,140  9,167,570,016  2d 18h 38m 35s
    98.159.234.101  reformidans.dreamsinheels.com  231,512,992  4,458,161,590  4,689,674,582  3d 21h 18m  8s
    98.159.234.54   posset.dreamsinheels.com       196,503,575  3,748,136,401  3,944,639,976  2d  2h 41m 11s
    98.159.234.72   pecunias.dreamsinheels.com     207,944,151  3,507,655,611  3,715,599,762  2d  3h  6m 12s
    98.159.234.157  aliquod.dreamsinheels.com      132,080,873  2,002,741,007  2,134,821,880     11h 53m 38s
    98.159.234.20   iustitiam.dreamsinheels.com     87,937,813  1,906,705,751  1,994,643,564     21h 14m 53s
...
While I don't seem to have a list of live connections, it is still making
connections. I checked, and they are showing in Wireshark when I monitor
traffic.
A TCP connection is being established after the full normal handshake?
As opposed to an incoming packet attempting to start a connection but
not progressing?  If so, a program must be actively listening on the
same TCP port to accept the connection.  What's the output of

     sudo -i ss -tlpe
    sudo -i ss -tlpe
    [sudo] password for mit:
    State   Recv-Q  Send-Q  Local Address:Port      Peer Address:Port  Process
    LISTEN  0       50      127.0.0.1:35335         0.0.0.0:*          users:(("pia-daemon",pid=1044,fd=37)) ino:44489 sk:1 cgroup:/system.slice/piavpn.service <->
    LISTEN  0       100     127.0.0.1:25001         0.0.0.0:*          users:(("nxclient.bin",pid=5149,fd=6)) uid:1000 ino:40720 sk:2 cgroup:/user.slice/user-1000.slice/session-c3.scope <->
    LISTEN  0       4096    0.0.0.0:sunrpc          0.0.0.0:*          users:(("rpcbind",pid=771,fd=4),("systemd",pid=1,fd=35)) ino:17782 sk:3 cgroup:/system.slice/rpcbind.socket <->
    LISTEN  0       4096    127.0.0.53%lo:domain    0.0.0.0:*          users:(("systemd-resolve",pid=772,fd=14)) uid:101 ino:21970 sk:4 cgroup:/system.slice/systemd-resolved.service <->
    LISTEN  0       128     127.0.0.1:ipp           0.0.0.0:*          users:(("cupsd",pid=1036,fd=8)) ino:22360 sk:5 cgroup:/system.slice/cups.service <->
    LISTEN  0       128     127.0.0.1:7001          0.0.0.0:*          users:(("nxnode.bin",pid=4738,fd=17)) uid:1000 ino:43357 sk:6 cgroup:/user.slice/user-1000.slice/session-c3.scope <->
    LISTEN  0       100     0.0.0.0:smtp            0.0.0.0:*          users:(("master",pid=3664,fd=13)) ino:39331 sk:7 cgroup:/system.slice/system-postfix.slice/postfix@-.service <->
    LISTEN  0       128     127.0.0.1:667           0.0.0.0:*          users:(("darkstat",pid=1124,fd=9)) ino:32379 sk:8 cgroup:/system.slice/darkstat.service <->
    LISTEN  0       100     0.0.0.0:4000            0.0.0.0:*          users:(("nxd",pid=3425,fd=3)) uid:130 ino:37538 sk:9 cgroup:/system.slice/nxserver.service <->
    LISTEN  0       100     127.0.0.1:12001         0.0.0.0:*          users:(("nxnode.bin",pid=4738,fd=14)) uid:1000 ino:34811 sk:a cgroup:/user.slice/user-1000.slice/session-c3.scope <->
    LISTEN  0       100     127.0.0.1:23585         0.0.0.0:*          users:(("nxserver.bin",pid=1040,fd=20)) uid:130 ino:31733 sk:b cgroup:/system.slice/nxserver.service <->
    LISTEN  0       4096    [::]:sunrpc             [::]:*             users:(("rpcbind",pid=771,fd=6),("systemd",pid=1,fd=37)) ino:23838 sk:c cgroup:/system.slice/rpcbind.socket v6only:1 <->
    LISTEN  0       128     [::1]:ipp               [::]:*             users:(("cupsd",pid=1036,fd=7)) ino:22359 sk:d cgroup:/system.slice/cups.service v6only:1 <->
    LISTEN  0       128     [::1]:7001              [::]:*             users:(("nxnode.bin",pid=4738,fd=16)) uid:1000 ino:43356 sk:e cgroup:/user.slice/user-1000.slice/session-c3.scope v6only:1 <->
    LISTEN  0       100     [::]:smtp               [::]:*             users:(("master",pid=3664,fd=14)) ino:39332 sk:f cgroup:/system.slice/system-postfix.slice/postfix@-.service v6only:1 <->
    LISTEN  0       100     [::]:4000               [::]:*             users:(("nxd",pid=3425,fd=4)) uid:130 ino:38572 sk:10 cgroup:/system.slice/nxserver.service v6only:1 <->

PIA is a VPN service
NX is Nomachine


Here is a sample of one of the rules I have come up with:

     -A ufw-user-logging-output -p tcp
     -d 185.151.30.148 --dport 42474
     -s 185.151.30.148 --sport 42474
     -m limit --limit 3/min --limit-burst 10
     -j LOG --log-prefix "[UFW BLOCK] "
That looks like a rule to log something about the packet.  Have you enabled
logging?
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Disable_UFW_logging
says how to disable it so I think you do the opposite.  That's what
https://wiki.ubuntu.com/UncomplicatedFirewall#Basic_Usage suggests.

I don't know how to change the single port to any port.
Why bother trying to match the port?  Just ban anything from IP addresses.
I think you just want to drop all packets from sources 98.159.234.0/24 and
185.151.130.148.  There are a couple of similar examples in
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Black_listing_IP_addresses


I will check it out

Tim H

--
 Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
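An added example, not Ralph's or Tim's code and not from the thread: a POSIX shell script that turns Ralph's suggestion into practice. It generates ufw deny rules for whole source addresses (any protocol, any port, so no --dport/--sport matching), and it checks an `ss -tn state established` listing for peers inside those ranges, which is the "is a connection actually being established?" question above. The source addresses are the ones from the thread; the `ss` listing is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build "ban the source, any port" ufw
# rules and check an ss listing for live peers inside the banned ranges.

# ip2int A.B.C.D -> unsigned 32-bit integer on stdout
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# valid_v4 ADDR[/BITS] -> 0 if a well-formed IPv4 address or CIDR, else 1
valid_v4() {
  addr=${1%/*}
  bits=${1#*/}
  [ "$bits" = "$1" ] && bits=32               # bare address: treat as /32
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# in_cidr ADDR CIDR -> 0 if ADDR lies inside CIDR (a bare address is a /32)
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ufw_block_cmds SRC... -> one ufw command per valid source, dropping every
# protocol and port from that source. Malformed sources are reported on stderr
# and skipped rather than silently turned into a rule.
ufw_block_cmds() {
  for src in "$@"; do
    if valid_v4 "$src"; then
      printf 'ufw deny from %s to any\n' "$src"
    else
      printf 'skipping malformed source: %s\n' "$src" >&2
    fi
  done
}

# peers_in CIDR... : reads `ss -tn` output on stdin (with or without the
# State column), prints each IPv4 peer (IP:port) inside one of the CIDRs,
# and returns 0 if any were found, 1 otherwise. IPv6 peers are skipped.
peers_in() {
  found=1
  while read -r f1 f2 f3 f4 f5 rest; do
    case "$f1" in ''|*[!0-9]*) peer=$f5 ;; *) peer=$f4 ;; esac  # State col?
    peer_ip=${peer%:*}
    case "$peer_ip" in ''|*[!0-9.]*) continue ;; esac   # header or non-IPv4
    for cidr in "$@"; do
      if in_cidr "$peer_ip" "$cidr"; then
        echo "$peer"
        found=0
        break
      fi
    done
  done
  return $found
}

# Constructed sample of `ss -tn state established` output (not a real
# capture); the peer addresses are the ones discussed in the thread.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
0      0      192.0.2.10:4000       98.159.234.100:51422
0      0      192.0.2.10:22         203.0.113.7:40110
0      0      192.0.2.10:4000       185.151.30.148:42474'

# Dry run: print the rules (apply them with sudo once reviewed), then look
# for established connections from the same sources in the sample listing.
ufw_block_cmds 98.159.234.0/24 185.151.30.148
printf '%s\n' "$SAMPLE_SS" | peers_in 98.159.234.0/24 185.151.30.148 \
  || echo "no established connections from the blocked sources"
```

The script only prints the ufw commands; run them as root once you are happy with them. ufw evaluates rules in order, so if an existing allow rule already matches these sources, use `ufw insert 1 deny from ... to any` so the deny comes first, and remember that a deny does not tear down a connection that is already established, which is what the `peers_in` check is for: feed it `ss -tn state established` after the rules are in and expect it to print nothing.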
