Questions on network weaknesses

A chat on the usefulness of Firewall on private desktop PC led me to check my root connections.
I use UFW with default settings.

The check puzzles me: numerous “attempts” (?) from West Africa, Benin (156.0.xx.xx IP), and an established connection.

~]$ sudo netstat -apet | grep root
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN      root       24606      717/nextdns         
tcp        0      0 localhost:ipps          0.0.0.0:*               LISTEN      root       23082      715/cupsd           
tcp        0    334 ordi1.local:57407       156.0.214.34:25842      FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:52232       46.235.231.150:https    TIME_WAIT   root       0          -                   
tcp        0      0 ordi1.local:39572       fra16s14-in-f14.1:https TIME_WAIT   root       0          -                   
tcp        0    160 ordi1.local:57517       156.0.212.20:27672      FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:52334       46.235.231.150:https    TIME_WAIT   root       0          -                   
tcp        0      0 ordi1.local:48928       fra15s17-in-f13.1:https TIME_WAIT   root       0          -                   
tcp        0      0 ordi1.local:51378       aur.archlinux.org:https TIME_WAIT   root       0          -                   
tcp        0     69 ordi1.local:53769       ptr-178-50-168-17:53730 FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:54341       156.0.213.2:52873       FIN_WAIT1   root       0          -                   
tcp        0    255 ordi1.local:43565       156.0.212.28:14972      FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:40886       vmi443919.contabo:https TIME_WAIT   root       0          -                   
tcp        0      0 ordi1.local:40818       vmi443919.contabo:https TIME_WAIT   root       0          -                   
tcp        0     69 ordi1.local:58953       156.0.212.28:14972      FIN_WAIT1   root       0          -                   
tcp        0    606 ordi1.local:43123       m213-101-14-165.cu:5524 FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:56616       178.255.153.47:https    ESTABLISHED root       3944351    -                   
tcp        0     69 ordi1.local:59151       156.0.212.20:27672      FIN_WAIT1   root       0          -                   
tcp        0    471 ordi1.local:49795       ptr-178-50-235-99:53722 FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:41469       156.0.212.28:14972      FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:46181       156.0.213.2:52873       FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:55945       223.27.246.180:24981    FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:59572       web.npulse.net:https    TIME_WAIT   root       0          -                   
tcp        0    119 ordi1.local:33759       223.27.246.180:24981    FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:37665       156.0.214.34:25842      FIN_WAIT1   root       0          -                   
tcp        0      0 ordi1.local:52402       46.235.231.150:https    TIME_WAIT   root       0          -                   
tcp        0    457 ordi1.local:41577       ptr-178-50-168-17:53730 FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:56173       156.0.214.34:25842      FIN_WAIT1   root       0          -                   
tcp        0     69 ordi1.local:36925       223.27.246.180:24981    FIN_WAIT1   root       0          -                   
tcp        0    536 ordi1.local:44509       156.0.213.2:52873       FIN_WAIT1   root       0          -  

Am I at risk?

First off … as it says in the netstat man page…

NOTES
       This program is mostly obsolete.  Replacement for netstat is ss.  Replacement for netstat -r is ip route.  Replacement for netstat -i is ip -s link.  Replacement for netstat  -g
       is ip maddr.

So repeat again using ss :wink:
(really you can use the same - ss -apet or maybe ss -atulpn)

Hi !
Thank you for that. It’s even quite interesting to check:

sudo ss -r | grep -v '*'

&

sudo lsof -u root | grep -i listen

But I don’t see root user’s http connections, do I?

Depending on what you are doing - open applications - services etc. - I would be slightly curious - and investigate - and your topic piqued mine :slight_smile:

The first option that comes to mind is to close all browsers and mail apps - then recheck.

Some connections are obvious - other not so much.

I am using no firewall on my internal systems - I use a USG as router and firewall - a Raspberry Pi running ISC BIND and DHCP - and running a special BIND zone to block ads (GitHub - Trellmor/bind-adblock: Use the BIND DNS server to block ads)

Even with several tabs open in Firefox and several virtual machines running Windows - and using the above mentioned commands - my connections are a quick glance - with nothing to worry about.

➜  ~ su -l root                 
Password: 
[ts ~]# ss -apet
State      Recv-Q   Send-Q     Local Address:Port           Peer Address:Port   Process                                                                         
LISTEN     0        10               0.0.0.0:rfb                 0.0.0.0:*       users:(("lightdm",pid=2016,fd=11)) ino:23078 sk:1 cgroup:/system.slice/lightdm.service <->
LISTEN     0        128              0.0.0.0:45622               0.0.0.0:*       users:(("sshd",pid=2010,fd=3)) ino:21749 sk:2 cgroup:/system.slice/sshd.service <->
LISTEN     0        128            127.0.0.1:rgtp                0.0.0.0:*       users:(("sqlservr",pid=2335,fd=116)) uid:964 ino:703 sk:3 cgroup:/system.slice/mssql-server.service <->
LISTEN     0        128            127.0.0.1:ipp                 0.0.0.0:*       users:(("cupsd",pid=2001,fd=8)) ino:16102 sk:4 cgroup:/system.slice/cups.service <->
LISTEN     0        128              0.0.0.0:ms-sql-s            0.0.0.0:*       users:(("sqlservr",pid=2335,fd=106)) uid:964 ino:699 sk:5 cgroup:/system.slice/mssql-server.service <->
LISTEN     0        128            127.0.0.1:ms-sql-m            0.0.0.0:*       users:(("sqlservr",pid=2335,fd=115)) uid:964 ino:28710 sk:6 cgroup:/system.slice/mssql-server.service <->
ESTAB      0        0           172.30.30.20:46994        135.181.38.249:https   users:(("firefox",pid=11407,fd=78)) uid:1000 ino:78920 sk:7 cgroup:/user.slice/user-1000.slice/session-2.scope <->
TIME-WAIT  0        0           172.30.30.20:45332        52.142.125.222:https   timer:(timewait,11sec,0) ino:0 sk:8                                            
ESTAB      0        0           172.30.30.20:49624          5.103.137.72:imaps   users:(("thunderbird",pid=14786,fd=87)) timer:(keepalive,17sec,0) uid:1000 ino:57186 sk:9 cgroup:/user.slice/user-1000.slice/session-2.scope <->
TIME-WAIT  0        0           172.30.30.20:34220        52.142.124.215:https   timer:(timewait,11sec,0) ino:0 sk:a                                            
ESTAB      0        0           172.30.30.20:42090         81.19.232.122:imaps   users:(("thunderbird",pid=14786,fd=83)) timer:(keepalive,11sec,0) uid:1000 ino:65548 sk:b cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:43134          176.9.38.148:imaps   users:(("thunderbird",pid=14786,fd=40)) timer:(keepalive,8.334ms,0) uid:1000 ino:74487 sk:c cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:49602          5.103.137.72:imaps   users:(("thunderbird",pid=14786,fd=30)) timer:(keepalive,51sec,0) uid:1000 ino:65550 sk:d cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:42106         81.19.232.122:imaps   users:(("thunderbird",pid=14786,fd=104)) timer:(keepalive,11sec,0) uid:1000 ino:57912 sk:e cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:42158         81.19.232.122:imaps   users:(("thunderbird",pid=14786,fd=109)) timer:(keepalive,11sec,0) uid:1000 ino:60980 sk:f cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:42102         81.19.232.122:imaps   users:(("thunderbird",pid=14786,fd=90)) timer:(keepalive,11sec,0) uid:1000 ino:53944 sk:10 cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:33642        44.240.126.239:https   users:(("firefox",pid=11407,fd=166)) timer:(keepalive,6min39sec,0) uid:1000 ino:48987 sk:11 cgroup:/user.slice/user-1000.slice/session-2.scope <->
ESTAB      0        0           172.30.30.20:52046         81.19.232.124:imaps   users:(("thunderbird",pid=14786,fd=84)) timer:(keepalive,3.187ms,0) uid:1000 ino:65549 sk:12 cgroup:/user.slice/user-1000.slice/session-2.scope <->
LISTEN     0        128                [::1]:rgtp                   [::]:*       users:(("sqlservr",pid=2335,fd=113)) uid:964 ino:702 sk:13 cgroup:/system.slice/mssql-server.service v6only:1 <->
LISTEN     0        128                [::1]:ipp                    [::]:*       users:(("cupsd",pid=2001,fd=7)) ino:16101 sk:14 cgroup:/system.slice/cups.service v6only:1 <->
LISTEN     0        128                    *:ms-sql-s                  *:*       users:(("sqlservr",pid=2335,fd=105)) uid:964 ino:697 sk:15 cgroup:/system.slice/mssql-server.service v6only:0 <->
LISTEN     0        128                [::1]:ms-sql-m               [::]:*       users:(("sqlservr",pid=2335,fd=109)) uid:964 ino:28709 sk:16 cgroup:/system.slice/mssql-server.service v6only:1 <->
[ts ~]# ss -atulpn
Netid               State                Recv-Q               Send-Q                             Local Address:Port                              Peer Address:Port              Process                                             
tcp                 LISTEN               0                    10                                       0.0.0.0:5900                                   0.0.0.0:*                  users:(("lightdm",pid=2016,fd=11))                 
tcp                 LISTEN               0                    128                                      0.0.0.0:45622                                  0.0.0.0:*                  users:(("sshd",pid=2010,fd=3))                     
tcp                 LISTEN               0                    128                                    127.0.0.1:1431                                   0.0.0.0:*                  users:(("sqlservr",pid=2335,fd=116))               
tcp                 LISTEN               0                    128                                    127.0.0.1:631                                    0.0.0.0:*                  users:(("cupsd",pid=2001,fd=8))                    
tcp                 LISTEN               0                    128                                      0.0.0.0:1433                                   0.0.0.0:*                  users:(("sqlservr",pid=2335,fd=106))               
tcp                 LISTEN               0                    128                                    127.0.0.1:1434                                   0.0.0.0:*                  users:(("sqlservr",pid=2335,fd=115))               
tcp                 LISTEN               0                    128                                        [::1]:1431                                      [::]:*                  users:(("sqlservr",pid=2335,fd=113))               
tcp                 LISTEN               0                    128                                        [::1]:631                                       [::]:*                  users:(("cupsd",pid=2001,fd=7))                    
tcp                 LISTEN               0                    128                                            *:1433                                         *:*                  users:(("sqlservr",pid=2335,fd=105))               
tcp                 LISTEN               0                    128                                        [::1]:1434                                      [::]:*                  users:(("sqlservr",pid=2335,fd=109))               
[ts ~]# ss -r | grep -v '*'
Netid State  Recv-Q Send-Q                     Local Address:Port                                            Peer Address:Port  Process
udp   ESTAB  0      0                     ts.net.nix.dk%eno1:bootpc                                         ns.net.nix.dk:bootps       
tcp   ESTAB  0      0                          ts.net.nix.dk:46994           static.249.38.181.135.clients.your-server.de:https        
tcp   ESTAB  0      0                          ts.net.nix.dk:49624                        5.103.137.72.static.fibianet.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:42090                               webhotel22.webhosting.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:43134                                       mail.manjaro.org:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:49602                        5.103.137.72.static.fibianet.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:42106                               webhotel22.webhosting.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:42158                               webhotel22.webhosting.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:42102                               webhotel22.webhosting.dk:imaps        
tcp   ESTAB  0      0                          ts.net.nix.dk:33642     ec2-44-240-126-239.us-west-2.compute.amazonaws.com:https        
tcp   ESTAB  0      0                          ts.net.nix.dk:52046                               webhotel24.webhosting.dk:imaps        
[ts ~]# lsof -u root | grep -i listen
lsof: WARNING: can't stat() fuse.jetbrains-toolbox file system /tmp/.mount_jetbraeabpJz
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
systemd       1 root   19u     unix 0x00000000b7f26bb8      0t0      27797 /run/systemd/private type=STREAM (LISTEN)
systemd       1 root   20u     unix 0x000000006c623057      0t0      27799 /run/systemd/userdb/io.systemd.DynamicUser type=STREAM (LISTEN)
systemd       1 root   21u     unix 0x000000004cdb08ea      0t0      27800 /run/systemd/io.system.ManagedOOM type=STREAM (LISTEN)
systemd       1 root   33u     unix 0x00000000894a4627      0t0      27813 /run/lvm/lvmetad.socket type=STREAM (LISTEN)
systemd       1 root   34u     unix 0x00000000bff3f983      0t0      27815 /run/lvm/lvmpolld.socket type=STREAM (LISTEN)
systemd       1 root   35u     unix 0x00000000efafc7e6      0t0      27817 /run/systemd/coredump type=SEQPACKET (LISTEN)
systemd       1 root   39u     unix 0x0000000031f3ea4f      0t0      27825 /run/systemd/journal/stdout type=STREAM (LISTEN)
systemd       1 root   40u     unix 0x00000000cb43dd08      0t0      27827 /run/udev/control type=SEQPACKET (LISTEN)
systemd       1 root   51u     unix 0x0000000014cfcdbb      0t0      21590 /run/cups/cups.sock type=STREAM (LISTEN)
systemd       1 root   52u     unix 0x0000000046d35f6d      0t0      21592 /run/dbus/system_bus_socket type=STREAM (LISTEN)
systemd       1 root   54u     unix 0x0000000003be4fbc      0t0      21594 /run/libvirt/libvirt-sock type=STREAM (LISTEN)
systemd       1 root   55u     unix 0x00000000f2256011      0t0      21596 /run/libvirt/libvirt-admin-sock type=STREAM (LISTEN)
systemd       1 root   56u     unix 0x0000000053a9a307      0t0      21598 /run/libvirt/libvirt-sock-ro type=STREAM (LISTEN)
systemd       1 root   57u     unix 0x00000000ae992235      0t0      21600 /run/libvirt/virtlockd-sock type=STREAM (LISTEN)
systemd       1 root   58u     unix 0x00000000c698bd91      0t0      21602 /run/libvirt/virtlogd-sock type=STREAM (LISTEN)
systemd-j   309 root    6u     unix 0x0000000031f3ea4f      0t0      27825 /run/systemd/journal/stdout type=STREAM (LISTEN)
systemd-j   309 root    9u     unix 0x0000000077e78dcd      0t0        210 /run/systemd/journal/io.systemd.journal type=STREAM (LISTEN)
systemd-u   327 root    4u     unix 0x00000000cb43dd08      0t0      27827 /run/udev/control type=SEQPACKET (LISTEN)
lvmetad     332 root    3u     unix 0x00000000894a4627      0t0      27813 /run/lvm/lvmetad.socket type=STREAM (LISTEN)
systemd-m   554 root    9u     unix 0x00000000b04d5106      0t0      21637 /run/systemd/userdb/io.systemd.Machine type=STREAM (LISTEN)
cupsd      2001 root    3u     unix 0x0000000014cfcdbb      0t0      21590 /run/cups/cups.sock type=STREAM (LISTEN)
cupsd      2001 root    7u     IPv6              16101      0t0        TCP localhost:ipp (LISTEN)
cupsd      2001 root    8u     IPv4              16102      0t0        TCP localhost:ipp (LISTEN)
sshd       2010 root    3u     IPv4              21749      0t0        TCP *:45622 (LISTEN)
lightdm    2016 root   11u     IPv4              23078      0t0        TCP *:rfb (LISTEN)
Xorg       2046 root    5u     unix 0x000000007cb62f9c      0t0      14902 @/tmp/.X11-unix/X0 type=STREAM (LISTEN)
Xorg       2046 root    6u     unix 0x000000007312f07b      0t0      14903 /tmp/.X11-unix/X0 type=STREAM (LISTEN)
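The distinction that matters in the `ss -atulpn` output above is not how many sockets are listening but where they are bound: a listener on `127.0.0.1` or `[::1]` is unreachable from the network no matter what the firewall does, while one on `0.0.0.0`, `[::]` or `*` is exactly what UFW (or the USG in front of it) has to gate. The script below is an added example and not code posted by anyone in this thread. It parses the column layout `ss -atulpn` prints and lists the listeners that are reachable from outside the host. The sample input is constructed from the lines shown above; the `udp`/`dhcpcd` line is an invented addition, included only so the UDP case (state `UNCONN` rather than `LISTEN`) is exercised.

```python
"""List network-reachable listeners from `ss -atulpn` output.

Added example for this thread (not code from any participant). Run it as
`ss -atulpn | python3 ss_exposed.py` or with no stdin to use the built-in sample.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the `ss -atulpn` output shown in the thread.
# The udp/dhcpcd line is invented to exercise the UDP (UNCONN) case.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
tcp   LISTEN 0      10     0.0.0.0:5900       0.0.0.0:*          users:(("lightdm",pid=2016,fd=11))
tcp   LISTEN 0      128    0.0.0.0:45622      0.0.0.0:*          users:(("sshd",pid=2010,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*          users:(("cupsd",pid=2001,fd=8))
tcp   LISTEN 0      128    [::1]:1434         [::]:*             users:(("sqlservr",pid=2335,fd=115))
tcp   LISTEN 0      128    *:1433             *:*                users:(("sqlservr",pid=2335,fd=105))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*          users:(("dhcpcd",pid=400,fd=5))
tcp   ESTAB  0      0      172.30.30.20:46994 135.181.38.249:443 users:(("firefox",pid=11407,fd=78))
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}
# First process name and pid inside the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass
class Socket:
    proto: str
    state: str
    host: str
    port: str
    process: str
    pid: Optional[int]

    @property
    def scope(self) -> str:
        """Where this socket can be reached from, judged by its bind address."""
        if self.host in LOOPBACK_HOSTS or self.host.startswith("127."):
            return "loopback"
        if self.host in WILDCARD_HOSTS:
            return "all-interfaces"
        return "specific-address"

    @property
    def listening(self) -> bool:
        # TCP listeners are shown as LISTEN; bound UDP sockets appear as UNCONN.
        return self.state == "LISTEN" or (self.proto == "udp" and self.state == "UNCONN")


def split_hostport(field: str):
    """Split 'host:port' on the last colon so '[::1]:631' and '*:1433' both work."""
    host, _, port = field.rpartition(":")
    return host, port


def parse_ss(text: str) -> List[Socket]:
    """Parse `ss -atulpn` lines; the header and unknown Netid rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue
        proto, state, _recvq, _sendq, local, _peer = parts[:6]
        host, port = split_hostport(local)
        process, pid = "-", None
        match = PROC_RE.search(line)
        if match:
            process, pid = match.group(1), int(match.group(2))
        sockets.append(Socket(proto, state, host, port, process, pid))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Listeners that are not confined to loopback, i.e. what a firewall must gate."""
    return [s for s in sockets if s.listening and s.scope != "loopback"]


def report(text: str) -> List[str]:
    """One line per network-reachable listener: proto/port, scope, process."""
    return [f"{s.proto}/{s.port} {s.scope} {s.process}(pid {s.pid})"
            for s in exposed_listeners(parse_ss(text))]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in report(data):
        print(line)
```

On the sample this reports the VNC listener (5900), the non-standard sshd port (45622), the SQL Server listener on `*:1433` and the UDP DHCP client socket, and stays silent about CUPS on `127.0.0.1:631` and the `[::1]` SQL Server ports. Anything that shows up here is a candidate for either binding to loopback or an explicit firewall rule; anything absent needs no rule at all.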

Well, looking at your outcome, mine doesn’t seem abnormal :wink:

I’m now puzzled by another issue: I also use NextDNS to do something like your bind zone + avoid my ISP’s lying DNS.

…and there is an issue (I opened a ticket on Flathub’s forum for this).

I added a delay for any incorrect password to deter any brute-force attempts
https://wiki.archlinux.org/index.php/Security#Enforce_a_delay_after_a_failed_login_attempt

not sure if that helps.