Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Mon Jul 04, 2022 6:21 pm Post subject: Unwanted connection to Tor exit node from lan
My Gentoo box tries to connect to a tor exit node.
Does someone have a strategy to figure out where, or what program is trying to do this?
I suppose I could use ntop and look for the IP.
An application firewall would be great and I have looked at trying to get Opensnitch installed but there is no ebuild for it. There is also Netcap, also no ebuild though.
Any ideas would be helpful!
Thanks
Leonardo.b Apprentice
Joined: 10 Oct 2020 Posts: 294
Posted: Mon Jul 04, 2022 7:28 pm Post subject: Re: Unwanted connection to Tor exit node from lan
Btoo wrote: | My Gentoo box tries to connect to a tor exit node. |
Why do you think this?
Assuming your box is not compromised, netstat can display active connections on the system.
Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Mon Jul 04, 2022 9:36 pm
I think this because my pfSense firewall catches and rejects the outbound connection.
Netstat is okay, I will have to look into the man page to make it more useful.
Thanks
Leonardo.b Apprentice
Joined: 10 Oct 2020 Posts: 294
Posted: Mon Jul 04, 2022 10:11 pm
Maybe pfSense has some logging facility, but I don't know how to use it.
You might have a look at that as well.
|
Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Mon Jul 04, 2022 10:18 pm
Reviewing the logs is how I found it. My goal now is to find out what program is trying to make that connection.
I guess I should have made the topic "Application Firewall"?
|
Etal Veteran
Joined: 15 Jul 2005 Posts: 1931
Posted: Mon Jul 04, 2022 10:28 pm
You're probably looking for something like netstat -nap64. Edit: although if it's getting blocked you won't see it since it doesn't get established.
A more heavy-handed option that might be worth looking at is dev-util/bpftrace, although I have never used it myself: https://github.com/iovisor/bpftrace/blob/master/tools/tcpconnect_example.txt
Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Mon Jul 04, 2022 10:46 pm
I did find that and attempted an install. It seems the ebuild is EAP 5, while my system is a higher version and not compatible. That is a whole new subject, one I haven't paid much attention to (EAP).
Not sure I can get around that, maybe the ebuild could be upgraded?
Seems that I will have to look into it.
Thanks
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4125 Location: Bavaria
Posted: Tue Jul 05, 2022 1:46 am
An old and cheap trick is:
Code: | watch -n <sec> lsof -i TCP:<dport> >> logfile |
(take 1 for <sec>)
Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Tue Jul 05, 2022 4:03 am
Code: | watch -n <sec> lsof -i TCP:<dport> >> logfile |
That is a gem.
I will check these things out tomorrow and report back.
Thanks
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Tue Jul 05, 2022 7:36 am
I do prefer ss over netstat in the meanwhile.
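The three suggestions above (Etal's netstat -nap, pietinger's one-second lsof poll appended to a logfile, and toralf's preference for ss) amount to the same procedure: repeatedly list sockets, keep the ones whose peer is the IP pfSense logged, and record which process owns them. The script below is an added example written for this thread, not code posted by any participant. It polls `ss -tanp` rather than `watch` (watch needs a terminal, so redirecting it to a file does not do what the one-liner suggests) and it deliberately keeps SYN-SENT sockets, because a connection that pfSense drops upstream never becomes ESTABLISHED but does sit in SYN-SENT locally while the kernel retransmits the SYN. The ss output embedded in the block is constructed for offline testing; the peer 203.0.113.7, the local addresses, the process names and the PIDs are all made up.

```shell
#!/bin/sh
# Added example (not from the thread): find which local process is opening
# connections to a given peer IP, by polling `ss -tanp`.

# Constructed sample of `ss -tanp` output so the parser can be exercised
# offline. 203.0.113.7 (documentation range) stands in for the Tor exit node
# that pfSense logged; "python3" pid 4102 is the invented culprit.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB    0      0      192.168.1.10:44512  93.184.216.34:443   users:(("firefox",pid=2311,fd=88))
SYN-SENT 0      1      192.168.1.10:51022  203.0.113.7:9001    users:(("python3",pid=4102,fd=5))
LISTEN   0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=812,fd=3))'

# who_talks_to IP [SS_OUTPUT]
# Prints one "STATE PID COMMAND" line per TCP socket whose peer address is IP,
# in any state (SYN-SENT included). With a single argument it runs `ss -tanp`
# itself; run that as root, otherwise the Process column is empty for sockets
# owned by other users and PID/COMMAND come out as "?". A second argument is
# parsed instead of running ss, which is what the sample above is for.
who_talks_to() {
    ip=$1
    if [ $# -ge 2 ]; then input=$2; else input=$(ss -tanp); fi
    printf '%s\n' "$input" | awk -v ip="$ip" '
        # $5 is "peer:port"; require an exact IP match followed by the colon
        NR > 1 && index($5, ip ":") == 1 {
            pid = "?"; comm = "?"
            # process column looks like users:(("name",pid=123,fd=4))
            if (match($0, /pid=[0-9]+/)) pid  = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /\("[^"]+"/))  comm = substr($0, RSTART + 2, RLENGTH - 3)
            print $1, pid, comm
        }'
}

# log_attempts IP LOGFILE [SECONDS]
# The poll loop from the thread without the watch(1) terminal dependency:
# every SECONDS (default 1) append timestamped hits for IP to LOGFILE.
log_attempts() {
    ip=$1; logfile=$2; interval=${3:-1}
    while :; do
        who_talks_to "$ip" | while read -r line; do
            printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line" >> "$logfile"
        done
        sleep "$interval"
    done
}

# Usage, as root, with the IP taken from the pfSense firewall log:
#   log_attempts 203.0.113.7 /var/log/tor-attempts.log
```

Once a PID shows up in the log, `readlink /proc/<pid>/exe` and `tr '\0' ' ' < /proc/<pid>/cmdline` identify the binary and its arguments even if the process is short-lived enough that it is gone by the time you look at ps. Two caveats on what a poll can and cannot see: a SYN that is silently dropped upstream leaves the socket in SYN-SENT through the retransmit window (roughly two minutes with default settings), so a one-second poll will catch it; a connection that is rejected with a RST, or blocked by a local OUTPUT rule so that connect() fails at once (pietinger's point below), disappears almost immediately, and for that case an event-driven tracer such as the bpftrace tcpconnect tool Etal linked is the better fit.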
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4125 Location: Bavaria
Posted: Tue Jul 05, 2022 10:19 am
Btoo wrote: | I will check these things out tomorrow and report back. |
Please don't forget: it will work only if you have allowed outgoing traffic to Tor in your personal firewall.
(I did these kinds of checks by allowing ALL in my firewall AND disconnecting my DSL router from the WAN => to be offline during this time!)
|
Btoo n00b
Joined: 24 Sep 2008 Posts: 42 Location: An isolated island
Posted: Wed Jul 06, 2022 12:58 am
Unfortunately now I have to wait for the attempted connection again, as it rolled off my logs in pfSense, so I cannot check the port used.
I was successful installing OpenSnitch on another Gentoo box and found the following:
Zugaina lists OpenSnitch at their repository, but that is not the same GitHub repository as you pick when adding it to your repos.conf.
OpenSnitch is available in Pentoo, added via "eselect-repository". It was news to me that layman is outdated. The "EAPI 5" error I had was using eix-update with layman.
eselect-repository seems a bit easier to manage than I remember Layman being.
So after adding ~amd64 to a couple of files for packages in package.accept_keywords/, OpenSnitch is installed and working on this other machine. On my main machine python3.10 is the issue right now. That needs to be fixed, as there were all kinds of conflicts in python.
I will report back as I am using netstat -napc64 and ss -t -u -a -p.
Thanks for the help