Unwanted connection to Tor exit node from lan

Btoo

My Gentoo box tries to connect to a tor exit node.

Does someone have a strategy to figure out where, or what program is trying to do this?

I suppose I could use ntop and look for the IP.

An application firewall would be great and I have looked at trying to get Opensnitch installed but there is no ebuild for it. There is also Netcap, also no ebuild though.

Any ideas would be helpful!

Thanks

Leonardo.b · Apprentice Joined: 10 Oct 2020 Posts: 294

Btoo · Posted: Mon Jul 04, 2022 9:36 pm Post subject:

I think this because my PfSense firewall catches and rejects the outbound connection.

Netstat is okay, I will have to look into the man page to make it more useful.

Thanks

Leonardo.b · Apprentice Joined: 10 Oct 2020 Posts: 294

Maybe PfSense has some logging facility, but I don't know how to use it.
You might give a look at that as well.

Btoo · Posted: Mon Jul 04, 2022 10:18 pm Post subject:

Reviewing the logs is how I found it. My goal now is to find out what program is trying to make that connection.

I guess I should have made the topic Application Firewall?”

Etal · Veteran Joined: 15 Jul 2005 Posts: 1931

You're probably looking for something like netstat -nap64. Edit: although if it's getting blocked you won't see it since it doesn't get established.

A more heavy-handed option might be worth looking at is dev-util/bpftrace, although I never used it myself: https://github.com/iovisor/bpftrace/blob/master/tools/tcpconnect_example.txt

Etal · Veteran Joined: 15 Jul 2005 Posts: 1931

You can find an opensnitch ebuild in the pentoo overlay: https://gpo.zugaina.org/app-admin/opensnitch

Btoo · Posted: Mon Jul 04, 2022 10:46 pm Post subject:

I did find that and attempted an install. It seems the ebuild is EAP 5, while my system is a higher version and not compatible. That is a whole new subject, one of which I haven’t paid much attention to (EAP).

Not sure I can get around that, maybe the ebuild could be upgraded?
Seems that I will have to look into it

Thanks

pietinger · Posted: Tue Jul 05, 2022 1:46 am Post subject:

An old and cheap trick is:

Btoo · Posted: Tue Jul 05, 2022 4:03 am Post subject:

toralf · Posted: Tue Jul 05, 2022 7:36 am Post subject:

I do prefer ss over netstatin the meanwhile.

pietinger · Posted: Tue Jul 05, 2022 10:19 am Post subject:

Btoo · Posted: Wed Jul 06, 2022 12:58 am Post subject:

Unfortunately now I have to wait for the attempted connection again as it rolled off my logs in PfSense, so I cannot check the port used.

I was successful installing OpenSnitch on another Gentoo box and found the following:

Zugaina lists OpenSnitch at their repository, but that is not the same git-hub repository as you pick when adding it to your repos.conf

OpenSnitch is available in Pentoo, added via "eselect-repository". It was news to me that layman is outdated. The "EAPI 5" error I had was using eix-update with layman.

eselect-repository seems a bit easier to manage than I remember using Layman.

So after adding ~amd64 to a couple of files for packages in package_accept_keywords/ OpenSnitch is installed and working on this other machine. On my main machine python3.10 is the issue right now. That needs to be fixed as there were all kinds of conflicts in python.

I will report back as I am using netstat -napc64 and ss -t -u -a -p

Thanks for the help