[Novalug] Tracking connections

shawn wilson ag4ve.us@gmail.com
Tue Sep 10 16:16:26 EDT 2013


I'm trying to figure out what is making these connections:
root@midas:/etc/init.d# grep 'DST=91.189.89' /var/log/messages | sed -r 's/SRC=[^ ]+/SRC=x/' | head -1
Sep  8 08:00:37 midas kernel: [755934.477294] FW: output ACCEPT IN= OUT=eth0
SRC=x DST=91.189.89.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13017 DF
PROTO=TCP SPT=35947 DPT=443 SEQ=2951868270 ACK=0 WINDOW=14600 RES=0x00 SYN
URGP=0 UID=999 GID=1005

I changed the policy to a default drop and started dropping them, then
realized that within that /24 are the apt repos. I'm perfectly fine
talking to Canonical, but I don't really want to be reporting to them (or
dialing home without my explicit permission). So, how do I track down what
is causing this connection to be made? I.e., I want a process name - maybe
even the head of a process tree, but just getting a process id is my issue
at this point:

(the general theme is that the connection is no longer present when I'm
looking for it)

lsof -i:443
(no socket)

ss -ep dst 91.189.89.0/24
(no socket)

auditctl -a exit,always -F arch=b64 -S socket -k SOCKET
ausearch -i -ts today -k SOCKET
(can't tell one connection from the other - i.e., how do I grep for the
subnet?)
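One way to narrow this down from what the post already has, as an added example that is not part of the original message: the netfilter log line carries the UID/GID of the socket owner, so the SYN lines in the log can be grouped by UID per /24, and auditd can then be pointed at the connect() syscall (rather than socket()) for that UID, since the interpreted SOCKADDR record of a connect() carries the destination address that can be grepped. The log lines below are constructed for the example; the subnet, UID and audit key are assumptions.

```shell
#!/bin/sh
# Constructed sample of kernel netfilter log lines (not from the original post).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep  8 08:00:37 midas kernel: [755934.477294] FW: output ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=91.189.89.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13017 DF PROTO=TCP SPT=35947 DPT=443 SEQ=2951868270 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 UID=999 GID=1005
Sep  8 08:00:52 midas kernel: [755949.300000] FW: output ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=91.189.89.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13099 DF PROTO=TCP SPT=35951 DPT=443 SEQ=2951900000 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 UID=999 GID=1005
Sep  8 08:01:02 midas kernel: [755959.100000] FW: output ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=91.189.89.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13120 DF PROTO=TCP SPT=35960 DPT=80 SEQ=2951950000 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Sep  8 08:02:11 midas kernel: [756028.200000] FW: output ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13200 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 UID=999 GID=1005
EOF

# Count, per UID/GID/destination port, the TCP SYN packets (first packet of each
# connection, so the UID is the process that opened it) whose DST lies in the
# given /24.  Usage: syn_owners LOGFILE 91.189.89
syn_owners() {
    awk -v net="$2" '
        / SYN / && /PROTO=TCP/ {
            uid = ""; gid = ""; dpt = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "UID") uid = kv[2]
                else if (kv[1] == "GID") gid = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            # dst is in net/24 when it is "net." followed only by a last octet
            if (substr(dst, 1, length(net) + 1) == net "." &&
                substr(dst, length(net) + 2) ~ /^[0-9]+$/)
                print "uid=" uid " gid=" gid " dpt=" dpt
        }' "$1" | sort | uniq -c | sort -rn
}

# Audit rule for the UID found above: record every connect() it makes.  The
# resulting records carry pid, ppid, comm and exe, and `ausearch -i` decodes the
# SOCKADDR record so the destination address can be grepped for the subnet.
audit_rule_for_uid() {
    printf 'auditctl -a exit,always -F arch=b64 -S connect -F uid=%s -k CONNECT_%s\n' "$1" "$1"
}

syn_owners "$SAMPLE_LOG" 91.189.89
audit_rule_for_uid 999
```

The UID itself already narrows the search: `getent passwd 999` names the account, which on a Debian-style box is usually a service account rather than a login user.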