On Friday 20 Jan 2012 23:34:12 Grant wrote:

> >>>> >> My firewall is blocking periodic outbound connections to port 3680
> >>>> >> on a Rackspace IP. How can I find out more about what's going on?
> >>>> >> Maybe which program is generating the connection requests?
> >>>> >
> >>>> > Uh, a packet sniffer?
> >>>> >
> >>>> > I have an old laptop here that I have a second (cardbus) network
> >>>> > card in. Really cheap and cheerful - the sort of thing you can pick
> >>>> > up on freecycle. It's been a while since I've done anything like
> >>>> > this, but you should be able to stick a box like that between the
> >>>> > router and the rest of your network, run Wireshark and filter on
> >>>> > that port. If the connection is encrypted then at least you'll see
> >>>> > the originating IP.
> >>>>
> >>>> I've actually got the originating local IP from the shorewall log.
> >>>> I'm just trying to figure out which program and maybe which user on
> >>>> that system is generating the outbound requests to port 3680. Is
> >>>> there any way to get more info without setting up a new box?
> >>>>
> >>>> > I don't think it's relevant that the IP belongs to Rackspace - don't
> >>>> > they just hire (virtual) servers to anyone that wants one?
> >>>>
> >>>> Yeah, I just meant the request could be going to "anyone".
> >>>>
> >>>> - Grant
> >>>
> >>> Are you running NPDS in your LAN and is it configured to access any
> >>> sites on rackspace?
> >>> --
> >>> Regards,
> >>> Mick
> >>
> >> I am not running NPDS. I looked it up when I was researching port
> >> 3680 and read about it for the first time. I know which machine is
> >> making the requests. Any way to drill down further?
> >
> > If the machine is running Linux, then 'watch "lsof -n|grep TCP|grep
> > 3680"' as root is a sloppy but effective way to find it. There's
> > probably some way to set up a firewall rule on the host in question
> > that logs out the user and (possibly) PID of the connection, but I
> > don't know.
>
> All of my systems run Gentoo. :) Where does watch come from?
>
> - Grant

ps axf and look at the tree that contains the PID of what lsof | grep 3680
showed.
--
Regards,
Mick
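The lsof/ps steps above, done without lsof by reading /proc directly, as an added example that is not part of the thread. It assumes a Linux host with procps-ng ps and GNU coreutils; the script name findport.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: locate the process (and its owner) behind
# outbound TCP connections to a remote port by reading /proc/net/tcp directly,
# so it needs no lsof. Assumes Linux with procps-ng ps and GNU coreutils.
# Port 3680 is the one discussed in the thread. The rem_address column in
# /proc/net/tcp is HEXIP:HEXPORT, and a SYN that the firewall drops leaves the
# socket in state 02 (SYN_SENT), which this still catches.

# 3680 -> 0E60, the form /proc/net/tcp uses for the port.
port_hex() { printf '%04X' "$1"; }

# Read /proc/net/tcp-format text on stdin; print the socket inode of every
# entry whose remote port matches $1. Field 3 is rem_address, field 10 is inode.
inodes_for_port() {
    awk -v p="$(port_hex "$1")" '$1 != "sl" && $3 ~ (":" p "$") { print $10 }'
}

# Map a socket inode to the PIDs that hold it open. Reading other users'
# /proc/<pid>/fd needs root, which is why the thread says to run as root.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            echo "$fd" | cut -d/ -f3
        fi
    done | sort -u
}

# For each matching connection: user, PID, command line, then the process
# tree around that PID (the "ps axf" step from the thread, narrowed to one PID).
report() {
    for inode in $(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | inodes_for_port "$1" | sort -u); do
        for pid in $(pids_for_inode "$inode"); do
            printf 'port %s socket inode %s -> pid %s user %s cmd: %s\n' "$1" "$inode" "$pid" \
                "$(stat -c %U "/proc/$pid")" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
            ps -o pid,ppid,user,etime,args --forest -p "$pid" --ppid "$pid"
        done
    done
}

# Usage: sh findport.sh 3680   (as root; with no argument it only defines the functions)
if [ $# -gt 0 ]; then report "$1"; fi
```

Wrap it in watch as the thread suggests (watch -n 1 sh findport.sh 3680) to catch the periodic attempts while they are in SYN_SENT.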