On Fri, Jan 20, 2012 at 6:34 PM, Grant <emailgrant@×××××.com> wrote:
>>>>> >> My firewall is blocking periodic outbound connections to port 3680 on
>>>>> >> a Rackspace IP. How can I find out more about what's going on? Maybe
>>>>> >> which program is generating the connection requests?
>>>>> >
>>>>> > Uh, a packet sniffer?
>>>>> >
>>>>> > I have an old laptop here that I have a second (cardbus) network card in.
>>>>> > Really cheap and cheerful - the sort of thing you can pick up on
>>>>> > freecycle. It's been a while since I've done anything like this, but you
>>>>> > should be able to stick a box like that between the router and the rest
>>>>> > of your network, run Wireshark and filter on that port. If the
>>>>> > connection is encrypted then at least you'll see the originating IP.
>>>>>
>>>>> I've actually got the originating local IP from the shorewall log.
>>>>> I'm just trying to figure out which program and maybe which user on
>>>>> that system is generating the outbound requests to port 3680. Is
>>>>> there any way to get more info without setting up a new box?
>>>>>
>>>>> > I don't think it's relevant that the IP belongs to Rackspace - don't they
>>>>> > just hire (virtual) servers to anyone that wants one?
>>>>>
>>>>> Yeah I just meant the request could be going to "anyone".
>>>>>
>>>>> - Grant
>>>>
>>>> Are you running NPDS in your LAN and is it configured to access any sites on
>>>> rackspace?
>>>> --
>>>> Regards,
>>>> Mick
>>>
>>> I am not running NPDS. I looked it up when I was researching port
>>> 3680 and read about it for the first time. I know which machine is
>>> making the requests. Any way to drill down further?
>>
>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>> 3680"' as root is a sloppy but effective way to find it. There's
>> probably some way to set up a firewall rule on the host in question
>> that logs out the user and (possibly) PID of the connection, but I
>> don't know.
>
> All of my systems run Gentoo. :) Where does watch come from?

shortcircuit@saffron ~ $ equery b `which watch`
/usr/lib64/portage/pym/portage/package/ebuild/config.py:353:
UserWarning: 'cache.metadata_overlay.database' is deprecated:
/etc/portage/modules
(user_auxdbmodule, modules_file))
* Searching for /usr/bin/watch ...
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
shortcircuit@saffron ~ $

Incidentally, does anyone know why all my portage-related executions
get that 'cache.metadata_overlay.database' warning? I've been seeing
it for weeks, even on fresh installs. I would have assumed a bug like
that would have been fixed by now.


--
:wq
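
The drill-down asked about in this thread can also be done by reading the kernel's socket table directly, which is the same information lsof reports. The following is an added example, not part of the original messages: it finds sockets whose remote port is 3680 in /proc/net/tcp (IPv4 only), reports the owning UID, and maps the socket inode to PIDs. The function names and the sample rows (including the 203.0.113.10 address) are constructed for illustration.

```python
import os, socket, struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT"}

def parse_addr(hexaddr):
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp (IPv4; assumes a little-endian host)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def find_sockets(proc_net_tcp_text, remote_port=3680):
    """Return one dict per socket whose remote port matches."""
    hits = []
    for line in proc_net_tcp_text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header row or blank line
        rip, rport = parse_addr(f[2])
        if rport != remote_port:
            continue
        lip, lport = parse_addr(f[1])
        hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": f[9]})
    return hits

def pids_for_inode(inode):
    """PIDs holding an fd on socket:[inode]; run as root to see other users."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in fds):
                pids.append(int(pid))
        except OSError:
            continue  # process exited mid-scan or permission denied
    return pids

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:B26E 0A7100CB:0E60 02 00000001:00000000 01:00000064 00000002  1000        0 48213 2 0000000000000000 400 0 0 1 7
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for s in find_sockets(fh.read()):
            print(s, pids_for_inode(s["inode"]))
```

The uid column answers the "which user" part even when the PID lookup comes back empty because the process has already exited. Since the connections are periodic, the script has to be run in a loop (for example under watch) to catch a socket while it exists.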