(on 02/20/2020 at 7:34pm mountain time, Frank said)
Another suggestion, get Wireshark for sniffing traffic, run a sniffer trace as you are using the machine. You'll want to capture any IP (layer 3) traffic leaving or entering your machine (may want to setup filters to reduce capture size). This may be a way to start your analysis.
Disable any services (daemons) running on the machine that are not required with a listening port: sudo netstat -tulpn | grep LISTEN above will display listening ports This is at least a start
Except for the netstat command, that went over my head. I have no training in sysadmin and IT security. I'm a home user. I don't know how to do what you suggest, or what to look for in the output.
Output to the netstat command is the same as what I put in my earlier reply to Ed.
(my own idea) I tried wading through several thousand lines of journalctl output. I couldn't even find my 2 logins since the last boot (late this morning). I vaguely recall a few years ago stumbling onto large numbers of hack attempts noted in journalctl output, but I don't remember what to look for.