Fedora-32 home workstation; gnome.
In ksysguard, I've been noticing internet activity that I can't explain. This has been going on for weeks, and it's making me uncomfortable.
What I do:
1. After the system has been powered down overnight, I boot it up.
2. I sign in to a user account.
3. My .bash_profile sources my .bashrc, sets PATH, and launches xeyes. My .bashrc sources /etc/bashrc, sets PS1 and PATH, and defines aliases.
4. I launch ksysguard, then Spectacle.
5. I wait several seconds, then take a screen-capture of ksysguard's display.
To get a good sample, I did five screen-captures. Here are the google drive links to them: "https://drive.google.com/file/d/1EdlSgKY0fJpU7r3nbstWA7G_2C93gOgO/view?usp=s..." "https://drive.google.com/file/d/1jfocTMRnwguRdDIchoBtsNYYwQZr647i/view?usp=s..." "https://drive.google.com/file/d/1Tx3kDEMbL_TCZZ-F0YOVOXSy2D9G3MAM/view?usp=s..." "https://drive.google.com/file/d/157KU27QtsJTZghyRgeuafYSnvxR85im4/view?usp=s..." "https://drive.google.com/file/d/1AyZDRvcKYHYypNSU6AF9Fh34rh_l3q2J/view?usp=s..."
Notes:
- neither Thunderbird nor any other e-mail client nor Firefox nor any other browser had been launched since powering up.
- as far as I know, nothing else that uses the internet had been launched since powering up. Actually, the only things I had running were xeyes, ksysguard, Spectacle, and (in the last screen-shot only) gnome terminal (which was idle).
- as far as I know, nothing is set to auto-update.
- as far as I know, nothing has telemetry permission enabled.
Yet there is persistent, continual (not continuous) internet activity in both directions. What is it? What on my system is communicating with what externally, and what is being communicated? Unauthorized updating? Unauthorized telemetry? Unauthorized distributed computing? Spyware? Crypto-currency mining?
This is way outside my knowledge and experience. I need good step-by-step instructions on this.
Thank-you in advance. Bill.
Bill,
The pictures you shared look to me like very low amounts of data (2-6 kilobytes). This is going to be the standard networking which goes on with linux all the time. System and network-based services are reaching out to the router (gateway) periodically to verify connectivity and the like. I don't believe this is anything to worry about.
-Joe
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
On 30/11/20 at 18:57, home user wrote:
AFAIK, Fedora checks for updates at intervals to notify them via dnfdragora. May be that.
On Mon, 2020-11-30 at 17:57 +0000, home user wrote:
In ksysguard, I've been noticing internet activity that I can't explain. This has been going on for weeks, and it's making me uncomfortable.
Only one of your image links loaded for me, the browser just spent ages with the spinning circle. This one worked:
https://drive.google.com/file/d/1AyZDRvcKYHYypNSU6AF9Fh34rh_l3q2J/view
There's a whole pile of things that could be network activity, but you really want to do something like "netstat -atuevp" to see what, where, and who is involved in network traffic.
- as far as I know, nothing else that uses the internet had been launched since powering up
Run "gnome-session-properties" and see what's enabled. There's often more than you need preconfigured to start, and turning off some junk can make logins quicker to complete.
Do you have apps that show you the weather, calendar appointments?
Is the clock using NTP to correct itself? Which is a good idea, by the way. At start-up it does a bit of checking, then it gathers data less often the longer it's running. Chrony is probably simpler, traffic-wise, but I found it unsuitable for machines that are left running.
You probably have Avahi/ZeroConf/Bonjour running, which looks for printers and other internet-of-things on your network. Likewise, if you have IOT gizmos at home, they're probably probing your computer, too.
The pictures you shared look to me like very low amounts of data (2-6 kilobytes). This is going to be the standard networking which goes on with linux all the time. System and network-based services are reaching out to the router (gateway) periodically to verify connectivity and the like.
I agree that the data flow is small. But this system is a stand-alone home work-station. It's not connected to anything but one modem, one printer (almost always off), 2 monitors, a pair of speakers, trackball, and keyboard. It seems like a lot of "reaching out". I would have thought that the system would have no interaction at all with the modem until it wants to send something out, or until it received a "wake-up" from the modem. But I'm not an OS programmer.
I don't believe this is anything to worry about.
I'm not fully convinced. But that is somewhat calming. Thank-you.
On Mon, 2020-11-30 at 17:57 +0000, home user wrote:
Only one of your image links loaded for me, the browser just spent ages with the spinning circle. This one worked:
https://drive.google.com/file/d/1AyZDRvcKYHYypNSU6AF9Fh34rh_l3q2J/view
Ah-ha! So that's it. The villain is google! It's trying to keep us from figuring that out! (just kidding) I also found that the images took a while to show; I got that spinning wheel, too, but for all 5 images. I think they downloaded quickly, but they took a while to display. Clicking Firefox's reload seemed to help. (I also notice that yahoo pages take a long time to load and display.)
There's a whole pile of things that could be network activity, but you really want to do something like "netstat -atuevp" to see what, where, and who is involved in network traffic.
There must be something more needed. I get a snapshot, that's all. I probably need a report of a full minute of data.
Run "gnome-session-properties" and see what's enabled. There's often more than you need preconfigured to start, and turning off some junk can make logins quicker to complete.
I can't find that, not in the "Activities", not in the settings or tweak tools, not by command line. How do I launch it?
Do you have apps that show you the weather, calendar appointments?
I use the calendar that comes with Thunderbird. It is a private home calendar. It is not on the internet. As far as I know, no weather, other calendar, etc. apps are running on this work-station. They are on the system, but should not be running.
Is the clock using NTP to correct itself? Which is a good idea, by the way. At start-up it does a bit of checking, then it gathers data less often the longer it's running. Chrony is probably simpler, traffic-wise, but I found it unsuitable for machines that are left running.
How do I check that? And how do I change it? By the way, I power down every night; and power up every morning.
You probably have Avahi/ZeroConf/Bonjour running, which looks for printers and other internet-of-things on your network. Likewise, if you have IOT gizmos at home, they're probably probing your computer, too.
I could not find any of those in the ksysguard process table. By the way, my printer is powered up only when I print, which is rarely. I do not have any IOT gizmos. I have a modem, no router. No other computers connected to this work-station. All devices are connected to this work-station via hard connection (cable).
So how do I get network traffic data for a full minute? That seems like the best option to either establish that something bad is going on, or that Joe Wulf is correct.
On 11/30/20 12:57 PM, home user wrote:
So how do I get network traffic data for a full minute? That seems like the best option to either establish that something bad is going on, or that Joe Wulf is correct.
Install wireshark. That will let you monitor all the traffic and see what's happening.
On 01/12/2020 04:57, home user wrote:
How do I check that? And how do I change it? By the way, I power down every night; and power up every morning.
Along with watching the output of wireshark, you should run "netstat -atuevp" and see what connections are "established".
--- The key to getting good answers is to ask good questions.
On Mon, 30 Nov 2020 20:57:13 -0000 "home user" mattisonw@comcast.net wrote:
So how do I get network traffic data for a full minute? That seems like the best option to either establish that something bad is going on, or that Joe Wulf is correct.
You can observe your network connections by running iftop as root. You can then do a whois for the ip address to see who the owner is. It's not exactly what you asked for, but it enables you to monitor network traffic in real time. There are probably more sophisticated tools I'm not aware of though.
(on Mon, 2020-11-30 at 18:37 +0000, Tim wrote)
...you really want to do something like "netstat -atuevp" to see what, where, and who is involved in network traffic.
(on Mon, 2020-11-30 at 21:03 +0000, Ed Greshko wrote)
Along with watching the output of wireshark, you should run "netstat -atuevp" and see what connections are "established".
I tried that as root after seeing Tim's suggestion. I saw nothing useful in the output, so I did not post it. My apologies for that. I've re-run it now as root. The output is attached.
I've installed wireshark. The man page is thousands of lines long. Is there a good beginner-level tutorial for that?!
(on Mon, 2020-11-30 at 18:37 +0000, jtj wrote)
AFAIK, Fedora checks for updates at intervals to notify them via dnfdragora. May be that.
(I replied to this hours ago, but I don't see my reply in the thread. Trying again.)
A few years ago, with the help of members of this list, I turned off all automatic updating and automatic checking for updates that we knew of.
I checked the process table in the ksysguard display. dnfdragora is not listed.
On 01/12/2020 07:47, home user wrote:
(on Mon, 2020-11-30 at 18:37 +0000, Tim wrote)
...you really want to do something like "netstat -atuevp" to see what, where, and who is involved in network traffic.
(on Mon, 2020-11-30 at 21:03 +0000, Ed Greshko wrote)
Along with watching the output of wireshark, you should run "netstat -atuevp" and see what connections are "established".
I tried that as root after seeing Tim's suggestion. I saw nothing useful in the output, so I did not post it. My apologies for that. I've re-run it now as root. The output is attached.
I thought you said your system was "quiet"?
For your "network activity" issue the lines of interest are those which include "ESTABLISHED" as the state.
It shows both "thunderbird" and "firefox" are both running and connected to hosts. So, one would expect some network activity.
I've installed wireshark. The man page is thousands of lines long. Is there a good beginner-level tutorial for that?!
https://www.wireshark.org/download/docs/user-guide.pdf ?
--- The key to getting good answers is to ask good questions.
(on Mon, 2020-11-30 at 23:56 +0000, Ed wrote)
I thought you said your system was "quiet"?
For your "network activity" issue the lines of interest are those which include "ESTABLISHED" as the state.
It shows both "thunderbird" and "firefox" are both running and connected to hosts. So, one would expect some network activity.
When I opened the thread this morning (hours ago), my system was quiet. When, several minutes ago, I did the netstat -atuevp whose output I attached to my reply to you and Tim, yes, Thunderbird and Firefox were running.
Shall I reboot and re-do the netstat before launching Thunderbird and Firefox?
I will dig into the user-guide you referenced. This will take time.
On 01/12/2020 08:18, home user wrote:
(on Mon, 2020-11-30 at 23:56 +0000, Ed wrote)
I thought you said your system was "quiet"?
For your "network activity" issue the lines of interest are those which include "ESTABLISHED" as the state.
It shows both "thunderbird" and "firefox" are both running and connected to hosts. So, one would expect some network activity.
When I opened the thread this morning (hours ago), my system was quiet. When, several minutes ago, I did the netstat -atuevp whose output I attached to my reply to you and Tim, yes, Thunderbird and Firefox were running.
Shall I reboot and re-do the netstat before launching Thunderbird and Firefox?
Well, if you're interested to determine what is causing activity when the system is supposedly quiet then yes.
Restart the system, wait a while, check your ksysguard as you did before and then check netstat and/or iftop.
FWIW, I look at this as a chance to learn "troubleshooting" techniques. Nothing sinister is going on.
--- The key to getting good answers is to ask good questions.
On 01/12/2020 08:18, home user wrote:
(on Mon, 2020-11-30 at 23:56 +0000, Ed wrote)
I thought you said your system was "quiet"?
For your "network activity" issue the lines of interest are those which include "ESTABLISHED" as the state.
It shows both "thunderbird" and "firefox" are both running and connected to hosts. So, one would expect some network activity.
When I opened the thread this morning (hours ago), my system was quiet. When, several minutes ago, I did the netstat -atuevp whose output I attached to my reply to you and Tim, yes, Thunderbird and Firefox were running.
Shall I reboot and re-do the netstat before launching Thunderbird and Firefox?
I will dig into the user-guide you referenced. This will take time.
Oh, with the output of netstat, if a process has made a connection but then disconnects the state may not be "established" but changed to "TIME_WAIT". If I recall, it will remain in TIME_WAIT for around 60 seconds before the connection is torn down.
So, best to check netstat just after you see activity has occurred.
--- The key to getting good answers is to ask good questions.
On 12/1/20 1:18 AM, home user wrote:
(on Mon, 2020-11-30 at 23:56 +0000, Ed wrote)
I thought you said your system was "quiet"?
For your "network activity" issue the lines of interest are those which include "ESTABLISHED" as the state.
It shows both "thunderbird" and "firefox" are both running and connected to hosts. So, one would expect some network activity
When I opened the thread this morning (hours ago), my system was quiet. When, several minutes ago, I did the netstat -atuevp whose output I attached to my reply to you and Tim, yes, Thunderbird and Firefox were running.
Check these packages' "Preferences->Privacy & Security" settings.
IIRC, Fedora's Mozilla packages have Mozilla's espionage (IMHO: mis-) features (aka. "telemetry", "data collection") enabled by default and therefore are phoning home under "the hood".
Ralf
(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)
I rebooted, and did a few netstat's and an iftop while the workstation was "quiet". I pasted output from 2 netstat runs into a text file.
I paused the iftop display many times to grab line pairs of interest, and pasted those into the text file that has the netstat runs.
The text file is at the bottom of this message.
Most of the entries in the iftop display involve comcast, my internet service provider. Quite a few unexpected addresses also show up in iftop. A few questions come to mind...
A few years ago, I saw in the system journal numerous log-in attempts by outsiders from all over the world, and opened a thread about that. Now such attempts are blocked by the firewall. If an outsider tries to communicate with my workstation, and the firewall blocks the attempt, will the attempt show up in the network activity panel of ksysguard? Will that attempt show up in the iftop display?
Bill.
--------------- begin text file ---------------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 coyote:domain           0.0.0.0:*               LISTEN      root       31188      1084/dnsmasq
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      root       22447      947/cupsd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       39031      1680/sendmail: acce
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      root       22448      947/cupsd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi      22058      748/avahi-daemon: r
udp        0      0 coyote:domain           0.0.0.0:*                           root       31187      1084/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           root       31184      1084/dnsmasq
udp        0      0 c-98-245-12-4.hs:bootpc denv01dhcp-ho-02:bootps ESTABLISHED root       29795      862/NetworkManager
udp        0      0 localhost:323           0.0.0.0:*                           root       25199      763/chronyd
udp        0      0 0.0.0.0:58501           0.0.0.0:*                           avahi      22060      748/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              avahi      22059      748/avahi-daemon: r
udp6       0      0 localhost:323           [::]:*                              root       25200      763/chronyd
udp6       0      0 coyote:dhcpv6-client    [::]:*                              root       30632      862/NetworkManager
udp6       0      0 [::]:33746              [::]:*                              avahi      22061      748/avahi-daemon: r
bash.5[~]: netstat -atuevp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 coyote:domain           0.0.0.0:*               LISTEN      root       31188      1084/dnsmasq
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      root       22447      947/cupsd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       39031      1680/sendmail: acce
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      root       22448      947/cupsd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi      22058      748/avahi-daemon: r
udp        0      0 coyote:domain           0.0.0.0:*                           root       31187      1084/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           root       31184      1084/dnsmasq
udp        0      0 c-98-245-12-4.hs:bootpc denv01dhcp-ho-02:bootps ESTABLISHED root       29795      862/NetworkManager
udp        0      0 localhost:323           0.0.0.0:*                           root       25199      763/chronyd
udp        0      0 0.0.0.0:58501           0.0.0.0:*                           avahi      22060      748/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              avahi      22059      748/avahi-daemon: r
udp6       0      0 localhost:323           [::]:*                              root       25200      763/chronyd
udp6       0      0 coyote:dhcpv6-client    [::]:*                              root       30632      862/NetworkManager
udp6       0      0 [::]:33746              [::]:*                              avahi      22061      748/avahi-daemon: r
bash.6[~]:
----- some captured iftop lines -----
c-98-245-12-4.hsd1.co.comcast.net => 172.86.179.85 0b 0b 15b <= 0b 0b 15b
c-98-245-12-4.hsd1.co.comcast.net => aksdefk.cn 0b 0b 15b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => ns570281.ip-51-161-12.net 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 167.71.161.95 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => HOST.DNANUTRITIONCENTER.ORG 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 45.129.33.180 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 78.171.35.99.dynamic.ttnet.com.tr 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 99-104-170-138.lightspeed.lsvlky.sbcglobal.net 0b 0b 15b <= 0b 0b 15b
c-98-245-12-4.hsd1.co.comcast.net => sarasvati.sattvik.com 0b 0b 15b <= 0b 0b 15b
c-98-245-12-4.hsd1.co.comcast.net => 80.82.68.29 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 31.20.97.83.ro.ovo.sc 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => 121.23.133.254 272b 54b 14b <= 184b 37b 9b
coyote => proxy09.fedoraproject.org 0b 426b 107b <= 0b 625b 156b
c-98-245-12-4.hsd1.co.comcast.net => proxy13-rdu02.fedoraproject.org 0b 0b 83b <= 0b 0b 136b
c-98-245-12-4.hsd1.co.comcast.net => scanner-01.ch1.censys-scanner.com 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => zg-0915b-89.stretchoid.com 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 138.99.216.104 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => 31.184.215.57 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => scanner.openportstats.com 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => ec2-13-229-78-217.ap-southeast-1.compute.amazonaws.com 0b 32b 8b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => 96.120.119.53 0b 0b 0b <= 0b 0b 150b
c-98-245-12-4.hsd1.co.comcast.net => www.arbor-observatory.com 0b 0b 0b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => zg-0915a-345.stretchoid.com 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => 203.166.213.199 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => scan-02a.shadowserver.org 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => worker-01.sfj.censys-scanner.com 0b 0b 14b <= 0b 0b 9b
c-98-245-12-4.hsd1.co.comcast.net => ip-113-42.4vendeta.com 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => no-mans-land.m247.com 0b 54b 14b <= 0b 37b 9b
c-98-245-12-4.hsd1.co.comcast.net => 109x194x3x165.static-customer.bryansk.ertelecom.ru 0b 54b 14b <= 0b 37b 9b
----- some ip address first fields -----
31 45 78 80 96 99 121 138 152 167 172 197 203
--------------- end text file ---------------
A non expert response.
On Wed, 02 Dec 2020 16:09:16 -0000 "home user" mattisonw@comcast.net wrote:
A few years ago, I saw in the system journal numerous log-in attempts by outsiders from all over the world, and opened a thread about that. Now such attempts are blocked by the firewall. If an outsider tries to communicate with my workstation, and the firewall blocks the attempt, will the attempt show up in the network activity panel of ksysguard? Will that attempt show up in the iftop display?
I don't know about ksysguard, but I think they should show up in iftop, as they make it through the hardware connection (ethernet or wireless).
--------------- begin text file ---------------
[snip]
These all appear to be OK.
some captured iftop lines
These appear to be from someone looking for open ports in the comcast range, so they can try exploits. The firewall seems to be stopping them dead. I think you might be able to configure your router so that these are rejected there instead of making it through to the firewall. You would have to log in and then go to whatever configuration it has for an internal firewall, and disable them there, if it is even possible. It's been a long time since I configured mine, but I don't see these attempts on my ISP's range in my firewall, though I used to. However, my ISP might now be actively blocking such attempts, while comcast isn't.
Most of the attempts I used to see were for Windows exploits, though there were a considerable number of attempts to use ssh. Do you have sshd disabled if you are not using it? As root:
systemctl status sshd
It should be inactive (dead) if it is not being used. I keep it masked so that updates don't reactivate it from disabled state.
On 30 Nov 2020, at 17:57, home user mattisonw@comcast.net wrote:
- My .bash_profile sources my .bashrc, sets PATH, and launches xeyes. My .bashrc sources /etc/bashrc, sets PS1 and PATH, and defines aliases.
Set PATH in your .bash_profile not .bashrc.
This is because if you set it in .bashrc you cannot override PATH for sub shells.
Barry
On 30 Nov 2020, at 21:03, Ed Greshko ed.greshko@greshko.com wrote:
On 01/12/2020 04:57, home user wrote:
How do I check that? And how do I change it? By the way, I power down every night; and power up every morning.
Along with watching the output of wireshark, you should run "netstat -atuevp" and see what connections are "established".
You should be using ss not netstat as netstat is slower and is deprecated.
ss -atuep
Barry
The key to getting good answers is to ask good questions.
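Bill asked earlier for a full minute of network data rather than a single netstat snapshot, Ed pointed out that a finished connection lingers only briefly as TIME_WAIT before it disappears from the table, and Barry recommends ss over netstat. The script below is an added example, not code from the thread: it polls "ss -atuep" once a second for a configurable window and aggregates every socket that had a peer (state, peer address, owning program), so short-lived connections are caught and counted. It assumes iproute2's ss and a POSIX awk; the embedded sample output is constructed (documentation IP ranges, made-up pids) so the summarizer can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): sample the socket table over a whole
# window instead of taking one snapshot, so short-lived connections that
# end up in TIME-WAIT (and then vanish) are still recorded.
# Assumes iproute2's "ss" and a POSIX awk.

# Reduce "ss -atuep" output to one "STATE PEER PROGRAM" line per socket that
# actually has a peer. Listeners and unbound UDP sockets (peer "*") are
# dropped; a socket whose owner has already exited (typical for TIME-WAIT)
# gets "-" as its program.
summarize_sockets() {
    awk '
        $1 == "Netid"     { next }   # header line
        $2 == "LISTEN"    { next }   # waiting for connections, not traffic
        $6 ~ /:\*$/       { next }   # no peer address
        {
            prog = "-"
            # process info looks like: users:(("firefox",pid=2345,fd=89))
            if (match($0, /users:\(\("[^"]+"/))
                prog = substr($0, RSTART + 9, RLENGTH - 10)
            print $2, $6, prog
        }'
}

# Poll "ss -atuep" every INTERVAL seconds for DURATION seconds, then print each
# distinct (state, peer, program) tuple with the number of polls it was seen in.
# Run as root so ss can report the owning process of every socket.
watch_sockets() {
    duration=${1:-60}
    interval=${2:-1}
    elapsed=0
    tmp=$(mktemp) || return 1
    while [ "$elapsed" -lt "$duration" ]; do
        ss -atuep | summarize_sockets >> "$tmp"
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    sort "$tmp" | uniq -c | sort -rn
    rm -f "$tmp"
}

# Constructed "ss -atuep" output (documentation IP ranges, made-up pids) so the
# summarizer can be exercised without touching the live system.
SAMPLE='Netid State     Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN    0      128    0.0.0.0:631        0.0.0.0:*         users:(("cupsd",pid=947,fd=7)) ino:22447 sk:1 <->
udp   UNCONN    0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=763,fd=5)) ino:25199 sk:2 <->
udp   ESTAB     0      0      192.0.2.10:68      198.51.100.1:67   users:(("NetworkManager",pid=862,fd=24)) ino:29795 sk:3 <->
tcp   ESTAB     0      0      192.0.2.10:47712   203.0.113.5:443   users:(("firefox",pid=2345,fd=89)) uid:1000 ino:99887 sk:4 <->
tcp   TIME-WAIT 0      0      192.0.2.10:51220   203.0.113.9:443   ino:0 sk:5 <->'

# Summary of SAMPLE: the two listeners are dropped, the DHCP and browser
# sockets are attributed to their programs, the TIME-WAIT socket has no owner.
demo_summary() {
    printf '%s\n' "$SAMPLE" | summarize_sockets
}

case "${1:-}" in
    --live) watch_sockets "${2:-60}" "${3:-1}" ;;   # e.g. sh watch.sh --live 60 1
    *)      demo_summary ;;
esac
```

Peers that only ever appear with program "-" are the ones a single snapshot would have missed: they closed before the poll, so matching them to a process needs the ksysguard-style timing Ed describes (poll right after activity) or a wireshark capture.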
On Wed, 2020-12-02 at 16:09 +0000, home user wrote:
--------------- begin text file ---------------
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 coyote:domain           0.0.0.0:*               LISTEN      root       31188      1084/dnsmasq
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN      root       22447      947/cupsd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       39031      1680/sendmail: acce
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      root       22448      947/cupsd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           avahi      22058      748/avahi-daemon: r
udp        0      0 coyote:domain           0.0.0.0:*                           root       31187      1084/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           root       31184      1084/dnsmasq
udp        0      0 c-98-245-12-4.hs:bootpc denv01dhcp-ho-02:bootps ESTABLISHED root       29795      862/NetworkManager
udp        0      0 localhost:323           0.0.0.0:*                           root       25199      763/chronyd
udp        0      0 0.0.0.0:58501           0.0.0.0:*                           avahi      22060      748/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              avahi      22059      748/avahi-daemon: r
udp6       0      0 localhost:323           [::]:*                              root       25200      763/chronyd
udp6       0      0 coyote:dhcpv6-client    [::]:*                              root       30632      862/NetworkManager
udp6       0      0 [::]:33746              [::]:*                              avahi      22061      748/avahi-daemon: r
If you look at the last column, you can see what's involved with those things: DNSmasq (your local DNS server), CUPSD (your local printer server), sendmail (your local mail server), AVAHI-DAEMON (part of your local networking, finding out your IP address, finding other things in your network), NETWORK MANAGER (handling your network), CHRONYD (your local time server managing your clock).
All normal stuff, although they're listening to any address, rather than only listening to local addresses. That could be tightened up for some things, at least. I see no reason for CUPS to listen outside of your LAN, for instance.
LANs are chatty, especially when you throw CUPS and mDNS into the mix. CUPS advertises itself, and looks for printers. AVAHI, etc., are always on the lookout for other things on your LAN. It's next to impossible to stop the LEDs blinking on your network port in a LAN.
And there's always going to be loads of DNS lookups while things are being used by you. When you browse a webpage, the page is made up of content dragged in from all over the place, text, graphics, scripts, etc., the browser has to find them. You can get the same kind of thing with HTML mail, too.
Regarding the other set of data with all the comcast addresses, I can't comment, as I have no idea what the data is in the adjacent columns. I hate programs which spew out data without titling what it is.
If, however, it is like Stan said (people scanning for exploitable ports within comcast), then my opinion is that you report that to comcast, and suggest that they either deal with their customers who are nefariously scanning their network, or fix their firewall to stop outsiders scanning their network. Either way, that's *their* job.
But first, confirm it is exploit scanning. I can't tell from the data you provided.
Looking at some of the domain names, I would have thought you'd logged this while you're using your web browser.
On 12/2/20 3:06 PM, Tim via users wrote:
All normal stuff, although they're listening to any address, rather than only listening to local addresses. That could be tightened up for some things, at least. I see no reason for CUPS to listen outside of your LAN, for instance.
I assume you're referring to the lines like this: tcp 0 0 0.0.0.0:ipp 0.0.0.0:* LISTEN root 22447 947/cupsd
That foreign address is just a placeholder. Nothing is actually connected. The process is listening for a connection and will accept one from anywhere. It's up to the firewall to restrict that.
On 03/12/2020 00:02, home user wrote:
(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)
I rebooted, and did a few netstat's and an iftop while the workstation was "quiet". I pasted output from 2 netstat runs into a text file.
I paused the iftop display many times to grab line pairs of interest, and pasted those into the text file that has the netstat runs.
The text file is attached.
Most of the entries in the iftop display involve comcast, my internet service provider. Quite a few unexpected addresses also show up in iftop. A few questions come to mind...
A few years ago, I saw in the system journal numerous log-in attempts by outsiders from all over the world, and opened a thread about that. Now such attempts are blocked by the firewall. If an outsider tries to communicate with my workstation, and the firewall blocks the attempt, will the attempt show up in the network activity panel of ksysguard? Will that attempt show up in the iftop display?
Well, it is really difficult to determine the source of those small packets.
You may want to run iftop with -Pn to make sure the port numbers are listed.
Things such as
c-98-245-12-4.hsd1.co.comcast.net => no-mans-land.m247.com 0b 54b 14b
are meaningless without a port. Also, if one does a lookup they would see...
[egreshko@meimei etc]$ host no-mans-land.m247.com
Host no-mans-land.m247.com not found: 3(NXDOMAIN)
So, what is the real IP address of that hostname? And how did your system come up with that name....
The best tool for this is "wireshark" and capturing network activity with filters on maybe one IP address which appears most often.
Also, go back and run "lastb" to make sure your firewall is actually blocking incoming logins.
It also makes things difficult for others to diagnose without a clear understanding of your network topology. Is the host directly connected to the Internet with public IP addresses? Running IPv4 and IPv6? Is the host behind a router and using NAT? etc....
--- The key to getting good answers is to ask good questions.
On 03/12/2020 00:09, home user wrote:
(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)
I rebooted, and did a few netstat's and an iftop while the workstation was "quiet". I pasted output from 2 netstat runs into a text file.
I think this would be easier for you to capture network traffic at this time......
With a quiet system, open a terminal and as root use the following to capture some packets....
tcpdump -c 500 port 22 -w cap.pcap
This will capture 500 packets and then exit. Post the cap.pcap file.
--- The key to getting good answers is to ask good questions.
On 12/2/20 8:11 PM, Ed Greshko wrote:
On 03/12/2020 00:09, home user wrote:
(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)
I rebooted, and did a few netstat's and an iftop while the workstation was "quiet". I pasted output from 2 netstat runs into a text file.
I think this would be easier for you to capture network traffic at this time......
With a quiet system, open a terminal and as root use the following to capture some packets....
tcpdump -c 500 port 22 -w cap.pcap
This will capture 500 packets and then exit. Post the cap.pcap file.
That will only capture ssh traffic. What if it's not that? Also, the capture file could contain some information that shouldn't be publicly shared.
On 03/12/2020 12:16, Samuel Sieb wrote:
On 12/2/20 8:11 PM, Ed Greshko wrote:
On 03/12/2020 00:09, home user wrote:
(I sent this to the list three times in the past two days; it apparently never arrived, and it did not bounce.)
I rebooted, and did a few netstat's and an iftop while the workstation was "quiet". I pasted output from 2 netstat runs into a text file.
I think this would be easier for you to capture network traffic at this time......
With a quiet system, open a terminal and as root use the following to capture some packets....
tcpdump -c 500 port 22 -w cap.pcap
This will capture 500 packets and then exit. Post the cap.pcap file.
That will only capture ssh traffic. What if it's not that? Also, the capture file could contain some information that shouldn't be publicly shared.
I specifically chose to capture only ssh at this point. Sensitive info such as passwords would not appear. I picked ssh due to some of the output he already provided and the info he gave about those types of brute force attacks being stopped by the firewall and my suspicion that may not be always the case.
I suppose if one is paranoid about posting their ip addresses they may be concerned.
Feel free to give your own suggestion.
--- The key to getting good answers is to ask good questions.
On Thu, 2020-12-03 at 08:59 +0800, Ed Greshko wrote:
[egreshko@meimei etc]$ host no-mans-land.m247.com
Host no-mans-land.m247.com not found: 3(NXDOMAIN)
So, what is the real IP address of that hostname?
m247.com comes up with a general cloud service website, perhaps the no-mans-land prefix is a deliberate dead-end used by some things to prevent out-of-network leakages?
A bit like how my DNS server is set to produce no-answer DNS lookups for things like doubleclick domain names, and other pests. It kills various snooping bugs on devices that you can't configure, like smart TVs.
Tim:
All normal stuff, although they're listening to any address, rather than only listening to local addresses. That could be tightened up for some things, at least. I see no reason for CUPS to listen outside of your LAN, for instance.
Samuel Sieb:
I assume you're referring to the lines like this: tcp 0 0 0.0.0.0:ipp 0.0.0.0:* LISTEN root 22447 947/cupsd
That foreign address is just a placeholder. Nothing is actually connected. The process is listening for a connection and will accept one from anywhere. It's up to the firewall to restrict that.
Yes, but in my opinion, that's a shit way to do things. CUPS is *probably* not such an issue, but other things are more risky. It's not so much a placeholder, as a wildcard (this interface accepts connections from anywhere).
As far as I'm concerned it's FAR better to configure a server to only listen to what it should do, rather than rely on something else to protect it. The moment someone stops the firewall to work something out, as many people will do (often foolishly), you've left that service vulnerable. On some ISPs they're so infested by scanning bots, you get infected within just a few seconds of connecting.
I watched a friend's windows box get done 4 seconds after his USB ADSL modem connected, three times in a row. I laughed so hard. He'd spent hours installing, invited me to watch the final moments, bang. He couldn't remove the infestation, had to reinstall. Didn't listen to my advice about securing his PC before connecting to the net. Over an hour later after another install, it happened again. And again, his anti-virus didn't stop it, couldn't remove it, but did kindly inform him he'd been infected. And once more, another wipe, re-install, and re-infect, again, just for rubbing salt into the wounds. Then he believed me about configuring his network better.
Would you not bother to properly configure a SMTP or SSH service, and just rely on the firewall to protect it?
The original poster had already said that they'd previously been compromised. He's obviously at risk, so he's better off to secure his system better.
On Thu, 2020-12-03 at 12:53 +0800, Ed Greshko wrote:
I suppose if one is paranoid about posting their ip addresses they may be concerned.
I tend to avoid that, because it just invites some people to have a go. However, in most posts to a mailing list your IP is in the mail headers.
I remember my early forays into the net. Almost any time you did a public post, you'd see a slew of connection attempts reported by the firewall, very shortly after. Bots watch public arenas, and just automatically tried to penetrate any addresses they thought were currently on-line.
On 03/12/2020 17:14, Tim via users wrote:
On Thu, 2020-12-03 at 12:53 +0800, Ed Greshko wrote:
I suppose if one is paranoid about posting their ip addresses they may be concerned.
I tend to avoid that, because it just invites some people to have a go. However, in most posts to a mailing list your IP is in the mail headers.
I remember my early forays into the net. Almost any time you did a public post, you'd see a slew of connection attempts reported by the firewall, very shortly after. Bots watch public arenas, and just automatically tried to penetrate any addresses they thought were currently on-line.
And that is pretty much the point. I can't think of anyone that would go through the trouble of unpacking pcap output to find IP addresses they could attack. They either farm IP addresses from emails, dns queries, or just plain find blocks of IP addresses to attack.
To this observation, add the fact that I have a few systems which are "open" for the express purpose of cataloging where ssh attacks are sourced. The systems I have are both IPv4 and IPv6. All attacks have been against IPv4. In over a year of these systems supporting IPv6 there have been Zero attacks on those addresses.
--- The key to getting good answers is to ask good questions.
On 03/12/2020 12:16, Samuel Sieb wrote:
Also, the capture file could contain some information that shouldn't be publicly shared.
OK.... Let me try to make it "easier" for the OP to use this particular "process of elimination". Meaning, eliminate brute force ssh attacks as the source of "mysterious internet activity".
I used tcpdump to collect a small amount of packets using
tcpdump -c 50 port 22 -w /tmp/cap.pcap
It is a small file and I hope it makes it through with this message.
The OP can start wireshark and "open" this file to display what went on and compare it with what they may collect on their system.
The first packet is the SYN packet from 139.199.228.133 (An IP address assigned to China). So, it confirms the start of the exchange comes from an external source. Packets 1~28 show the failed exchange.
Packet 29 is the start of another attempt from a different IP, 58.218.198.153, another IP from China.
--- The key to getting good answers is to ask good questions.
On 03/12/2020 12:16, Samuel Sieb wrote:
Also, the capture file could contain some information that shouldn't be publicly shared.
OK.... Let me try to make it "easier" for the OP to use this particular "process of elimination". Meaning, eliminate brute force ssh attacks as the source of "mysterious internet activity".
I used tcpdump to collect a small amount of packets using
tcpdump -c 50 port 22 -w /tmp/cap.pcap
It is a small file and I hope it makes it through with this message.
Hummm.... Looks like not. So, download the file from here.
https://drive.google.com/file/d/1fo1UxErgBxZahMKlH8fUGPnhlfabii5V/view?usp=s...
The OP can start wireshark and "open" this file to display what went on and compare it with what they may collect on their system.
The first packet is the SYN packet from 139.199.228.133 (An IP address assigned to China). So, it confirms the start of the exchange comes from an external source. Packets 1~28 show the failed exchange.
Packet 29 is the start of another attempt from a different IP, 58.218.198.153, another IP from China.
--- The key to getting good answers is to ask good questions.
My posts to this list were apparently not reaching the list for a couple of days. This was fedora infrastructure issue 9509. It's fixed. Since the fix, I've been buried in personal business. I now have some time to get back to this problem.
Prior to opening this thread, I did try digging in on my own.
* I checked Firefox and Thunderbird settings to see if telemetry is disabled. They were. I just re-checked. They still are.
* I ran "last" and "lastb". nothing suspicious.
* I tried googling how to detect cryptominers in linux. spooky findings!
One article (now I can't find it) reported some cryptominers are made to reduce the odds of being detected by doing their processing at low levels, and do their internet communication at very low and pseudo-periodic levels. That does to me look like the screen-captures that I provided links to in my initial post. I've read (now I can't find it) that some cryptominers use the GPU rather than the CPU. I don't know of a tool to monitor the GPU other than temperature and overall utilization. I found these two articles: "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-thr..." "https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-preve..." I did not fully understand them, but I got the sense that I should get help and not try to tackle this on my own. Finding and removing cryptominers can be very difficult.
I was asked about this system.
* comcast (my ISP) connected via metal wire cable to Arris phone modem connected via ethernet cable (yellow) to the workstation tower port.
* no routers.
* trackball, printer, and mouse connected to the tower via USB2 cables.
* HP laser printer connected via USB2 cable to the tower. But the printer is almost always powered off.
* a pair of small speakers connected via metal cable to the sound card that's in the tower.
* a pair of Dell 27-inch LCD monitors connected to the NVIDIA graphics card that's in the tower.
That's all.
A few years ago, I found numerous journal entries reporting outside attempts at logging in to my workstation from around the world. With serious help from members of this list, the firewall(?) was adjusted. I've done nothing since to change that.
I understand that comcast, modem, and workstation would check in with each other from time to time, but so often as appears in ksysguard?
The man page for wireshark is thousands of lines long, and the users guide that Ed pointed me to is almost 300 pages long. It will take many days for me to figure that out. I'll need someone to coach me through. Firewall tools are also unfamiliar to me. How I did what I did a few years ago is forgotten.
sshd is blocked:
-bash.1[~]: systemctl status sshd
● sshd.service
   Loaded: masked (Reason: Unit sshd.service is masked.)
   Active: inactive (dead)
-bash.2[~]:
My apologies for a couple days of silence. I will start going back through everyone's posts thoroughly, trying the quick and easy things, and responding. Then I'll do your big suggestions. This may take a few days.
On 12/3/20 1:11 AM, Tim via users wrote:
Tim:
All normal stuff, although they're listening to any address, rather than only listening to local addresses. That could be tightened up for some things, at least. I see no reason for CUPS to listen outside of your LAN, for instance.
Samuel Sieb:
I assume you're referring to the lines like this: tcp 0 0 0.0.0.0:ipp 0.0.0.0:* LISTEN root 22447 947/cupsd
That foreign address is just a placeholder. Nothing is actually connected. The process is listening for a connection and will accept one from anywhere. It's up to the firewall to restrict that.
Yes, but in my opinion, that's a shit way to do things. CUPS is *probably* not such an issue, but other things are more risky. It's not so much a placeholder, as a wildcard (this interface accepts connections from anywhere).
I don't know what you're trying to say here. There is no way to change that placeholder. You can't tell a network socket to only accept connections from certain addresses. That is the purpose of the firewall, nothing else. Of course the application can accept the connection, see that the address is not one it wants to handle and then close it, but that's different than what you're saying.
On 12/3/20 11:40 AM, home user wrote:
I did not fully understand them, but I got the sense that I should get help and not try to tackle this on my own. Finding and removing cryptominers can be very difficult.
It's also extremely unlikely that you have something like that.
I was asked about this system.
- comcast(my ISP) connected via metal wire cable to Arris phone modem connected via ethernet cable (yellow) to the workstation tower port.
- no routers.
If your computer is directly connected to the internet, then there is always going to be some level of network noise happening. I'm surprised at how low it looks from your charts. Even if your computer is not doing anything, there are all sorts of scanning going on and probably ARP requests from the upstream gateway, etc.
Is your computer's IP address in the 192.168.* or 10.* ranges? If not, then you're directly connected. Since you mentioned seeing login attempts before, you most likely are.
On 04/12/2020 05:04, Samuel Sieb wrote:
Is your computer's IP address in the 192.168.* or 10.* ranges? If not, then you're directly connected. Since you mentioned seeing login attempts before, you most likely are.
You forgot the less common 172.16.0.0 – 172.31.255.255 range.
--- The key to getting good answers is to ask good questions.
On 2020-12-03 19:40, home user wrote:
I was asked about this system.
- comcast(my ISP) connected via metal wire cable to Arris phone modem
connected via ethernet cable (yellow) to the workstation tower port.
Yellow? Is that safe? (Joke.)
Sometimes what users think is just a "modem" also contains a small router and enough of a firewall to do NAT. Sometimes (as with my cable-tv vendor broadband in the UK) the user can, as I have, elect to use the "modem" in modem-only mode (which is to say I've turned off the router/firewall part) and use a separate router/firewall one step further into my network.
Do you have any idea if your "modem" is just-a-modem, or more than that?
Eg if you've ever logged-in to it, does it have firewall-ish functions?
Do you know the model-number of the modem?
On 2020-12-03 19:40, home user wrote:
Yellow? Is that safe? (Joke.)
I could use a good laugh these days. I'm missing the joke. Please explain it.
Sometimes what users think is just a "modem" also contains a small router and enough of a firewall to do NAT. Sometimes (as with my cable-tv vendor broadband in the UK) the user can, as I have, elect to use the "modem" in modem-only mode (which is to say I've turned off the router/firewall part) and use a separate router/firewall one step further into my network.
Do you have any idea if your "modem" is just-a-modem, or more than that?
It's a phone modem. It connects my workstation and my land-line phone to comcast. That's all I know.
Eg if you've ever logged-in to it, does it have firewall-ish functions?
No. I don't think so, but I'm not certain.
Do you know the model-number of the modem?
Here's what I have on it:
----------
Arris
Model: TM822G
P/N: TM02DHD822
SN: D4GBRE77E219673
EMAC: 5C571A713DD6
CMAC: 5C571A713DD7
MTA MAC: 5C571A713DD8
TM822G/NA-8 790635
----------
Bill.
In gnome, I click the little network? symbol in the upper right corner of the display, just left of the speaker symbol. In the little box that comes up, from top to bottom, there is
* a volume slider,
* "Wired Connected >",
* "Settings >", and
* "Power Off / Log Out >".
I click the "Wired Connected >". That brings up a submenu of 4 choices:
* "em1",
* "Profile 1",
* "Turn Off", and
* "Wired Settings".
I pick "Wired Settings". Here are the results: "https://drive.google.com/file/d/199uu5j7s-xsPyGR-8HEWksenMBHMP-rU/view?usp=s...". It's a screen capture. So I'm directly connected?
On 12/3/20 4:01 PM, home user wrote:
In gnome, I click the little network? symbol in the upper right corner of the display, just left of the speaker symbol. In the little box that comes up, from top to bottom, there is
- "Wired Settings".
I pick "Wired Settings". Here are the results: "https://drive.google.com/file/d/199uu5j7s-xsPyGR-8HEWksenMBHMP-rU/view?usp=s...". It's a screen capture. So I'm directly connected?
Yes, you are. So there will always be some network traffic going on and you will want to keep the firewall turned on.
On 12/3/20 2:01 PM, Ed Greshko wrote:
On 04/12/2020 05:04, Samuel Sieb wrote:
Is your computer's IP address in the 192.168.* or 10.* ranges? If not, then you're directly connected. Since you mentioned seeing login attempts before, you most likely are.
You forgot the less common 172.16.0.0 – 172.31.255.255 range.
I didn't forget it, I didn't want to look it up. :-) I've never seen anyone use that one.
On 11/30/20 3:47 PM, home user wrote:
I've installed wireshark. The man page is thousands of lines long. Is there a good beginner-level tutorial for that?!
You will need to add your user to the "wireshark" group:
sudo usermod -a -G wireshark username
Then logout and log back in. Run wireshark. There should be a list of interfaces. Double click on your ethernet one.
On 12/3/20 5:31 PM, Samuel Sieb wrote:
You will need to add your user to the "wireshark" group:
sudo usermod -a -G wireshark username
Then logout and log back in. Run wireshark. There should be a list of interfaces. Double click on your ethernet one.
When I "opened" the cap.pcap that Ed sent out, that started wireshark. So apparently dnf took care of the wireshark group for me. But when I run wireshark directly, I do not see an ethernet interface. I see these four:
* Cisco remote capture: ciscodump
* systemd Journal Export: sdjournal
* SSH remote capture: sshdump
* UDP Listener remote capture: udpdump
On 12/2/20 9:11 PM, Ed Greshko wrote:
I think this would be easier for you to capture network traffic at this time......
With a quiet system, open a terminal and as root use the following to capture some packets....
tcpdump -c 500 port 22 -w cap.pcap
This will capture 500 packets and then exit. Post the cap.pcap file.
I did it. But after 35+ minutes, I terminated it. The resulting cap.pcap is attached. If you want something else/more, let me know. I don't understand much of what I see in wireshark. What I gather is:
* 3 packets were captured.
* the first was a tcp from 45.138.37.21 to 24.128.103.197. whois claims it's from somewhere in the Netherlands to 24.128.103.197; whois claims that's comcast.
* the second was a tcp from 81.161.63.253 to 24.128.103.197. whois claims it's from Moscow, Russia to 24.128.103.197.
* the third was a tcp from 162.142.125.30 to 24.128.103.197. whois claims it's from Ann Arbor, Michigan to 24.128.103.197.
Based on what I sent to Samuel a little while ago, the destination ip address is actually me. The "info" column and the bottom part of the display (hexadecimal) make no sense to me. Why is the first entry (from the Netherlands) in the top part highlighted red?
On 12/3/20 5:28 PM, home user wrote:
On 12/3/20 5:31 PM, Samuel Sieb wrote:
You will need to add your user to the "wireshark" group:
sudo usermod -a -G wireshark username
Then logout and log back in. Run wireshark. There should be a list of interfaces. Double click on your ethernet one.
When I "opened" the cap.pcap that Ed sent out, that started wireshark. So apparently dnf took care of the wireshark group for me. But when I
No, you don't need that group to run wireshark, you need it to access the network interfaces.
run wireshark directly, I do not see an ethernet interface. I see these four:
- Cisco remote capture: ciscodump
- systemd Journal Export: sdjournal
- SSH remote capture: sshdump
- UDP Listener remote capture: udpdump
That's because you aren't in that group.
On 12/3/20 6:35 PM, Samuel Sieb wrote:
On 12/3/20 5:28 PM, home user wrote:
On 12/3/20 5:31 PM, Samuel Sieb wrote:
You will need to add your user to the "wireshark" group:
sudo usermod -a -G wireshark username
Then logout and log back in. Run wireshark. There should be a list of interfaces. Double click on your ethernet one.
Done.
I double clicked "eno1".
Yow! There's an incredible amount of activity! What is all that?
On 12/3/20 5:34 PM, home user wrote:
On 12/2/20 9:11 PM, Ed Greshko wrote:
I think this would be easier for you to capture network traffic at this time......
With a quiet system, open a terminal and as root use the following to capture some packets....
tcpdump -c 500 port 22 -w cap.pcap
This will capture 500 packets and then exit. Post the cap.pcap file.
I did it. But after 35+ minutes, I terminated it. The resulting cap.pcap is attached. If you want something else/more, let me know. I don't understand much of what I see in wireshark. What I gather is:
- 3 packets were captured.
- the third was a tcp from 162.142.125.30 to 24.128.103.197. whois
claims it's from Ann Arbor, Michigan to 24.128.103.197, Based on what I sent to Samuel a little while ago, the destination ip address is actually me. The "info" column and the bottom part of the display (hexadecimal) make no sense to me.
The first packet is strange, not sure why the other end is sending you a reset, but possibly that's it giving up trying to connect.
I wouldn't really expect you to understand much of the details, but the last two lines of the middle info are the most useful to you:
Internet Protocol Version 4, Src: 162.142.125.30, Dst: 24.128.103.197
The other end is at 162.142.125.30.
Transmission Control Protocol, Src Port: 57473, Dst Port: 22, Seq: 0,
Len: 0
It's a connection to your ssh port (22). In the top section, you'll see the packet is marked with [SYN], that means it's a connection attempt.
Why is the first entry (from the Netherlands) in the top part highlighted red?
Probably because it's a RST (connection reset) packet. Those packets show that your firewall is doing its job and blocking the incoming connections.
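Ed's capture (first packet a SYN from outside, later packets more attempts) and Samuel's reading of the Wireshark fields (a SYN is a connection attempt, a RST a reset) both come down to reading the TCP flags of each packet in a pcap file. The following is an added example, not code from the thread: a minimal reader for the classic libpcap format that labels each IPv4/TCP packet that way. The three frames are constructed in memory using the addresses and ports quoted in the replies above; the MAC addresses, sequence numbers and checksums are dummies.

```python
"""Minimal reader for a classic libpcap file that labels each TCP packet as a
SYN (connection attempt) or RST (reset), the two kinds discussed in the thread.

Added example, not from the thread: the frames below are constructed in memory
using the addresses and ports quoted in the replies; MACs, sequence numbers and
checksums are dummies."""
import socket
import struct

TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"),
                  (0x01, "FIN"), (0x08, "PSH"))


def ipv4_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"      # dummy MACs, EtherType 0x0800 = IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap container, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1607000000 + i, 0, len(frame), len(frame)) + frame
    return out


def summarize_frame(frame):
    """Describe one Ethernet frame; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if ip[9] != 6:                          # protocol field: 6 = TCP
        return {"src": src, "dst": dst, "sport": None, "dport": None,
                "flags": "", "meaning": f"IP protocol {ip[9]}, not TCP"}
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    flags = tcp[13]                         # TCP flag byte
    names = "/".join(name for bit, name in TCP_FLAG_NAMES if flags & bit)
    if flags & 0x04:
        meaning = "reset: sender tore the connection down"
    elif flags & 0x02 and not flags & 0x10:
        meaning = f"connection attempt to port {dport}"
    elif flags & 0x02:
        meaning = f"port {sport} answered a connection attempt"
    else:
        meaning = "part of an existing connection"
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": names, "meaning": meaning}


def parse_pcap(data):
    """Return a summary dict for every IPv4 packet in a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError(f"link type {linktype} not handled, expected Ethernet")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        summary = summarize_frame(data[offset:offset + incl_len])
        offset += incl_len
        if summary:
            packets.append(summary)
    return packets


def connection_attempts(packets):
    """Distinct (source address, local port) pairs that sent a bare SYN, in order."""
    seen = []
    for p in packets:
        key = (p["src"], p["dport"])
        if p["flags"] == "SYN" and key not in seen:
            seen.append(key)
    return seen


# Constructed capture: a reset from the first host, then two SYNs to port 22.
SAMPLE_PCAP = build_pcap([
    ipv4_tcp_frame("45.138.37.21", "24.128.103.197", 44123, 22, 0x04),    # RST
    ipv4_tcp_frame("81.161.63.253", "24.128.103.197", 51022, 22, 0x02),   # SYN
    ipv4_tcp_frame("162.142.125.30", "24.128.103.197", 57473, 22, 0x02),  # SYN
])

if __name__ == "__main__":
    for n, p in enumerate(parse_pcap(SAMPLE_PCAP), 1):
        print(f"{n}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"[{p['flags']}] {p['meaning']}")
    print("connection attempts:", connection_attempts(parse_pcap(SAMPLE_PCAP)))
```

To read a real tcpdump file, replace SAMPLE_PCAP with `open("cap.pcap", "rb").read()`; a SYN that never gets a SYN/ACK back is what a dropped-by-firewall attempt looks like in this output.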
J. Witvliet responded to my original post, but his response showed up in the list as a new thread. I'm responding here.
(on Dec. 01, 2020 at 02:35am US mountain time, J. Witvliet wrote)
What puzzles me, is that you don’t refer to the firewall. It’s the firewall responsibility to block unexpected incoming, but also outgoing traffic. Often people trust all outgoing traffic on 443 and 80 (and corresponding replies), but you can initially LOG it all, and subsequently change your rules to DROP all you don’t want to see. (Before logging the uncaught)
Please suggest what commands to run to check that what should be blocked is blocked. We already do know that sshd is blocked.
On 04/12/2020 10:51, home user wrote:
J. Witvliet responded to my original post, but his response showed up in the list as a new thread. I'm responding here.
(on Dec. 01, 2020 at 02:35am US mountain time, J. Witvliet wrote)
What puzzles me, is that you don’t refer to the firewall. It’s the firewall responsibility to block unexpected incoming, but also outgoing traffic. Often people trust all outgoing traffic on 443 and 80 (and corresponding replies), but you can initially LOG it all, and subsequently change your rules to DROP all you don’t want to see. (Before logging the uncaught)
Please suggest what commands to run to check that what should be blocked is blocked. We already do know that sshd is blocked.
I believe the firewall on your system is already dropping all incoming connection requests.
Provide the output of....
sudo firewall-cmd --get-active-zones
and then using the result from that command
sudo firewall-cmd --info-zone=whatever-was returned.
Example....
[egreshko@f32k ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp1s0
[egreshko@f32k ~]$ sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns mountd nfs nfs3 rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
--- The key to getting good answers is to ask good questions.
On 12/3/20 5:51 PM, home user wrote:
On 12/3/20 6:35 PM, Samuel Sieb wrote:
On 12/3/20 5:28 PM, home user wrote:
On 12/3/20 5:31 PM, Samuel Sieb wrote:
You will need to add your user to the "wireshark" group:
sudo usermod -a -G wireshark username
Then logout and log back in. Run wireshark. There should be a list of interfaces. Double click on your ethernet one.
Done.
I double clicked "eno1".
Yow! There's an incredible amount of activity! What is all that?
Everything! :-)
If you hit the stop button, you can check out various packets to see what's happening. But yes, particularly since you're directly connected to the internet, there's going to be a lot of random stuff besides what your computer is doing. In general, port 80 or 443 is http(s) traffic, 22 is ssh, 25 is email, 53 is DNS. Beyond that, you'll have to do some research.
This afternoon, I did some more experimenting. As at first, I booted up. I then logged in, but this time as root. I did *not* launch Thunderbird (or any other e-mail client) or Firefox (or any other browser) or anything else that I know uses the internet. So the workstation should be "quiet". I launched ksysguard and a terminal. In the terminal, I ran "iftop -Pn" (as suggested by Ed). I did several screen captures. I put the screen shots into a folder on the google drive. The link to the folder is: "https://drive.google.com/drive/folders/18Vul5cD8JUTLJm3lCsZEOWUuPTuyiSDp?usp...". Comments/questions on the 11 screenshots (please focus on the starred one):
* Screenshot_20201203_135358.png This shows a cluster of activity centered slightly left of the word "Swap" at the bottom of the display. The display covers about 2.5 minutes (= 150 seconds). That cluster of network activity lasted about 16 seconds. I also notice a CPU spike during that cluster of network activity. I've seen this a few times before, at times when I expect no network activity and no significant CPU activity.
Screenshot_20201203_140607.png In "iftop -Pn", what got my attention most is the third entry. Also "rrac", "ogs-server", "eserver-pap". Are these ssh attempts that the firewall did/will reject? Are all the lines that contain "tivoconnect" the workstation, the modem, and/or comcast "keeping in touch"?
Screenshot_20201203_141021.png In "iftop -Pn", "telnet", "ftps", "aritts", "emcrmird".
Screenshot_20201203_141440.png In "iftop -Pn","octopus"
Screenshot_20201203_141621.png In "iftop -Pn", "afs3-errors". Also, "...:dead:beef:cafe:..." is back (3rd line in the first iftop).
Screenshot_20201203_141753.png In "iftop -Pn", "ms-v-worlds".
Screenshot_20201203_141851.png In "iftop -Pn", "zenginkyo-2".
* Screenshot_20201203_141953.png * Screenshot_20201203_142005.png The first is in "iftop -Pn", "scp-config", "https", "oob-ws-http". The second shows a cluster of activity slightly left of the word "Swap" at the bottom of the display. That cluster of network activity lasted about 8 seconds. The first screen shot was taken while the cluster of network activity in the second screen shot was showing up.
Screenshot_20201203_142342.png In "iftop -Pn", "winfs", "etlservicemgr".
* Screenshot_20201203_144432.png This shows a cluster of activity centered slightly left of the word "Swap" at the bottom of the display. That cluster of network activity lasted about 12 seconds. I also notice a wave of CPU activity (yellow, then green) just after that cluster of network activity. I've seen this a few times before, at times when I expect no network activity and no significant CPU activity. (By the way, those two red CPU spikes are also suspicious.)
It is the three clusters of network activity that mainly concern me. What is going on? What specific steps can I do to determine what these are?
One more thing. Go back to the first screen shot in my original post: "https://drive.google.com/file/d/1EdlSgKY0fJpU7r3nbstWA7G_2C93gOgO/view?usp=sharing". Notice that tall network activity spike near the left end of the screen capture. I can't yet fully confirm it, but that seems to happen seconds after the first launch of ksysguard on a given day. I've seen this many times. What's going on?
On 12/3/20 8:10 PM, Ed Greshko wrote:
I believe the firewall on your system is already dropping all incoming connection requests.
Provide the output of....
sudo firewall-cmd --get-active-zones
and then using the result from that command
sudo firewall-cmd --info-zone=whatever-was returned.
-bash.1[~]: firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: eno1
-bash.2[~]: firewall-cmd --info-zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject
-bash.3[~]: firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: dhcpv6-client mdns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
-bash.4[~]:
Shutting off for the night.
On 04/12/2020 12:59, home user wrote:
On 12/3/20 8:10 PM, Ed Greshko wrote:
I believe the firewall on your system is already dropping all incoming connection requests.
Provide the output of....
sudo firewall-cmd --get-active-zones
and then using the result from that command
sudo firewall-cmd --info-zone=whatever-was returned.
-bash.1[~]: firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: eno1
-bash.2[~]: firewall-cmd --info-zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject
The virbr0 interface is the interface between your system and any qemu/kvm Virtual Machines you deploy. This is an "internal" interface not connected directly to the Internet.
-bash.3[~]: firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: dhcpv6-client mdns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
-bash.4[~]:
eno1 is your Internet connection and is directly connected from your system to the Arris TM8222G modem. The only services which are allowed to make incoming connections are dhcpv6-client and mdns. All other incoming connection requests will be dropped by the firewall.
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
To address your other post containing all the Screen shots....
As already noted, this traffic is being seen at the interface before being acted upon by the firewall. So, all the screen shots show packets arriving on the interface but which will be dropped by the firewall. Thus, they are all irrelevant.
If you want to know more about the "services" shown in the screen shots one way to do it is lookup the service in /etc/services.
[egreshko@meimei ~]$ grep tivoconnect /etc/services
tivoconnect     2190/tcp                # TiVoConnect Beacon
tivoconnect     2190/udp                # TiVoConnect Beacon
And then google the description, in this case "TiVoConnect Beacon". Learn, for example, http://tivopod.sourceforge.net/tivoconnect.pdf and see that it is a broadcast protocol used by TiVo devices.
You may see some spikes in CPU usage if a flurry of connection requests arrives and the firewall goes through its process to drop them.
--- The key to getting good answers is to ask good questions.
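The two checks Ed describes above (reading the active zone's settings, then looking up an unfamiliar port in /etc/services) can be scripted so that every port seen in a monitor like ksysguard is explained in one pass. This is an added example, not code from the thread or from firewalld: the zone text is a copy of the public-zone output posted above, the /etc/services excerpt is constructed from real IANA assignments, and the service-to-port map for the zone's service names is taken from firewalld's own service definitions (firewalld ships them under /usr/lib/firewalld/services/).

```python
"""Read a firewall-cmd zone dump and explain observed ports via /etc/services.

Added example, not code from the thread. The zone text is a copy of the
public-zone output posted in the thread; the /etc/services excerpt is
constructed (real IANA assignments); the service-to-port map is taken from
firewalld's service definitions.
"""
from typing import Dict, List, Tuple

PortProto = Tuple[int, str]

# Copy of the "firewall-cmd --info-zone=public" output from the thread.
PUBLIC_ZONE_TEXT = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: dhcpv6-client mdns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed excerpt in /etc/services layout: name, port/proto, aliases, comment.
SERVICES_TEXT = """\
# /etc/services excerpt (constructed)
ssh             22/tcp                  # The Secure Shell (SSH) Protocol
domain          53/tcp                  # Domain Name Server
domain          53/udp
ssdp            1900/udp                # SSDP
tivoconnect     2190/tcp                # TiVoConnect Beacon
tivoconnect     2190/udp                # TiVoConnect Beacon
mdns            5353/tcp                # Multicast DNS
mdns            5353/udp                # Multicast DNS
"""

# Ports opened by firewalld's service definitions for the names in the zone
# (dhcpv6-client is further limited to link-local destinations; ignored here).
FIREWALLD_SERVICE_PORTS: Dict[str, set] = {
    "dhcpv6-client": {(546, "udp")},
    "mdns": {(5353, "udp")},
    "ssh": {(22, "tcp")},
}

LIST_KEYS = {"interfaces", "sources", "services", "ports", "protocols",
             "forward-ports", "source-ports", "icmp-blocks", "rich rules"}


def parse_zone(text: str) -> dict:
    """Turn `firewall-cmd --info-zone` output into a dict of settings."""
    lines = text.strip().splitlines()
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        zone[key] = value.split() if key in LIST_KEYS else value
    return zone


def parse_services(text: str) -> Dict[PortProto, Tuple[str, str]]:
    """Map (port, proto) -> (service name, comment) from /etc/services text."""
    table = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            table[(int(port), proto)] = (fields[0], comment.strip())
    return table


def admitted_ports(zone: dict) -> set:
    """Every (port, proto) the zone lets a new connection reach."""
    opened = set()
    for svc in zone.get("services", []):
        opened |= FIREWALLD_SERVICE_PORTS.get(svc, set())
    for entry in zone.get("ports", []):            # e.g. "8080/tcp"
        port, _, proto = entry.partition("/")
        opened.add((int(port), proto))
    return opened


def explain(zone: dict, services: Dict[PortProto, Tuple[str, str]],
            observed: List[PortProto]) -> List[dict]:
    """Describe each observed port and say whether the zone admits it."""
    opened = admitted_ports(zone)
    report = []
    for port, proto in observed:
        name, comment = services.get((port, proto), ("unknown", ""))
        report.append({
            "port": f"{port}/{proto}",
            "service": name,
            "description": comment,
            "admitted": (port, proto) in opened or zone["target"] == "ACCEPT",
        })
    return report


if __name__ == "__main__":
    zone = parse_zone(PUBLIC_ZONE_TEXT)
    # Constructed sample of what the ksysguard network panel showed.
    seen = [(2190, "udp"), (5353, "udp"), (1900, "udp"), (22, "tcp")]
    for row in explain(zone, parse_services(SERVICES_TEXT), seen):
        print(row)
```

Run against the real files with `firewall-cmd --info-zone=public` piped into `parse_zone` and `/etc/services` read into `parse_services`; any row with `admitted: False` is traffic the interface counter shows but the zone never passes to a process, which is the point Ed makes above about the screenshots.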
On 12/2/20 2:11 PM, Barry Scott wrote:
- My .bash_profile sources my .bashrc, sets PATH, and launches xeyes.
My .bashrc sources /etc/bashrc, sets PS1 and PATH, and defines aliases.
Set PATH in your .bash_profile not .bashrc.
This is because if you set it in .bashrc you cannot override PATH for sub shells.
Fixed. Thank-you.
On 12/3/20 10:57 PM, Ed Greshko wrote:
The virbr0 interface is the interface between your system and any qemu/kvm Virtual Machines you deploy. This is an "internal" interface not connected directly to the Internet.
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
-bash.3[~]: firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: dhcpv6-client mdns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
-bash.4[~]:
[... snip ...] You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
To address your other post containing all the Screen shots.... [... snip ...] If you want to know more about the "services" shown in the screen shots one way to do it is lookup the service in /etc/services.
[egreshko@meimei ~]$ grep tivoconnect /etc/services
tivoconnect     2190/tcp                # TiVoConnect Beacon
tivoconnect     2190/udp                # TiVoConnect Beacon
And then google the description, in this case "TiVoConnect Beacon". Learn, for example, http://tivopod.sourceforge.net/tivoconnect.pdf and see that it is a broadcast protocol used by TiVo devices.
I got the same results.
If I understood you and that pdf file correctly, tivoconnect has nothing to do with watching youtube videos or online streaming (such as Viki, Rakuten, or Zoom). I think I don't use this either. But tivoconnect sure shows up a lot in both columns. Is there something I should remove from the system (via dnf), or shut off?
Someone in this thread suggested that outgoing traffic should be examined as well as incoming. That does make sense to me. The firewall-cmd commands I did: did those look at both incoming and outgoing, or just incoming?
On 12/4/20 7:44 PM, home user wrote:
On 12/3/20 10:57 PM, Ed Greshko wrote:
The virbr0 interface is the interface between your system and any qemu/kvm Virtual Machines you deploy. This is an "internal" interface not connected directly to the Internet.
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
The workstation install has libvirtd enabled by default. If you aren't going to use VMs, then you can run "systemctl disable libvirtd".
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
You don't delete it. You can "systemctl disable avahi-daemon". If it mentions something about socket activation, then you can use "mask" instead of "disable" to keep it off.
If I understood you and that pdf file correctly, tivoconnect has nothing to do with watching youtube videos or online streaming (such as Viki, Rakuten, or Zoom). I think I don't use this either. But tivoconnect sure shows up a lot in both columns. Is there something I should remove from the system (via dnf), or shut off?
You are unlikely to have something running on that port. That number is most likely just getting used randomly, unless that's one of the ports that gets scanned for. In which case, there's nothing you can do anyway.
Someone in this thread suggested that outgoing traffic should be examined as well as incoming. That does make sense to me. The firewall-cmd commands I did: did those look at both incoming and outgoing, or just incoming?
By default the firewall only blocks incoming, but it's possible to block outgoing as well.
On 05/12/2020 11:44, home user wrote:
On 12/3/20 10:57 PM, Ed Greshko wrote:
The virbr0 interface is the interface between your system and any qemu/kvm Virtual Machines you deploy. This is an "internal" interface not connected directly to the Internet.
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
If you have no idea about it, you're not using it and probably never will.
So, you can just....
sudo systemctl --now disable libvirtd
Without the "--now" you'd have to reboot for this to take effect.
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
Along with "systemctl --now disable avahi-daemon" You should also remove that service from the firewall.
sudo firewall-cmd --permanent --zone=public --remove-service=mdns
sudo firewall-cmd --reload
To address your other post containing all the Screen shots.... [... snip ...] If you want to know more about the "services" shown in the screen shots one way to do it is lookup the service in /etc/services.
[egreshko@meimei ~]$ grep tivoconnect /etc/services
tivoconnect     2190/tcp                # TiVoConnect Beacon
tivoconnect     2190/udp                # TiVoConnect Beacon
And then google the description, in this case "TiVoConnect Beacon". Learn, for example, http://tivopod.sourceforge.net/tivoconnect.pdf and see that it is a broadcast protocol used by TiVo devices.
I got the same results.
If I understood you and that pdf file correctly, tivoconnect has nothing to do with watching youtube videos or online streaming (such as Viki, Rakuten, or Zoom). I think I don't use this either. But tivoconnect sure shows up a lot in both columns. Is there something I should remove from the system (via dnf), or shut off?
Let me try this again.
These packets are *not* being generated by your system. They are being *broadcast* by a device on the same subnet as your system is. So, another customer of Comcast has a TiVo box and it is broadcasting to find other TiVo devices. All systems on that subnet will get the broadcast packets.
You *can't* stop them from doing this. All you can do is "ignore" them .... which is what your system is doing since it is dropping all packets as they arrive.
Someone in this thread suggested that outgoing traffic should be examined as well as incoming. That does make sense to me. The firewall-cmd commands I did: did those look at both incoming and outgoing, or just incoming?
For a single user system like I think you have, there isn't any value in doing that. You're more than likely to unintentionally break things.
--- The key to getting good answers is to ask good questions.
On 12/4/20 8:53 PM, Samuel Sieb wrote:
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
The workstation install has libvirtd enabled by default. If you aren't going to use VMs, then you can run "systemctl disable libvirtd".
I assume this is not something I use without knowing it.
-bash.1[~]: systemctl disable libvirtd
Removed /etc/systemd/system/multi-user.target.wants/libvirtd.service.
Removed /etc/systemd/system/sockets.target.wants/virtlogd.socket.
-bash.2[~]:
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
You don't delete it. You can "systemctl disable avahi-daemon". If it mentions something about socket activation, then you can use "mask" instead of "disable" to keep it off.
-bash.2[~]: systemctl disable avahi-daemon
Removed /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
-bash.3[~]:
If I understood you and that pdf file correctly, tivoconnect has nothing to do with watching youtube videos or online streaming (such as Viki, Rakuten, or Zoom). I think I don't use this either. But tivoconnect sure shows up a lot in both columns. Is there something I should remove from the system (via dnf), or shut off?
You are unlikely to have something running on that port. That number is most likely just getting used randomly, unless that's one of the ports that gets scanned for. In which case, there's nothing you can do anyway.
Someone in this thread suggested that outgoing traffic should be examined as well as incoming. That does make sense to me. The firewall-cmd commands I did: did those look at both incoming and outgoing, or just incoming?
By default the firewall only blocks incoming, but it's possible to block outgoing as well.
On 12/4/20 9:08 PM, Ed Greshko wrote:
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
If you have no idea about it, you're not using it and probably never will.
So, you can just....
sudo systemctl --now disable libvirtd
Without the "--now" you'd have to reboot for this to take effect.
hmmm... Samuel beat you to it. I'll very soon be shutting down for the night anyway.
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
Along with "systemctl --now disable avahi-daemon" You should also remove that service from the firewall.
sudo firewall-cmd --permanent --zone=public --remove-service=mdns
sudo firewall-cmd --reload
Samuel beat you on this systemctl command too.
-bash.4[~]: firewall-cmd --permanent --zone=public --remove-service=mdns
success
-bash.5[~]: firewall-cmd --reload
success
-bash.6[~]:
If I understood you and that pdf file correctly, tivoconnect has nothing to do with watching youtube videos or online streaming (such as Viki, Rakuten, or Zoom). I think I don't use this either. But tivoconnect sure shows up a lot in both columns. Is there something I should remove from the system (via dnf), or shut off?
Let me try this again.
These packets are *not* being generated by your system. They are being *broadcast* by a device on the same subnet as your system is. So, another customer of Comcast has a TiVo box and it is broadcasting to find other TiVo devices. All systems on that subnet will get the broadcast packets.
You *can't* stop them from doing this. All you can do is "ignore" them .... which is what your system is doing since it is dropping all packets as they arrive.
Actually, I misread my screen captures. (They are not easy to read.) I thought tivoconnect traffic was going both ways, not just incoming. That would imply there was something on my workstation doing the sending. Seeing what you said above, I re-examined the screenshots. I see there is nothing outgoing relating to tivoconnect.
Someone in this thread suggested that outgoing traffic should be examined as well as incoming. That does make sense to me. The firewall-cmd commands I did: did those look at both incoming and outgoing, or just incoming?
For a single user system like I think you have, there isn't any value in doing that. You're more than likely to unintentionally break things.
ok.
There are a few lesser things mentioned by others who posted to this thread. I hope to address those tomorrow.
On 05/12/2020 12:34, home user wrote:
On 12/4/20 9:08 PM, Ed Greshko wrote:
I've never heard of this. I'm not sure, but this seems like something I don't use, at least not explicitly. Is this something that I can remove from the system, or at least turn off (so it won't use CPU), Or is this "under the hood" of things I do use?
If you have no idea about it, you're not using it and probably never will.
So, you can just....
sudo systemctl --now disable libvirtd
Without the "--now" you'd have to reboot for this to take effect.
hmmm... Samuel beat you to it. I'll very soon be shutting down for the night anyway.
I was unaware of being in any competition.
I read the other reply and saw no mention of using the --now parameter. So, maybe there was some added value?
You most likely don't need mdns (Multicast DNS) and can delete that service. You *may* need dhcpv6-client to properly configure your IPv6 automatically when the system starts.
How do I delete a service (mdns)?
Along with "systemctl --now disable avahi-daemon" You should also remove that service from the firewall.
sudo firewall-cmd --permanent --zone=public --remove-service=mdns
sudo firewall-cmd --reload
Samuel beat you on this systemctl command too.
-bash.4[~]: firewall-cmd --permanent --zone=public --remove-service=mdns
success
-bash.5[~]: firewall-cmd --reload
success
-bash.6[~]:
Are there prizes for being the quickest to respond? :-) :-)
There are a few lesser things mentioned by others who posted to this thread. I hope to address those tomorrow.
I pretty much think this topic has been totally addressed and feel there really is no need to go about tilting at windmills.
:-)
--- The key to getting good answers is to ask good questions.
On 12/4/20 10:45 PM, Ed Greshko wrote:
[... snip ...]
So, you can just....
sudo systemctl --now disable libvirtd
Without the "--now" you'd have to reboot for this to take effect.
hmmm... Samuel beat you to it. I'll very soon be shutting down for the night anyway.
I was unaware of being in any competition.
I read the other reply and saw no mention of using the --now parameter. So, maybe there was some added value?
The first part was intended to be taken somewhat humorously. Yes, you had the --now, Samuel didn't; you added value. But I had already done what he suggested before your post arrived, and in several minutes would be shutting down for the night. So I wasn't going to re-enter the command with the --now.
[... snip ...]
Samuel beat you on this systemctl command too.
-bash.4[~]: firewall-cmd --permanent --zone=public --remove-service=mdns
success
-bash.5[~]: firewall-cmd --reload
success
-bash.6[~]:
Are there prizes for being the quickest to respond? :-) :-)
It wouldn't be a fair contest since Samuel is one time zone away and you're 15 time zones away (if I remember correctly, and neither of you has moved). :)
There are a few lesser things mentioned by others who posted to this thread. I hope to address those tomorrow.
I pretty much think this topic has been totally addressed and feel there really is no need to go about tilting at windmills.
Strange expression. Haven't heard it before. I'll have to ask those Dutch organists that I frequently like to watch perform on youtube what that means.
:-)
On 06/12/2020 06:53, home user wrote:
The first part was intended to be taken somewhat humorously.
Yes, as was my reply....
It wouldn't be a fair contest since Samuel is one time zone away and you're 15 time zones away (if I remember correctly, and neither of you has moved). :)
But, with my cats forcing me to get up at odd hours I thought, perhaps, they would give me an edge. :-)
Strange expression. Haven't heard it before. I'll have to ask those Dutch organists that I frequently like to watch perform on youtube what that means.
It is from the novel "Don Quixote" by Miguel de Cervantes. If I recall correctly it was written in the early 17th century.
--- The key to getting good answers is to ask good questions.
On 12/5/20 2:53 PM, home user wrote:
On 12/4/20 10:45 PM, Ed Greshko wrote:
I pretty much think this topic has been totally addressed and feel there really is no need to go about tilting at windmills.
Strange expression. Haven't heard it before. I'll have to ask those Dutch organists that I frequently like to watch perform on youtube what that means.
Google would have told you right away: Don Quixote
I haven't read the book, but I'm aware of the expression. Now I'm curious and will have to ask around to see how generally well-known it is.
(part 1)
After the experience of this thread, a tool I'd like to see is something like netstat or ss or the network activity (bottom panel) of the ksysguard, except it would show:
* incoming traffic after firewall screening but before the "passed" traffic reaches the rest of the system, and
* outgoing traffic after firewall screening but before the "passed" traffic goes out to the modem.
Using crude diagrams:
modem ----> firewall ----> new tool ----> work station consumer of data (browser, dnf, e-mail client, etc.)
work station producer of data ----> firewall ----> new tool ----> modem
I'm saying this with the faint hope that someone on this list knows somebody who knows somebody who .... who knows somebody who (for example) is a university computer science professor who has a senior class needing a good team project. I think such a tool could be very useful.
(part 2)
I opened this thread believing that incoming network traffic was f-a-r less than what it really is, and not realizing that ksysguard (and netstat and ss) were showing network traffic before firewall screening rather than after firewall screening. Yow! What an eye-opener this has been. I'm glad that nothing malicious seems to be on my work station. So the mysterious internet activity is there, but the incoming is being blocked by the firewall, and the outgoing is the firewall's rejections.
I thank the 9 list members ... and Ed's puddy tats! ... (*) for their time, effort, and patience(!) trying to help me.
I've tagged this thread SOLVED.
Bill.
(*) (for the younger list members) "Puddy Tat": from Sylvester and Tweety Pie cartoons - Tweety Pie's word for "cat".
On Sat, 5 Dec 2020 19:28:15 -0700 home user wrote:
and the outgoing is the firewall's rejections
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
Very much like the difference between ignoring spam and replying to it :-).
On 12/5/20 7:43 PM, Tom Horsley wrote:
On Sat, 5 Dec 2020 19:28:15 -0700 home user wrote:
and the outgoing is the firewall's rejections
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
Very much like the difference between ignoring spam and replying to it :-).
I know even less than you about this.
It's very possible that I'm mis-understanding or improperly extrapolating something someone else said earlier in this thread.
On 12/5/20 4:46 PM, Samuel Sieb wrote:
Google would have told you right away: Don Quixote
I haven't read the book, but I'm aware of the expression. Now I'm curious and will have to ask around to see how generally well-known it is
It's still well-known 400 years after it was published.
On 12/5/20 6:43 PM, Tom Horsley wrote:
On Sat, 5 Dec 2020 19:28:15 -0700 home user wrote:
and the outgoing is the firewall's rejections
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
The default for firewalls is to drop packets instead of rejecting them. Rejecting sends an ICMP packet back saying the connection wasn't allowed.
Very much like the difference between ignoring spam and replying to it :-).
Yes, very similar. Rejecting would be like replying to the email with an unsubscribe request.
On 12/5/20 9:24 PM, Samuel Sieb wrote:
and the outgoing is the firewall's rejections
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
The default for firewalls is to drop packets instead of rejecting them. Rejecting sends an ICMP packet back saying the connection wasn't allowed.
How do I check what is actually happening?
If the firewall is sending the ICMP packets, then how do I change it so it merely drops the packets?
On Sat, 2020-12-05 at 21:43 -0500, Tom Horsley wrote:
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
Very much like the difference between ignoring spam and replying to it :-).
Not quite.
There's at least two schools of thought on firewalling:
1. Ignore the connection attempt and pretend you're not there. However, that ideology is flawed because "not being there" would actually generate a different kind of failure.
2. Deny the connection attempt. A hacker knows someone's there just the same as in the prior situation. An accidentally misconfigured network trying to connect to you gets error messages that guide them into fixing up their network.
Either way, if they're trying to get *you* they'll keep on trying; if it's just random probes trying to find anything by pot luck, they'll still keep on trying.
Some networks are perpetually being scanned for things to break into. Probably all networks are, but some are better at firewalling themselves so you don't notice.
I'm in Australia. I once got spurious connection attempts from a government office in a country behind the iron curtain. I could be paranoid about it, but their IP was one digit off my IP. I'd call that a configuration error.
On 06/12/2020 12:49, home user wrote:
On 12/5/20 9:24 PM, Samuel Sieb wrote:
and the outgoing is the firewall's rejections
I'm no expert, but I believe the firewall can be set to utterly ignore things it blocks rather than sending a rejection. Generally this is more useful for things connected to the internet at large since you'll just get random probes rather than torrential attacks once they figure out there is something there they can try to break into.
The default for firewalls is to drop packets instead of rejecting them. Rejecting sends an ICMP packet back saying the connection wasn't allowed.
How do I check what is actually happening?
wireshark. :-) :-)
If the firewall is sending the ICMP packets, then how do I change it so it merely drops the packets?
If you want to make your system "invisible" and won't be running any services you should simply change the zone of your internet interface from "public" to "drop".
firewall-cmd --permanent --zone=drop --change-interface=eno1
firewall-cmd --reload
Then, if someone from the outside world attempts to ssh to your system.....
[egreshko@meimei ~]$ ssh 192.168.122.26 ^C
No indication and I did a ctrl-C to kill the attempt. I think it would have eventually timed out.
--- The key to getting good answers is to ask good questions.
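The difference between Ed's "drop" zone and the "public" zone, and Samuel's and Tom's point about rejecting versus silently dropping, comes down to what the host sends back for an unsolicited packet. The model below is an added example (not code from the thread or from firewalld) that plays firewalld's zone decision for the packets this thread discusses. It assumes firewalld's documented behaviour: a zone with target "default" (the public zone) rejects unmatched new connections with an ICMP "prohibited" error (icmp-host-prohibited for IPv4, icmp6-adm-prohibited for IPv6), the drop zone discards them with no reply, and a listed service is accepted. It also applies the RFC 1122 rule that no ICMP error is ever generated for a packet sent to a broadcast or multicast address, so a rejected LAN beacon still produces no outbound reply. The service-to-port map comes from firewalld's service definitions; the sample packets are constructed.

```python
"""Model what a firewalld zone does with unsolicited inbound packets.

Added example, not from the thread. Assumes firewalld's documented zone
targets (default = REJECT with ICMP prohibited, DROP = silent, ACCEPT) and
the RFC 1122 rule that broadcast/multicast packets never get ICMP errors.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Ports opened by the firewalld services named in the thread (from firewalld's
# service definitions; dhcpv6-client's link-local restriction is ignored here).
SERVICE_PORTS = {
    "dhcpv6-client": {(546, "udp")},
    "mdns": {(5353, "udp")},
    "ssh": {(22, "tcp")},
}


@dataclass(frozen=True)
class Zone:
    name: str
    target: str                 # "default", "DROP" or "ACCEPT"
    services: FrozenSet[str]


@dataclass(frozen=True)
class Packet:
    port: int
    proto: str
    broadcast: bool = False     # destination is a broadcast/multicast address
    ipv6: bool = False


@dataclass(frozen=True)
class Verdict:
    action: str                 # "ACCEPT", "REJECT" or "DROP"
    reply: Optional[str]        # what the host sends back, if anything
    sender_sees: str            # what the unsolicited sender observes


# The thread's zones: public as posted, public after removing mdns, and drop.
PUBLIC = Zone("public", "default", frozenset({"dhcpv6-client", "mdns"}))
PUBLIC_NO_MDNS = Zone("public", "default", PUBLIC.services - {"mdns"})
DROP = Zone("drop", "DROP", frozenset())

# Constructed sample of unsolicited traffic arriving on eno1.
SAMPLE_PACKETS: List[Packet] = [
    Packet(2190, "udp", broadcast=True),         # TiVoConnect beacon from the subnet
    Packet(5353, "udp", broadcast=True),         # mDNS query (multicast)
    Packet(22, "tcp"),                           # unicast ssh probe
    Packet(546, "udp", ipv6=True),               # DHCPv6 reply to the client
]


def decide(zone: Zone, pkt: Packet) -> Verdict:
    """Apply the zone to one unsolicited inbound packet."""
    opened = set().union(*(SERVICE_PORTS.get(s, set()) for s in zone.services))
    if (pkt.port, pkt.proto) in opened or zone.target == "ACCEPT":
        return Verdict("ACCEPT", None, "packet delivered to the listening process")
    if zone.target == "DROP":
        return Verdict("DROP", None, "no answer at all; the attempt times out")
    # target "default": firewalld's public zone rejects unmatched packets, but
    # ICMP errors are never sent for broadcast/multicast destinations.
    if pkt.broadcast:
        return Verdict("REJECT", None, "nothing; broadcasts get no ICMP error")
    reply = "icmp6-adm-prohibited" if pkt.ipv6 else "icmp-host-prohibited"
    return Verdict("REJECT", reply, "an immediate 'No route to host' style error")


def reply_count(zone: Zone, packets: List[Packet]) -> int:
    """Inbound packets that make the host transmit: the 'outgoing' share a
    per-interface counter such as ksysguard's attributes to the firewall."""
    return sum(decide(zone, p).reply is not None for p in packets)


if __name__ == "__main__":
    for zone in (PUBLIC, PUBLIC_NO_MDNS, DROP):
        print(f"zone {zone.name} ({zone.target}):")
        for pkt in SAMPLE_PACKETS:
            v = decide(zone, pkt)
            print(f"  {pkt.port}/{pkt.proto:<4} {v.action:<7} reply={v.reply}  {v.sender_sees}")
        print(f"  replies sent: {reply_count(zone, SAMPLE_PACKETS)}")
```

Running it shows why Ed's ssh test above hangs under the drop zone (no reply, the client waits for its own timeout) while the same probe against the public zone gets an immediate ICMP error; it also shows that the TiVo beacons, being broadcasts, never trigger a reply in either zone, so they cannot account for outbound bytes on the interface.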
On Sat, 2020-12-05 at 15:46 -0800, Samuel Sieb wrote:
On 12/5/20 2:53 PM, home user wrote:
On 12/4/20 10:45 PM, Ed Greshko wrote:
I pretty much think this topic has been totally addressed and feel there really is no need to go about tilting at windmills.
Strange expression. Haven't heard it before. I'll have to ask those Dutch organists that I frequently like to watch perform on youtube what that means.
Google would have told you right away: Don Quixote
I haven't read the book, but I'm aware of the expression. Now I'm curious and will have to ask around to see how generally well-known it is.
It's extremely well-known, in fact it's probably the only thing most English speakers know about Don Quixote, though it's only a fairly minor incident early in the novel.
poc
On Thu, 3 Dec 2020 at 06:00, Ed Greshko ed.greshko@greshko.com wrote:
[...] I can't think of anyone that would go through the trouble of unpacking pcap output to find IP addresses they could attack. They either farm IP addresses from emails, dns queries, or just plain find blocks of IP addresses to attack.
To this observation, add the fact that I have a few systems which are "open" for the express purpose of cataloging where ssh attacks are sourced. The systems I have are both IPv4 and IPv6. All attacks have been against IPv4. In over a year of these systems supporting IPv6 there have been Zero attacks on those addresses.
As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
On 07/12/2020 03:43, George N. White III wrote:
On Thu, 3 Dec 2020 at 06:00, Ed Greshko <ed.greshko@greshko.com> wrote:
[...] I can't think of anyone that would go through the trouble of unpacking pcap output to find IP addresses they could attack. They either farm IP addresses from emails, dns queries, or just plain find blocks of IP addresses to attack. To this observation, add the fact that I have a few systems which are "open" for the express purpose of cataloging where ssh attacks are sourced. The systems I have are both IPv4 and IPv6. All attacks have been against IPv4. In over a year of these systems supporting IPv6 there have been Zero attacks on those addresses. As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
I'll let you know if that happens.
--- The key to getting good answers is to ask good questions.
On 07/12/2020 03:43, George N. White III wrote:
On Thu, 3 Dec 2020 at 06:00, Ed Greshko <ed.greshko@greshko.com> wrote:
[...] I can't think of anyone that would go through the trouble of unpacking pcap output to find IP addresses they could attack. They either farm IP addresses from emails, dns queries, or just plain find blocks of IP addresses to attack. To this observation, add the fact that I have a few systems which are "open" for the express purpose of cataloging where ssh attacks are sourced. The systems I have are both IPv4 and IPv6. All attacks have been against IPv4. In over a year of these systems supporting IPv6 there have been Zero attacks on those addresses. As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
Oh, I think it is also worth noting that in over one year of collecting data on brute force ssh attempts the "attackers" never once used, except for root, a username which actually exists on the system.
--- The key to getting good answers is to ask good questions.
On Sun, 2020-12-06 at 15:43 -0400, George N. White III wrote:
As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
I have to wonder how that's going to go. With IPv4 most people were behind NAT (which isn't a firewall but does get in the way of external traffic). IPv6 is supposed to aid us in not needing to do NAT anymore, so more things could be directly addressable from the outside world. And understanding IPv6 addresses is more complicated.
On 12/5/20 11:20 PM, Ed Greshko wrote:
If you want to make your system "invisible" and won't be running any services you should simply change the zone of your internet interface from "public" to "drop".
firewall-cmd --permanent --zone=drop --change-interface=eno1
firewall-cmd --reload
-bash.1[~]: firewall-cmd --permanent --zone=drop --change-interface=eno1
The interface is under control of NetworkManager, setting zone to 'drop'.
success
-bash.2[~]: firewall-cmd --reload
success
-bash.3[~]:
I spent some time in the firewall-cmd man page trying to figure this out. It's over my head. Back in the '70s, I tried in 3 separate computer science courses to learn "lisp". I failed. I don't know which is harder: firewalls and network management, or lisp! I'm going back to thinking of a firewall as that part of my ol' jalopy that separates me (in the driver's seat) from the engine compartment! :)
Then, if someone from the outside world attempts to ssh to your system.....
[egreshko@meimei ~]$ ssh 192.168.122.26 ^C
No indication and I did a ctrl-C to kill the attempt. I think it would have eventually timed out.
(Don Quixote)
Is Don Quixote available as an English-language movie?
Thank-you, Ed, for the firewall-cmd commands above. Bill.
On 07/12/2020 13:06, home user wrote:
I'm going back to thinking of a firewall as that part of my ol' jalopy that separates me (in the driver's seat) from the engine compartment! :)
Well, that is the origin of the term.
(Don Quixote)
Is Don Quixote available as an English-language movie?
I have not watched any of these. But, you can go to https://www.imdb.com/ and search for Quixote. I would consider watching the movie with John Lithgow in the title role. Only because I've enjoyed some of Lithgow's work. Sadly, the work by Orson Welles is unfinished and probably would have done the book justice.
--- The key to getting good answers is to ask good questions.
On 07/12/2020 11:11, Tim via users wrote:
On Sun, 2020-12-06 at 15:43 -0400, George N. White III wrote:
As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
I have to wonder how that's going to go. With IPv4 most people were behind NAT (which isn't a firewall but does get in the way of external traffic). IPv6 is supposed to aid us in not needing to do NAT anymore, so more things could be directly addressable from the outside world. And understanding IPv6 addresses is more complicated.
On the subject of "collect active IPv6 addresses", that is rather a complicated issue.
Unlike IPv4 and DHCP deployment by ISPs, which tend to result in the same IP address being assigned to users, I've noticed that ISPs tend to use IPv6 Stateless Address Autoconfiguration (rfc4862). If you check the email headers from home_user you'd see that he has a different IPv6 address on different days.
His ISP is Comcast and the IPv6 address space they have is 2001:558:6040::/48. That address space has 1208925819614629174706176 addresses. Of course the ISPs will segment this address space so the address space in a user's area will be less, but not insignificant.
I happen to have contracted with my ISP for fixed IPv4 and IPv6 addresses. The address space assigned to me for IPv6 is 2001:b030:112f:0000::/56 or 4722366482869645213696 addresses. I've segmented this into 256 networks of /64 where each subnet has 18,446,744,073,709,551,616 addresses.
--- The key to getting good answers is to ask good questions.
On Sun, 2020-12-06 at 22:06 -0700, home user wrote:
Is Don Quixote available as an English-language movie?
Not really. There are several Spanish versions (see IMDB) but the book is so expansive that it's hard to imagine a successful movie adaptation. It would probably have to be a mini-series at least. It's an incredibly modern creation given that it was written 4 centuries ago (e.g. in the second volume the two heroes come across people who claim to know all about Don Quixote because they've read the first volume, but they're wrong). There's a recent film by Terry Gilliam, "The Man Who Killed Don Quixote", which is a kind of meta-story about trying to film it. I didn't much care for it to be honest.
I highly recommend the Audible version if you're into that. A good translation and well-told.
Anyway, this is getting really off-topic :-)
poc
On 12/7/20 4:45 AM, Patrick O'Callaghan wrote:
On Sun, 2020-12-06 at 22:06 -0700, home user wrote:
Is Don Quixote available as an English-language movie?
Not really. There are several Spanish versions (see IMDB) but the book is so expansive that it's hard to imagine a successful movie adaptation.
The Man of La Mancha.
On Mon, 2020-12-07 at 12:41 -0700, Joe Zeff wrote:
On 12/7/20 4:45 AM, Patrick O'Callaghan wrote:
On Sun, 2020-12-06 at 22:06 -0700, home user wrote:
Is Don Quixote available as an English-language movie?
Not really. There are several Spanish versions (see IMDB) but the book is so expansive that it's hard to imagine a successful movie adaptation.
The Man of La Mancha.
Man of La Mancha is a musical based on Don Quixote. I wouldn't regard it as the same thing, but it's a matter of opinion.
poc
On 12/7/20 4:50 PM, Patrick O'Callaghan wrote:
Man of La Mancha is a musical based on Don Quixote. I wouldn't regard it as the same thing, but it's a matter of opinion.
Neither do I, but at least you can get an idea of what the story's about by watching it.
Privacy Extensions for Stateless Address Autoconfiguration in IPv6
On Mon, 7 Dec 2020 at 05:18, Ed Greshko ed.greshko@greshko.com wrote:
On 07/12/2020 11:11, Tim via users wrote:
On Sun, 2020-12-06 at 15:43 -0400, George N. White III wrote:
As more systems use IPv6, bad actors will have to collect active IPv6 addresses. You may be one of the first to see that start.
I have to wonder how that's going to go. With IPv4 most people were behind NAT (which isn't a firewall but does get in the way of external traffic). IPv6 is supposed to aid us in not needing to do NAT anymore, so more things could be directly addressable from the outside world. And understanding IPv6 addresses is more complicated.
On the subject of "collect active IPv6 addresses", that is rather a complicated issue.
That just means service providers can charge more for data that links IPv6's to customers by time-intervals.
Unlike IPv4 and DHCP deployment by ISPs, which tend to result in the same IP address being assigned to users, I've noticed that ISPs tend to use IPv6 Stateless Address Autoconfiguration (rfc4862). If you check the email headers from home_user you'd see that he has a different IPv6 address on different days.
Again, adds value to ISP's data. There is rfc4941 -- Privacy Extensions for Stateless Address Autoconfiguration in IPv6
His ISP is Comcast and the IPv6 address space they have is 2001:558:6040::/48. That address space has 1208925819614629174706176 addresses. Of course the ISPs will segment this address space so the address space in a user's area will be less, but not insignificant.
I happen to have contracted with my ISP for fixed IPv4 and IPv6 addresses. The address space assigned to me for IPv6 is 2001:b030:112f:0000::/56 or 4722366482869645213696 addresses. I've segmented this into 256 networks of /64 where each subnet has 18,446,744,073,709,551,616 addresses.
Address hopping (6HOP) might add enough complexity to blow up your ISP's database:
https://publications.sba-research.org/publications/201707%20-%20JUDMAYER%20-...
Wondering what the CO2 footprint of IPv6 address generation will be?
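Two things in Ed's and George's exchange above are easy to check for yourself: the size of the address blocks Ed quotes, and whether a SLAAC address is the stable, MAC-derived kind (RFC 4862 modified EUI-64, which lets an observer link your traffic across days and networks) or an RFC 4941 temporary address with an opaque interface identifier. The script below is an added example written for this thread, not code from any of the posters or from any RFC implementation. It uses Python's standard ipaddress module; the prefixes are the ones Ed quotes, and the sample host addresses (the fe80:: and 2001:db8:: ones) are constructed for illustration.

```python
import ipaddress


def address_count(prefix):
    """Number of addresses in an IPv6 prefix such as '2001:558:6040::/48'."""
    return ipaddress.IPv6Network(prefix, strict=False).num_addresses


def split_into_64s(prefix):
    """Carve a prefix into /64 subnets (the size SLAAC expects); returns strings."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(s) for s in net.subnets(new_prefix=64)]


def eui64_mac(address):
    """Recover the MAC address if the interface identifier is a modified EUI-64.

    RFC 4862 SLAAC builds the low 64 bits from the MAC by inserting ff:fe in
    the middle and flipping the universal/local bit of the first byte.  If
    that ff:fe marker is present we undo the transform and return the MAC as
    'aa:bb:cc:dd:ee:ff'.  Otherwise return None: the identifier is opaque,
    which is what RFC 4941 temporary addresses (and stable-privacy
    identifiers) look like, and it does not expose the hardware address.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02                      # undo the universal/local bit flip
    mac = bytes([first]) + b[1:3] + b[5:8]   # drop the two inserted ff:fe bytes
    return ":".join(f"{x:02x}" for x in mac)


def describe(address):
    """One-line privacy verdict for an address (added helper, not from the thread)."""
    mac = eui64_mac(address)
    if mac is None:
        return f"{address}: opaque interface identifier (no MAC exposed)"
    return f"{address}: MAC-derived identifier, exposes {mac} and is trackable"


if __name__ == "__main__":
    # Ed's figures: Comcast's /48 and his own /56, split into 256 /64 subnets.
    for prefix in ("2001:558:6040::/48", "2001:b030:112f:0000::/56"):
        print(prefix, address_count(prefix))
    subnets = split_into_64s("2001:b030:112f:0000::/56")
    print(len(subnets), "subnets, first", subnets[0], "last", subnets[-1],
          "each with", address_count(subnets[0]), "addresses")
    # Constructed sample addresses: one EUI-64 style, one with a random identifier.
    print(describe("fe80::211:22ff:fe33:4455"))
    print(describe("2001:db8::1234:5678:9abc:def0"))
```

To check your own machine, feed the global addresses from `ip -6 addr show` to `describe()`: a result showing your MAC means privacy extensions are off for that interface (NetworkManager's ipv6.addr-gen-mode and ipv6.ip6-privacy settings control this), while an opaque identifier means the daily address changes Ed noticed are not trivially linkable to your hardware.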
After a weekly patching and several boots, what Ed suggested continues to work. This includes e-mail, browser, dnf upgrade, dnf install, zoom, and video downloads (via Firefox add-on and via command line). As best as I can see, nothing got broken and everything works as it should. So I'm tagging this REALLY solved. I thank Samuel for bringing up the additional caution, Ed for the solution, and others for the further discussion.
I did find a youtube video of a musical performance of Man of La Mancha. I tried to watch it. Poor focus. I did not watch all the way through. But now I know where the song "To Dream the Impossible Dream" comes from.