Solved Figure out which process is initiating outbound connection?

Solved issue
CaffeineAddict

CaffeineAddict

Well-Known Member
Joined
Jan 21, 2024
Messages
2,506
Reaction score
2,050
Credits
20,296
I have few dropped outbound packets in my firewall log that look like this:

Bash: 
DROP default new_out_4: IN= OUT=<NIC> SRC=<local IP> DST=<remote IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43196 DF PROTO=TCP SPT=42618 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1 GID=1

I know it's root user that's initiating connection due to UID=1 GID=1, but I block root user from making any connections outbound.
How would you go about figuring out which process is responsible?
 


Several ways to do this. But all depend on parts of the info presented here.

Code: 
lsof -i -n -P | grep <local IP>:42618

 netstat -tulnp | grep 42618

ss -tulnp | grep 42618

tcpdump -i <NIC> port 42618
Replace ,NIC> with interface name, emp3s0. or eno1 or whatever.

Once you have the PID, you can use ps to get more details about the process.

Code: 
ps -p <PID> -o pid,ppid,cmd,%mem,%cpu
 
This is awesome, I'm now running 2 terminals side by side.

In one of them I'm following firewall logs with lnav and wait for connection to happen.
In another terminal I'm running sudo lsof -i4 -n -P -r1 so that it's able to capture PID.

This is just awesome, I believed it's impossible.

edit:

Btw. anyone knows how could I limit sudo lsof -i4 -n -P -r1 to root user?
I tried with sudo lsof -i4 -n -P -r1 -u root however this negates the -i4 and shows all files not just network connectiosn producing irrelevant info.

I know I could do sudo lsof -i4 -n -P -r1 | grep root but curious if lsof has an option to avoid grep
 
Last edited:
@dos2unix
You rock! I managed to pinpoint down what's generating the traffic:

Bash: 
sudo lsof -i4 -n -P -r1
debsecan 75876 daemon 3u IPv4 374983 0t0 TCP <local IP>:46338->151.101.2.132:443 (SYN_SENT)
Click to expand...

Bash: 
ps au -p 75876
daemon 75876 0.0 0.1 43912 28852 ? S 03:50 0:00 /usr/bin/python3 /usr/bin/debsecan --cron
Click to expand...

However now I spotted a mistake, UID=1 is not root but daemon user which agrees with lslogins output

This issue is solved, but I'd still like to know how to limit sudo lsof -i4 -n -P -r1 to a user while preserving networking output?
If -u username is added to the command this will list all files not just sockets.
 
You must log in or register to reply here.

Similar threads

CaffeineAddict
Solved Why is Firefox listening on local UDP port?
Replies
13
Views
212
Aristarchus
A
B
Rsyslog not writing messages from Cisco switch
Replies
0
Views
2K
Blinky
B
T
Firewalld hard troubble on HTTP/HTTPS
Replies
4
Views
3K
Trackoow
T
K
How to find out which process opens tcp connection ?
Replies
9
Views
7K
osprey
osprey
H
LAN swamped by TCP messages to DPT 5552
Replies
0
Views
3K
hstoellinger
H


Staff online

Members online

Total: 381 (members: 6, guests: 375)

Latest posts

Top