Solved: Figure out which process is initiating an outbound connection?

CaffeineAddict

I have a few dropped outbound packets in my firewall log that look like this:

Bash:
DROP default new_out_4: IN= OUT=<NIC> SRC=<local IP> DST=<remote IP> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43196 DF PROTO=TCP SPT=42618 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1 GID=1

I know it's the root user that's initiating the connection, due to UID=1 GID=1, but I block the root user from making any outbound connections.
How would you go about figuring out which process is responsible?
 


There are several ways to do this, but all depend on parts of the info presented here.

Code:
# lsof: match on the local address and the source port from the log line
lsof -i -n -P | grep '<local IP>:42618'

# netstat/ss: -a lists all sockets; -l would show listening sockets only and hide an outbound SYN
netstat -tunap | grep 42618

ss -tunap | grep 42618

# tcpdump confirms the traffic on the wire for that port (it does not show a PID)
tcpdump -i <NIC> port 42618
Replace <NIC> with the interface name: enp3s0, eno1, or whatever.

Once you have the PID, you can use ps to get more details about the process.

Code:
ps -p <PID> -o pid,ppid,cmd,%mem,%cpu
 
This is awesome, I'm now running 2 terminals side by side.

In one of them I'm following the firewall logs with lnav and waiting for the connection to happen.
In the other terminal I'm running sudo lsof -i4 -n -P -r1 so that it's able to capture the PID.

This is just awesome, I believed it was impossible.

edit:

Btw, does anyone know how I could limit sudo lsof -i4 -n -P -r1 to the root user?
I tried sudo lsof -i4 -n -P -r1 -u root, however this negates the -i4 and shows all files, not just network connections, producing irrelevant info.

I know I could do sudo lsof -i4 -n -P -r1 | grep root, but I'm curious whether lsof has an option that avoids grep.
 
@dos2unix
You rock! I managed to pinpoint what's generating the traffic:

Bash:
sudo lsof -i4 -n -P -r1
debsecan 75876 daemon 3u IPv4 374983 0t0 TCP <local IP>:46338->151.101.2.132:443 (SYN_SENT)

Bash:
ps au -p 75876
daemon 75876 0.0 0.1 43912 28852 ? S 03:50 0:00 /usr/bin/python3 /usr/bin/debsecan --cron

However, now I spotted a mistake: UID=1 is not root but the daemon user, which agrees with the lslogins output.

This issue is solved, but I'd still like to know how to limit sudo lsof -i4 -n -P -r1 to a user while preserving the networking output.
If -u username is added to the command, it lists all files, not just sockets.
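The workflow from dos2unix's answer (firewall log line to source port, source port to PID, PID to ps) and the still-open question about scoping lsof to one user, as an added example that is not code from the thread, from lsof's authors or from any linked project: the script pulls the SRC/DST/SPT/UID fields out of a netfilter DROP line, turns them into the matching ss and lsof queries, extracts the PID from ss's users:(...) column, and maps the numeric UID to an account name, which is the step that would have caught the UID=1 = daemon mix-up early. The log line and the ss output below are constructed samples in the same layout as the thread's; the lsof -a flag, which makes -u and -i4 AND together instead of OR, is documented lsof(8) behaviour.

```shell
#!/bin/sh
# Added example, not from the thread: parse a netfilter DROP line, derive the
# socket-table queries for that flow, and build the lsof query with -a so that
# -u and -i4 are ANDed instead of ORed.

# Constructed sample log line in the same layout as the one in the first post.
SAMPLE_LOG='DROP default new_out_4: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43196 DF PROTO=TCP SPT=42618 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1 GID=1'

# Constructed sample of what `ss -tanp` prints for a half-open outbound connection.
SAMPLE_SS='SYN-SENT 0 1 192.0.2.10:42618 198.51.100.7:443 users:(("debsecan",pid=75876,fd=3))'

# log_field LINE KEY: print the value of KEY= in a netfilter log line (empty if absent).
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# uid_name UID: map a numeric UID to its account name (on Debian UID 1 is "daemon",
# not root, which is the mix-up in the thread). Falls back to the number itself.
uid_name() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    if [ -z "$name" ] && [ -r /etc/passwd ]; then
        name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd)
    fi
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf '%s\n' "$1"; fi
}

# ss_filter LINE: ss(8) filter expression selecting sockets bound to the dropped
# packet's source port, used as  ss -tanp "$(ss_filter "$line")"
ss_filter() {
    printf 'sport = :%s\n' "$(log_field "$1" SPT)"
}

# ss_pid SS_LINE: extract the owning PID from the users:((...,pid=N,...)) column.
ss_pid() {
    printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# lsof_cmd LINE: lsof restricted to the flow's UID *and* IPv4 sockets. lsof ORs its
# selection options by default; -a makes it AND them, so -u no longer widens the
# listing to every file that user has open. Append -r1 to repeat every second.
lsof_cmd() {
    printf 'lsof -a -n -P -i4 -u %s\n' "$(log_field "$1" UID)"
}

# ps_cmd PID: the follow-up query once the PID is known.
ps_cmd() {
    printf 'ps -p %s -o pid,ppid,user,cmd\n' "$1"
}

# With a log line as the only argument, do the live ss/ps lookup (run as root so
# ss -p can see other users' sockets); with no argument, walk the constructed sample.
line=${1:-$SAMPLE_LOG}
echo "flow: $(log_field "$line" SRC):$(log_field "$line" SPT) -> $(log_field "$line" DST):$(log_field "$line" DPT) uid=$(uid_name "$(log_field "$line" UID)")"
echo "socket query: ss -tanp '$(ss_filter "$line")'"
echo "user-scoped query: $(lsof_cmd "$line")"
if [ $# -gt 0 ]; then
    pid=$(ss_pid "$(ss -tanp "$(ss_filter "$line")" | tail -n +2 | head -n 1)")
    [ -n "$pid" ] && ps -p "$pid" -o pid,ppid,user,cmd
else
    echo "from sample ss output: $(ps_cmd "$(ss_pid "$SAMPLE_SS")")"
fi
```

The answer to the open question is the -a in lsof_cmd: sudo lsof -a -i4 -n -P -r1 -u root keeps the repeating listing to root's IPv4 sockets without a grep. The uid_name step is worth keeping in the loop because netfilter logs the numeric UID only, so the same log line reads very differently once 1 resolves to daemon rather than root.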
 

