firewire
(Martin Koller)
25 2024 18:35
1
Hi there,
I see 30k plus per day dropped connection requests to port 80 and 443 from AWS cloud IPs in Bahrain.
As you may guess, I have enabled location block for that country.
Amazon helped a bit and their customer explained that these connections would belong to normal activities regarding Epic Games.
The problem is: I’ve no Epic Games installation anywhere in my network.
However, I tried to monitor the outgoing connections on ipfire and found e.g. this when using iftop -i red0:
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:51606
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:44360
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:38102
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:15927
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:4614
my.host.name:www-http => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:14415
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:57658
my.host.name:https => ec2-15-185-242-57.me-south-1.compute.amazonaws.com:54856
Is there any tool available on ipfire to constantly track and filter those connections, so that I find out which process/app/ip is causing that?
Thank you for hints.
Maybe try tcpdump or tshark to look at the traffic packets and tell it to only record those that contain ec2-15-185-242-57
I would expect that the output of either of those programs should include the IP of the source of those packets in your network.
I don’t use either of those programs very often so I can’t help on syntax of the commands.
2 Likes
firewire
(Martin Koller)
25 2024 20:49
3
Thank you, that helped. Please allow a short off topic here. I tried to track those incoming connections on my web server on orange as shown below:
netstat -atulpn | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1404/nginx: master
tcp 0 0 internal.ip:80 15.185.243.219:17536 SYN_RECV -
or
netstat -atulpn | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1404/nginx: master
tcp 0 0 internal.ip:443 15.185.243.219:16978 SYN_RECV -
show a lot of SYN_RECV but no established connections to the AWS Bahrain subnets. It seems that just a lot of connections (60+ per port) are opened and then closed again.
I mean, that isn’t normal, is it?
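As an added example (not code from this thread, nor from IPFire), here is a small Python script that does what the tcpdump/tshark suggestion and the netstat listings above are getting at: it parses `netstat -atulpn` output, works out for each line whether the remote side initiated the connection (our local port is a listening service port, the remote port is ephemeral), counts SYN_RECV against ESTABLISHED per remote address, flags remotes that only ever reach the half-open state, and prints a BPF filter for confirming the pattern on red0 with tcpdump. The sample netstat text is constructed for the example (the two 15.185.x.x addresses come from the thread; the internal address, PIDs, the 192.0.2.x and 198.51.100.x peers and the threshold are made up).

```python
"""Summarise half-open (SYN_RECV) inbound connections per remote address from netstat output.

Example code, not from the thread. Point it at real output with:
    netstat -atulpn | python3 synrecv_report.py
or run it as-is to process the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the thread's netstat lines (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd: /usr/sbin
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1404/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1404/nginx: master
tcp 0 0 10.0.0.5:80 15.185.243.219:17536 SYN_RECV -
tcp 0 0 10.0.0.5:80 15.185.243.219:17540 SYN_RECV -
tcp 0 0 10.0.0.5:443 15.185.243.219:16978 SYN_RECV -
tcp 0 0 10.0.0.5:443 15.185.242.57:4614 SYN_RECV -
tcp 0 0 10.0.0.5:443 192.0.2.10:51000 ESTABLISHED 1405/nginx: worker
tcp 0 0 10.0.0.5:22 192.0.2.10:51001 ESTABLISHED 901/sshd: session
tcp 0 0 10.0.0.5:44321 198.51.100.7:443 ESTABLISHED 2210/curl
udp 0 0 0.0.0.0:68 0.0.0.0:* 800/dhclient
"""

# One netstat connection line: proto, queues, local addr:port, remote addr:port,
# optional TCP state (UDP lines have none), then PID/program (or "-").
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<proc>.*)$"
)


def parse_netstat(text):
    """Return a list of dicts, one per connection line; headers and odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["state"] = row["state"] or ""
        row["proc"] = row["proc"].strip()
        rows.append(row)
    return rows


def summarise(rows, threshold=3):
    """Count SYN_RECV / ESTABLISHED per remote address for *inbound* connections only.

    A connection is inbound when our local port is one we LISTEN on; the remote end
    chose its ephemeral port, so the remote end is the initiator. That is also why
    netstat shows "-" for SYN_RECV: a half-open socket is held by the kernel on behalf
    of the listener and has not been handed to any process yet.
    Returns (per_remote, flagged): flagged remotes have >= threshold SYN_RECV and no
    ESTABLISHED connection at all.
    """
    listen_ports = {r["lport"] for r in rows if r["state"] == "LISTEN"}
    per_remote = defaultdict(lambda: {"SYN_RECV": 0, "ESTABLISHED": 0, "ports": set()})
    for r in rows:
        if r["state"] in ("LISTEN", "") or r["raddr"] in ("0.0.0.0", "::", "*"):
            continue                      # listeners and UDP carry no peer state
        if r["lport"] not in listen_ports:
            continue                      # outbound: a local process opened it
        entry = per_remote[r["raddr"]]
        if r["state"] in entry:
            entry[r["state"]] += 1
        entry["ports"].add(r["lport"])
    per_remote = dict(per_remote)
    flagged = {ip: e for ip, e in per_remote.items()
               if e["SYN_RECV"] >= threshold and e["ESTABLISHED"] == 0}
    return per_remote, flagged


def tcpdump_filter(ips, ports):
    """BPF expression matching SYN segments from the flagged remotes to the service ports."""
    hosts = " or ".join(f"host {ip}" for ip in sorted(ips))
    port_expr = " or ".join(f"port {p}" for p in sorted(ports, key=int))
    return f"({hosts}) and ({port_expr}) and tcp[tcpflags] & tcp-syn != 0"


def report(text, threshold=3):
    """Build a human-readable report; returns the lines so callers can also inspect them."""
    per_remote, flagged = summarise(parse_netstat(text), threshold)
    lines = []
    for ip, e in sorted(per_remote.items()):
        mark = "  <-- half-open only" if ip in flagged else ""
        lines.append(f"{ip:18} SYN_RECV={e['SYN_RECV']:3} ESTABLISHED={e['ESTABLISHED']:3} "
                     f"ports={','.join(sorted(e['ports'], key=int))}{mark}")
    if flagged:
        ports = set().union(*(e["ports"] for e in flagged.values()))
        lines.append("confirm on the wire with:  tcpdump -ni red0 '"
                     + tcpdump_filter(flagged, ports) + "'")
    return lines


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print("\n".join(report(source)))
```

Run the script in a loop (or feed it `ss -tan state syn-recv` output after adjusting the regex) while the burst is under way; a remote that accumulates SYN_RECV entries but never reaches ESTABLISHED is sending connection attempts it does not complete, which matches the "opened and then closed again" behaviour in the listing above and is consistent with there being no local process to find. The printed tcpdump filter needs to stay single-quoted because of the `&` and `!` characters.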
firewire
(Martin Koller)
26 2024 15:35
4
Though calling lsof -i in a loop I was not able to identify a process causing those “bursts” of connection trials. Stopping services on the involved machine didn’t help either.
So I created some location based inbound rules for RED, adjusted Location Block on the corresponding ipFire page and the traffic disappeared immediately (for now).
2 Likes