I detect poneytelecom connections using iftop, but how to block them?
 

I see the http connections using iftop linux tool:

i checked my httpd log folder and found no connections by that IP:
grep -Ril "212.129.28.14|14.28.129.212" /var/zpanel/logs/domains/admin/

Im seeing these connections even i added 212.129.28.14,14.28.129.212 IPs into /etc/hosts.deny which confusing me asking for help what is wrong and how to block it properly. Was looking up if i can block it in iptables according to hostname partial match, but no luck.

Next time please use 'netstat -antpe;' or 'lsof ni;' instead or ensure your tool of choice doesn't use name or service resolving.


Next time use 'dig -t A 212-129-28-14.rev.poneytelecom.eu;' to resolve the host name back to the the IP address if unsure. Run 'grep '212.129.28.14' -r /var/zpanel/logs /var/log;'. May not work if temporary connection. Check web servers status pages (if enabled) to see what resources are requested (if any).


Please refrain from using tcp_wrappers: use firewall (and or fail2ban), application level firewall (mod_security) and application-specific blocking methods instead.


Don't use host names, period. Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.

I'd have added that domain to hosts file. Not host.deny.

Still the order AFAIK should be: firewall, application level firewall, any other application-specific blocking methods. The firewall is meant to deal with this kind of ACL w/o requiring any traffic to be passed to / judged by an application. This offers the best performance, configurability and safety.

i don't think 212.129.28.14 necessarily is the ip of "212-129-28-14.rev.poneytelecom.eu".

Explain in detail (meaning any tool output) how you arrived at that conclusion?

afaiu, 212-129-28-14.rev.poneytelecom.eu is a (sub)domain name, not an ip address.
i know it is customary for e.g. isp providers to name subdomains according to ip addresses provided (i remember this was the case with my mobile broadband connection, but not exactly sure whether i'm phrasing this right), so it is likely that the IP mentioned is indeed connected to that domain, but as far as i can see anybody could name a subdomain of their domain "212-129-28-14", even if it is not at the IP address 212.129.28.14.
i hope i have made myself clear and haven't misused any terminology.
does this help you?

Yes. In return all I have to say you could have spared yourself the effort by just resolving the host name...

oh, there's no effort in communicating with fellow 'nuxers!
anyhow, it was my intention from the beginning to point out that the name of the subdomain has nothing to do with the IP per se, and one could use that deliberately to obfuscate one's intentions.
but just out of curiosity, how would you have spared yourself the effort?

unSpawn: thx, i will try to remember more using lsof and netstat and to first block in firewall.

Not sure how comes that poneytelecom connections are in the iftop, but not in yours adviced netstat or lsof.

I tried to execute this, but "iptables -L" shows no added rules.

I do get your point about obfuscation. It's certainly something to keep in mind (just like I always warn people not to blindly trust a processes argv[0] and always use "-n" if tools offer it) but it's not one of the pitfalls analysing Production environment network traffic as I've experienced over the years (or maybe I'm just lucky I rarely have to deal with advanced threats).


For me it's not a question of "how I would": it's one of my common practices. The reason for using "-n" should be clear: it's fast as no protocol or domain name resolution is needed plus it avoids the operator having to interpret output. Next to that I require uninterpreted output for further processing. Anyway, since about any relevant tool provides such switches (ps, lsof, iptables, netstat, tcpdump etc, etc) it simply boils down to training the right muscle reflexes or using aliases...

What did you look for and how (revisit your shell history if these connections aren't there currently)?


First of all please use 'iptables-save|grep '212.129.0.0/18';' to check or 'iptables -nL|grep '212.129.0.0/18;', or more precise in this case: 'iptables -t raw -nvxL|grep '212.129.0.0/18;' and be aware of any warnings on stderr when executing iptables add / insert commands.

i did iftop and then "l" key + entering "pone" to filter out only poneytelecom connections. Thats how i came with these connections while netstat do not shows this IP connections. While iftop still shows this connection: 212-129-28-14.rev.poneytelecom.eu

Result of iptables -t raw -nvxL:

Sorry for late reply. Next time maybe just restart the service (or use cutter or equivalent) to sever current connection.