I detect poneytelecom connections using iftop, but how to block them?
I checked my httpd log folder and found no connections by that IP:
grep -RilE "212.129.28.14|14.28.129.212" /var/zpanel/logs/domains/admin/
I'm seeing these connections even though I added the 212.129.28.14 and 14.28.129.212 IPs to /etc/hosts.deny, which is confusing me. Asking for help: what is wrong and how do I block it properly? I was looking into whether I can block it in iptables according to a hostname partial match, but no luck.
Next time please use 'netstat -antpe;' or 'lsof -ni;' instead, or ensure your tool of choice doesn't use name or service resolving.
Quote:
Originally Posted by postcd
I checked my httpd log folder and found no connections by that IP:
grep -RilE "212.129.28.14|14.28.129.212" /var/zpanel/logs/domains/admin/
Next time use 'dig -t A 212-129-28-14.rev.poneytelecom.eu;' to resolve the host name back to the IP address if unsure. Run 'grep '212.129.28.14' -r /var/zpanel/logs /var/log;'. May not work if temporary connection. Check web servers status pages (if enabled) to see what resources are requested (if any).
Quote:
Originally Posted by postcd
I'm seeing these connections even though I added the 212.129.28.14 and 14.28.129.212 IPs to /etc/hosts.deny, which is confusing me
Please refrain from using tcp_wrappers: use firewall (and or fail2ban), application level firewall (mod_security) and application-specific blocking methods instead.
Quote:
Originally Posted by postcd
asking for help: what is wrong and how do I block it properly? I was looking into whether I can block it in iptables according to a hostname partial match, but no luck.
Don't use host names, period. Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.
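The two checks unSpawn describes (resolve the name back to an address, then block by address range) as a small script. This is an added example, not code from the thread: it extracts the address that a provider-style reverse name claims to encode, forward-resolves the name with dig to see whether the claim holds, and tests that address against the /18 with plain shell arithmetic before any iptables rule is built. The script name and the dig confirmation step are my additions; the embedded address is only a claim made by whoever controls that DNS zone.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a reverse-DNS name such as
# 212-129-28-14.rev.poneytelecom.eu into the address it claims to encode, and
# checks that address against a CIDR before a DROP rule for the CIDR is used.
# The embedded address is only a claim by whoever controls that zone; the main
# section confirms it with 'dig -t A <name>' (assumed to be installed).
set -eu

# ip_to_int 212.129.28.14 -> 3565231118 (unsigned 32-bit value)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IPv4 address" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR, 1 otherwise.
# A bare address as the second argument is treated as a /32.
ip_in_cidr() {
    cidr=$2
    case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac
    bits=${cidr#*/}
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${cidr%/*}")
    # shell arithmetic is at least 64-bit, so the shift cannot overflow
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# rdns_embedded_ip NAME -> the dotted address encoded in the first label of a
# provider-style reverse name ("212-129-28-14.rev..." -> 212.129.28.14).
rdns_embedded_ip() {
    echo "${1%%.*}" | tr '-' '.'
}

# Usage: ./check_block.sh NAME CIDR
#   ./check_block.sh 212-129-28-14.rev.poneytelecom.eu 212.129.0.0/18
if [ $# -eq 2 ]; then
    name=$1; cidr=$2
    claimed=$(rdns_embedded_ip "$name")
    # forward-resolve the name; an empty answer or a different address means
    # the name does not vouch for the address it is built from
    resolved=$(dig +short -t A "$name" | head -n 1)
    if [ "$resolved" != "$claimed" ]; then
        echo "$name claims $claimed but resolves to '${resolved:-nothing}'" >&2
        exit 2
    fi
    if ip_in_cidr "$claimed" "$cidr"; then
        echo "$claimed is inside $cidr; rule: iptables -t raw -I PREROUTING 1 -s $cidr -j DROP"
    else
        echo "$claimed is NOT inside $cidr; a rule for $cidr would not block it" >&2
        exit 1
    fi
fi
```

Run with the name from iftop and the range from the advice above; exit status 2 means the name and the address disagree (the obfuscation case discussed later in the thread), 1 means the range you were about to block would not cover the address at all.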
I'd have added that domain to the hosts file, not hosts.deny.
Still the order AFAIK should be: firewall, application level firewall, any other application-specific blocking methods. The firewall is meant to deal with this kind of ACL w/o requiring any traffic to be passed to / judged by an application. This offers the best performance, configurability and safety.
Explain in detail (meaning any tool output) how you arrived at that conclusion?
afaiu, 212-129-28-14.rev.poneytelecom.eu is a (sub)domain name, not an ip address.
i know it is customary for e.g. isp providers to name subdomains according to ip addresses provided (i remember this was the case with my mobile broadband connection, but not exactly sure whether i'm phrasing this right), so it is likely that the IP mentioned is indeed connected to that domain, but as far as i can see anybody could name a subdomain of their domain "212-129-28-14", even if it is not at the IP address 212.129.28.14.
i hope i have made myself clear and haven't misused any terminology.
does this help you?
Yes. In return all I have to say is that you could have spared yourself the effort by just resolving the host name...
oh, there's no effort in communicating with fellow 'nuxers!
anyhow, it was my intention from the beginning to point out that the name of the subdomain has nothing to do with the IP per se, and one could use that deliberately to obfuscate one's intentions.
but just out of curiosity, how would you have spared yourself the effort?
Quote:
Originally Posted by ondoho
anyhow, it was my intention from the beginning to point out that the name of the subdomain has nothing to do with the IP per se, and one could use that deliberately to obfuscate one's intentions.
I do get your point about obfuscation. It's certainly something to keep in mind (just like I always warn people not to blindly trust a processes argv[0] and always use "-n" if tools offer it) but it's not one of the pitfalls analysing Production environment network traffic as I've experienced over the years (or maybe I'm just lucky I rarely have to deal with advanced threats).
Quote:
Originally Posted by ondoho
but just out of curiosity, how would you have spared yourself the effort?
For me it's not a question of "how I would": it's one of my common practices. The reason for using "-n" should be clear: it's fast as no protocol or domain name resolution is needed plus it avoids the operator having to interpret output. Next to that I require uninterpreted output for further processing. Anyway, since about any relevant tool provides such switches (ps, lsof, iptables, netstat, tcpdump etc, etc) it simply boils down to training the right muscle reflexes or using aliases...
Not sure how it comes that poneytelecom connections are in iftop, but not in your advised netstat or lsof.
What did you look for and how (revisit your shell history if these connections aren't there currently)?
Quote:
Originally Posted by postcd
Code:
Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.
I tried to execute this, but "iptables -L" shows no added rules.
First of all please use 'iptables-save|grep '212.129.0.0/18';' to check, or 'iptables -nL|grep '212.129.0.0/18';', or more precisely in this case 'iptables -t raw -nvxL|grep '212.129.0.0/18';', and be aware of any warnings on stderr when executing iptables add / insert commands.
Quote:
Originally Posted by unSpawn
What did you look for and how (revisit your shell history if these connections aren't there currently)?
I did iftop and then the "l" key + entering "pone" to filter out only poneytelecom connections. That's how I came up with these connections, while netstat does not show connections from this IP. iftop still shows this connection: 212-129-28-14.rev.poneytelecom.eu
Quote:
Originally Posted by unSpawn
First of all please use ... 'iptables -t raw -nvxL|grep '212.129.0.0/18';' and be aware of any warnings on stderr when executing iptables add / insert commands.
Result of iptables -t raw -nvxL:
Quote:
# iptables -t raw -nvxL
Chain PREROUTING (policy ACCEPT 87 packets, 23127 bytes)
pkts bytes target prot opt in out source destination
112 5664 DROP all -- * * 212.129.0.0/18 0.0.0.0/0
1128699 57187592 DROP all -- * * 212.129.0.0/18 0.0.0.0/0
24 1216 DROP all -- * * 212.129.0.0/18 0.0.0.0/0
99 5024 DROP all -- * * 212.129.0.0/18 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 104 packets, 70761 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 212.129.0.0/18
0 0 DROP all -- * * 0.0.0.0/0 212.129.0.0/18
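The listing above shows two things worth checking for: a plain 'iptables -L' lists only the filter table, so rules added with '-t raw' never appear there, and each repeated 'iptables -I ... 1' inserts a fresh copy, which is why PREROUTING now carries four identical DROP rules. The following added script (mine, not from the thread) parses 'iptables -t raw -nvxL' output, reports rules that occur more than once in a chain together with their combined packet counts, and shows an idempotent way to add the rules using '-C' so re-running the command cannot duplicate them. The sample listing embedded in it is a constructed copy of the output posted above; the script name and the 'check'/'sample'/'block' sub-commands are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads 'iptables -t raw -nvxL'
# output and reports rules that occur more than once in a chain, which is what
# repeatedly running 'iptables -I ... 1' produces. block_cidr() then shows the
# idempotent way to add the rules: check with -C and only insert when missing.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}

# Constructed sample: a copy of the listing posted in the thread.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 87 packets, 23127 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     112       5664 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
 1128699   57187592 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      24       1216 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      99       5024 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 104 packets, 70761 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18'

# dup_rules < LISTING
# Prints "CHAIN TARGET SOURCE DESTINATION COPIES TOTAL_PKTS" for every rule
# that appears more than once in its chain, sorted by chain name.
dup_rules() {
    awk '
        /^Chain /      { chain = $2; next }   # chain header line
        $1 == "pkts"   { next }               # column header line
        NF >= 9 {
            key = chain " " $3 " " $8 " " $9  # target, source, destination
            copies[key]++
            pkts[key] += $1
        }
        END {
            for (k in copies)
                if (copies[k] > 1) print k, copies[k], pkts[k]
        }' | sort
}

# block_cidr CIDR: insert the two raw-table DROP rules unless already present.
# 'iptables -C' exits 0 when an identical rule exists, so re-running is harmless.
block_cidr() {
    cidr=$1
    for spec in "PREROUTING -s" "OUTPUT -d"; do
        set -- $spec "$cidr"        # chain, match flag, address
        if ! "$IPTABLES" -t raw -C "$1" "$2" "$3" -j DROP 2>/dev/null; then
            "$IPTABLES" -t raw -I "$1" 1 "$2" "$3" -j DROP
        fi
    done
}

# Usage:
#   ./raw_rules.sh sample            # run the duplicate report on the sample
#   ./raw_rules.sh check             # run it on the live raw table (needs root)
#   ./raw_rules.sh block 212.129.0.0/18
case ${1:-} in
    sample) printf '%s\n' "$SAMPLE_LISTING" | dup_rules ;;
    check)  "$IPTABLES" -t raw -nvxL | dup_rules ;;
    block)  block_cidr "${2:?usage: block CIDR}" ;;
esac
```

On the sample the report lists the PREROUTING rule with 4 copies and 1128934 dropped packets in total and the OUTPUT rule with 2 copies; the extra copies can be removed with 'iptables -t raw -D PREROUTING -s 212.129.0.0/18 -j DROP' once per surplus copy, after which block_cidr keeps the table at one rule per direction.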