LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 02-14-2016, 02:11 PM   #1
postcd
Member
 
Registered: Oct 2013
Posts: 527

Rep: Reputation: Disabled
I detect poneytelecom connections using iftop, but how to block them?


I see the http connections using iftop linux tool:

Quote:
vps:http => 212-129-28-14.rev.poneytelecom.eu:49265 0b 0b 0b
<= 208b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:38081 0b 0b 0b
<= 0b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:33793 0b 0b 0b
<= 208b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:25905 0b 0b 0b
<= 208b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:61101 0b 0b 0b
<= 208b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:56018 0b 0b 0b
<= 208b 104b 104b
vps:http => 212-129-28-14.rev.poneytelecom.eu:34651 .......
I checked my httpd log folder and found no connections by that IP:
grep -Ril "212.129.28.14|14.28.129.212" /var/zpanel/logs/domains/admin/

I'm seeing these connections even though I added the 212.129.28.14,14.28.129.212 IPs into /etc/hosts.deny, which is confusing me, so I'm asking for help: what is wrong and how do I block it properly? I was looking up whether I can block it in iptables according to a hostname partial match, but no luck.
 
Old 02-14-2016, 05:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by postcd View Post
I see the http connections using iftop linux tool
Next time please use 'netstat -antpe;' or 'lsof -ni;' instead, or ensure your tool of choice doesn't use name or service resolving.


Quote:
Originally Posted by postcd View Post
I checked my httpd log folder and found no connections by that IP:
grep -Ril "212.129.28.14|14.28.129.212" /var/zpanel/logs/domains/admin/
Next time use 'dig -t A 212-129-28-14.rev.poneytelecom.eu;' to resolve the host name back to the IP address if unsure. Run 'grep '212.129.28.14' -r /var/zpanel/logs /var/log;'. May not work if it's a temporary connection. Check the web server's status pages (if enabled) to see what resources are requested (if any).


Quote:
Originally Posted by postcd View Post
I'm seeing these connections even though I added the 212.129.28.14,14.28.129.212 IPs into /etc/hosts.deny, which is confusing me
Please refrain from using tcp_wrappers: use the firewall (and/or fail2ban), an application level firewall (mod_security) and application-specific blocking methods instead.


Quote:
Originally Posted by postcd View Post
asking for help: what is wrong and how do I block it properly? I was looking up whether I can block it in iptables according to a hostname partial match, but no luck.
Don't use host names, period. Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.
 
1 members found this post helpful.
Old 02-15-2016, 07:29 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,965

Rep: Reputation: 3622
I'd have added that domain to hosts file. Not host.deny.
 
Old 02-16-2016, 01:35 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jefro View Post
I'd have added that domain to hosts file. Not host.deny.
Still the order AFAIK should be: firewall, application level firewall, any other application-specific blocking methods. The firewall is meant to deal with this kind of ACL w/o requiring any traffic to be passed to / judged by an application. This offers the best performance, configurability and safety.
 
Old 02-16-2016, 01:49 PM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
i don't think 212.129.28.14 necessarily is the ip of "212-129-28-14.rev.poneytelecom.eu".
 
1 members found this post helpful.
Old 02-16-2016, 04:42 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ondoho View Post
i don't think 212.129.28.14 necessarily is the ip of "212-129-28-14.rev.poneytelecom.eu".
Explain in detail (meaning any tool output) how you arrived at that conclusion?
 
Old 02-17-2016, 12:12 PM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by unSpawn View Post
Explain in detail (meaning any tool output) how you arrived at that conclusion?
afaiu, 212-129-28-14.rev.poneytelecom.eu is a (sub)domain name, not an ip address.
i know it is customary for e.g. isp providers to name subdomains according to ip addresses provided (i remember this was the case with my mobile broadband connection, but not exactly sure whether i'm phrasing this right), so it is likely that the IP mentioned is indeed connected to that domain, but as far as i can see anybody could name a subdomain of their domain "212-129-28-14", even if it is not at the IP address 212.129.28.14.
i hope i have made myself clear and haven't misused any terminology.
does this help you?
 
1 members found this post helpful.
Old 02-17-2016, 01:15 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ondoho View Post
does this help you?
Yes. In return all I have to say you could have spared yourself the effort by just resolving the host name...
 
Old 02-17-2016, 01:22 PM   #9
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by unSpawn View Post
Yes. In return all I have to say you could have spared yourself the effort by just resolving the host name...
oh, there's no effort in communicating with fellow 'nuxers!
anyhow, it was my intention from the beginning to point out that the name of the subdomain has nothing to do with the IP per se, and one could use that deliberately to obfuscate one's intentions.
but just out of curiosity, how would you have spared yourself the effort?
 
Old 02-18-2016, 11:53 AM   #10
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
unSpawn: thx, I will try to remember to use lsof and netstat more, and to block in the firewall first.

Not sure how it comes that poneytelecom connections are in iftop, but not in the netstat or lsof you advised.

Quote:
Originally Posted by unSpawn View Post
Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.
I tried to execute this, but "iptables -L" shows no added rules.
 
Old 02-21-2016, 05:18 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ondoho View Post
anyhow, it was my intention from the beginning to point out that the name of the subdomain has nothing to do with the IP per se, and one could use that deliberately to obfuscate one's intentions.
I do get your point about obfuscation. It's certainly something to keep in mind (just like I always warn people not to blindly trust a process's argv[0] and to always use "-n" if tools offer it), but it's not one of the pitfalls of analysing production environment network traffic that I've experienced over the years (or maybe I'm just lucky I rarely have to deal with advanced threats).


Quote:
Originally Posted by ondoho View Post
but just out of curiosity, how would you have spared yourself the effort?
For me it's not a question of "how I would": it's one of my common practices. The reason for using "-n" should be clear: it's fast, as no protocol or domain name resolution is needed, plus it avoids the operator having to interpret output. Next to that I require uninterpreted output for further processing. Anyway, since about any relevant tool provides such switches (ps, lsof, iptables, netstat, tcpdump etc., etc.) it simply boils down to training the right muscle reflexes or using aliases...
 
Old 02-21-2016, 05:23 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by postcd View Post
Not sure how it comes that poneytelecom connections are in iftop, but not in the netstat or lsof you advised.
What did you look for and how (revisit your shell history if these connections aren't there currently)?


Quote:
Originally Posted by postcd View Post
Use '/sbin/iptables -t raw -I PREROUTING 1 -s 212.129.0.0/18 -j DROP; /sbin/iptables -t raw -I OUTPUT 1 -d 212.129.0.0/18 -j DROP;' to block this whole (AS 12876) subnet.
I tried to execute this, but "iptables -L" shows no added rules.
First of all please use 'iptables-save|grep '212.129.0.0/18';' to check, or 'iptables -nL|grep '212.129.0.0/18';', or more precisely in this case: 'iptables -t raw -nvxL|grep '212.129.0.0/18';', and be aware of any warnings on stderr when executing iptables add / insert commands.
 
Old 02-23-2016, 09:07 AM   #13
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
What did you look for and how (revisit your shell history if these connections aren't there currently)?
I did iftop and then the "l" key + entering "pone" to filter out only poneytelecom connections. That's how I came up with these connections, while netstat does not show this IP's connections. iftop still shows this connection: 212-129-28-14.rev.poneytelecom.eu

Quote:
Originally Posted by unSpawn View Post
First of all please use ... 'iptables -t raw -nvxL|grep '212.129.0.0/18';', and be aware of any warnings on stderr when executing iptables add / insert commands.
Result of iptables -t raw -nvxL:

Quote:
# iptables -t raw -nvxL
Chain PREROUTING (policy ACCEPT 87 packets, 23127 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     112       5664 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
 1128699   57187592 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      24       1216 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      99       5024 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 104 packets, 70761 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18

Last edited by postcd; 02-23-2016 at 09:09 AM.
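Added example (not from any poster in this thread): a small sh script that reads a raw-table listing like the one pasted above and counts the DROP rules matching the subnet per chain, which makes the stacked duplicates from running `iptables -I` several times visible, and sums the packets they have dropped. The `ensure_drop` helper is a hypothetical idempotent variant of unSpawn's command that checks with `iptables -C` before inserting; it needs root and a real iptables, the parsing functions only need awk and the constructed sample below.

```shell
# Constructed sample: the "iptables -t raw -nvxL" output from post #13.
SAMPLE_RAW_LISTING='Chain PREROUTING (policy ACCEPT 87 packets, 23127 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     112       5664 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
 1128699   57187592 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      24       1216 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0
      99       5024 DROP       all  --  *      *       212.129.0.0/18       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 104 packets, 70761 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18
       0          0 DROP       all  --  *      *       0.0.0.0/0            212.129.0.0/18'

# count_drop_rules CHAIN CIDR: number of DROP rules in CHAIN whose source or
# destination column equals CIDR. Listing is read from stdin. A result above 1
# means the same rule was inserted repeatedly.
count_drop_rules() {
    awk -v chain="$1" -v cidr="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DROP" && ($8 == cidr || $9 == cidr) { n++ }
        END { print n + 0 }'
}

# dropped_packets CHAIN CIDR: total pkts counter over those rules (stdin).
dropped_packets() {
    awk -v chain="$1" -v cidr="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "DROP" && ($8 == cidr || $9 == cidr) { p += $1 }
        END { print p + 0 }'
}

# ensure_drop CHAIN CIDR (hypothetical helper, needs root): insert the DROP rule
# at position 1 of the raw table only when "iptables -C" says it is not there
# yet, so re-running the block command does not stack duplicate rules.
ensure_drop() {
    chain="$1"; cidr="$2"; dir="-s"
    [ "$chain" = "OUTPUT" ] && dir="-d"
    iptables -t raw -C "$chain" "$dir" "$cidr" -j DROP 2>/dev/null \
        || iptables -t raw -I "$chain" 1 "$dir" "$cidr" -j DROP
}

# Example run on the constructed sample: reports 4 duplicate rules in PREROUTING.
printf '%s\n' "$SAMPLE_RAW_LISTING" | count_drop_rules PREROUTING 212.129.0.0/18
```

On a live box replace the sample with `iptables -t raw -nvxL | count_drop_rules PREROUTING 212.129.0.0/18`.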
 
Old 03-02-2016, 04:12 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Sorry for late reply. Next time maybe just restart the service (or use cutter or equivalent) to sever current connection.
 