Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Amazing Akamai Issue have a really smart technology to jump firewall restriction. I have make a white list for may firewall it mean nothing get out. This solution stop Akamai for some days, but now it is connected again jumping the firewall white list. Akamai install a new process server on my computer and send info to Akamai server using different ip to my computer assigned ip to jump firewall. Akamai Issue have a proved advanced technologies to jump firewall.
I will try upload image proves
See what AS Number the IP address is in and black list the, in this case 2 C class, networks? Note black listing whole ASN's may prevent other sites or applications using .deploy.akamaitechnologies.com from working properly so maybe white listing allowed addresses may be more efficient and less restrictive. Blocking AS Numbers here doesn't automagically mean blocking in the firewall (and if you do don't put it in the filter table INPUT chain as matveev.se suggests but use an OUTPUT chain NEW state filter as it's your machine that requests the connection) but it probably could be done way more efficient using a persistent-caching local name server like Pdnsd, again because it's your machine that has to resolve the host name before making any requests. As this isn't a Linux Security question I'll move this thread to the Linux Networking forum.
Akamai servers are also used by faceboock, gnome-pannel and a lot of other common used app. Clouds services tend to be confused with intrusions often, for example my gnome-pannel try to use akamai clouds to get weather info. Also I have verify, a normal behavior in clouds is asap as it receive a request, try to find open ports in host, reverse dns.
It works at this way:
gnome-panel weather software or other akamai based softwares try connect to clouds jumping firewall if possible asap as connection to Internet detected on system. Then cloud akamai services detect host requests, call dns-rollback and begin try open connection from akamai to host searching open ports in ranges not commonly used 452620 … 452670 for example. This is a normal pattern in cloud services, I have see the same in other cloud services. But this patter is the same as a Trojan intrusion.
In my case I don't care what they see or monitor, but slow down the Internet speed with unrequested connections.
---------- Post added 08-10-12 at 06:46 PM ----------
For example one of there gnome-panel weather software:
Instead of posting that kind of explanation of things (Akamai first and foremost is known for CDN and not "cloud akamai services" and I've never heard of "dns-rollback") and ASCII representations of traffic (nobody who analyzes pcaps reads it in this way) please host a packet capture we can download that supports what you say. If you need to obfuscate your machines public IP address see tcprewrite.
sorry for my explanations, it is not dns-rollback is some type of web usually called dns-reverse or some similar I do not remember the exact name. I think clouds can use this to select most near and fast speed available to customer PC.
Before you talk about firewall circumvention, comparing Content Delivery Network traffic with "Trojan intrusions" or misinterpreting what CDN does as "unrequested connections", maybe you should first find out how a Content Delivery Network actually works?..
Blocking (groups of) addresses from being resolved, persistently caching DNS queries, limiting the maximum amount of new outbound connections, limiting the maximum amount of connections per class network, lowering network related sysctls and caching page contents may help.
Quote:
Originally Posted by expcodersrrg
using a firewall to block
I already answered that.
Quote:
Originally Posted by expcodersrrg
undesired software apps.
If you think applications are "undesired" then simply don't run them.
But for example i will like to use the gnome-panel time but it not have config to disallow get weather info.
The solution provided remove entirely akamai but as a CDN it could be useful, that is the reason a firewall per application could be better.
For example I will like use youtube from firefox, but not allow other softwares to connect (like unknown process displayed in images attached).
But for example i will like to use the gnome-panel time but it not have config to disallow get weather info.
Ah, finally a specific question. Running something like 'gconftool-2 --makefile-uninstall-rule /etc/gconf/schemas/gweather.schemas' should remove any GNOME panel weather applet information (else see your gconftool-2 mnual pages). If that's too much, or if it causes errors, unset or change individual /schemas/apps/gweather/prefs/ settings like auto_update, enable_radar_map, location*, coordinates, use_custom_radar_url and radar.
Quote:
Originally Posted by expcodersrrg
a firewall per application could be better. (..) For example I will like use youtube from firefox, but not allow other softwares to connect
Program Guardwas an application level firewall for GNU/Linux as were FireFlier and TuxGuardian. They've all gone. The only remaining one AFAIK is LeopardFlower. I won't comment on them (apart from taking obsolescence as an indication of lack of actual use) and I've never needed to use them. Maybe they work for you.
All the Ubuntu gnome-panel users have the clock be default and use weather services. Let suppose 2 million peoples uses Ubuntu with gnome-panel in the entire word right now. Every time a single user is connected gnome-panel weather send request to CDN and paid a small fraction of cost for CDN services. Let suppose that one user in an entire year using gnome-panel weather services request to CDN cost only 1$.
2 million users X 1$ per year = 2 million dollars of costs per year.
…..????
gnome-panel clock waste 2 million dollars per year at minimum paying to Akamai CDN.
We should really thanks the service free for us.
Ummmm.... It sound logic, I will do the same if one day have 2 millions dollars.
CDN and other Clouds based services are often used in all the places I guess at least 90 % of Internet user access every day one or two of the main providers.
Solution:
Store user IP, user-dns, time and session information of facebook, weather services, gmail, yahoo, hotmail, … and any other services that uses Clouds. This will provide a digital identity for one person.
Handle huge volume of data will be important, and some optimizations will be useful.
Use case, how monitor a single user (concrete example):
Suppose Ronald login on facebook, Akamai CDN will store:
Ronald digital ID, stored on Cloud:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
IP: 152.10.27.175
user-dns: var15.ppp9.ispprovider.es
time: 11/27/2012 15:03:25
facebook session id: jhfs3fd345dfsdf9898948rf767udst73shf74wr8
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now is important know the same user continue online with the same session at least.
So we should made a trick and with small frequency verify session id and update digital ID.
Trick solutions:
1) Leave a thread on browser requesting service to akamai or cloud posting session ID.
2) In client software app(chat messengers) is more easy, just send periodically session data.
Now we can know about Roland user:
Start connection day 11/27/2012 15:03:25 with IP 152.10.27.175 and remains online 2 hours. One day latter get connected again 11/28/2012 11:22:20 with IP 12.107.27.17.
But we have more about Roland: Facebook name, email address, other facebook and emails and accounts used, ….
Suppose Roland is a bad person and we have rights to track it, as soon we detect it is online we can now request to Roland ISP capture all info.
You can post "solutions" all you want (though I'd rather see you use your LQ web log for posts like these) but I'm still unsure what problem you're trying to (or being asked to?) solve.
In my case the only problem is connection speed down, because a lot of softwares app, try connect hidden, and if possible jump firewall, .. to access CDN Clouds like akamai. The solution in this case is use a firewall per application to avoid an unknown app get connected.
In my case I don't care what others see, I can post my desktop Image you will see now weather services working with genome-panel.
But for example you are from Spain, are you fine knowing other country or private organization can be right now monitor all your citizen activity for unknown objectives?
I do not said this is some bad, It could be used for good objectives like propose make.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
