# Looking for secret connections
APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed


© May 2019 Anthony Lawrence

I woke up too early the other morning and could not get back to sleep. I gave up, got up, and wandered blearily to my office. I turned on my computer and left it while I made myself some breakfast. Finishing that, I opened up Chrome and was about to go to email when I paused. Nothing was happening on my computer, but lights were flashing now and then on the router, so I logged into it to see what traffic was passing through it.

[Screenshot: Nothing unusual to see here]

As it turned out, not much of anything. Because I use Chrome, there were a surprising number of outgoing connections to Google, plus a few to things like Dropbox and other services that I recognized, but nothing suspicious. If there is any malware on my computer, it certainly wasn't active at that time.

Of course most of the time there is much more going on. The Active Connections list might fill several pages. It could be hard to pick out possibly "bad" connections from all the noise. There are some things to look for, though.

You may have noticed that I added "Destination Port" to the visible columns. Looking for unusual ports is one easy check. Most legitimate connections are to the so-called "well-known" ports and most of those today are likely to be http or https. Mix in a few email connections and that's probably 99% of your outbound connections.

Looking for common ports that shouldn't be used by certain machines is another - for example, a printer/copier probably shouldn't be making an HTTPS connection. Inbound connections are also something to look at carefully - you know (or should know) which machines accept inbound traffic; anything else is definitely suspect.

You should have traffic rules that block unexpected traffic - for example, nothing but your mailserver(s) should be allowed to make outbound connections on SMTP ports.

You may also want to turn on the Rx and Tx columns. Seeing high byte counts there might be another indication of suspicious activity. Of course this might just be a legitimate download like a software update. A high number of Tx bytes (data sent out from the machine) might be more suspicious.
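The checks above (unusual destination ports, devices using ports they have no business with, unexpected inbound connections, non-mail hosts on SMTP ports, and large Tx counts) can be scripted against an export of the router's connection table. The following is an added example, not code from the original post or from any router vendor; the CSV layout, host names and policy sets are assumptions you would adapt to your own network, and the device-profile check generalizes the printer/HTTPS case to any device type with a known set of needed ports.

```python
import csv
import io

# Constructed sample export of a router's "Active Connections" table
# (not real traffic; columns chosen to match the checks described above).
# For outbound rows, port is the remote destination port; for inbound rows
# it is the local port being connected to. tx_bytes = bytes sent by local_host.
SAMPLE_CONNECTIONS = """direction,local_host,remote_ip,port,rx_bytes,tx_bytes
out,laptop,192.0.2.46,443,1200000,90000
out,laptop,192.0.2.71,443,30000,1500000000
out,mailserver,203.0.113.25,25,4000,12000
out,laptop,203.0.113.25,25,200,3000
out,printer,198.51.100.7,443,2000,900000
out,laptop,198.51.100.9,6667,500,800
in,nas,203.0.113.99,22,100,100
in,laptop,203.0.113.50,22,0,50
"""

# Policy inputs: assumptions for this example, adjust to your own network.
WELL_KNOWN_OUTBOUND = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}
SMTP_PORTS = {25, 465, 587}
MAIL_SERVERS = {"mailserver"}              # only these may use SMTP ports
ALLOWED_INBOUND_HOSTS = {"nas"}            # machines expected to accept inbound traffic
DEVICE_PROFILES = {"printer": {53, 123}}   # outbound ports a device type should ever need
HIGH_TX_BYTES = 100_000_000                # a large upload deserves a second look

def find_suspicious(csv_text):
    """Return (local_host, reason) findings for an active-connections export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, port, tx = row["local_host"], int(row["port"]), int(row["tx_bytes"])
        if row["direction"] == "in":
            # Inbound: only hosts meant to serve traffic should ever appear here.
            if host not in ALLOWED_INBOUND_HOSTS:
                findings.append((host, f"unexpected inbound connection on port {port}"))
            continue
        if port not in WELL_KNOWN_OUTBOUND:
            findings.append((host, f"outbound to unusual port {port}"))
        if port in SMTP_PORTS and host not in MAIL_SERVERS:
            findings.append((host, f"non-mail host using SMTP port {port}"))
        if host in DEVICE_PROFILES and port not in DEVICE_PROFILES[host]:
            findings.append((host, f"{host} should not need outbound port {port}"))
        if tx > HIGH_TX_BYTES:
            findings.append((host, f"high outbound byte count ({tx} Tx bytes)"))
    return findings

if __name__ == "__main__":
    for host, reason in find_suspicious(SAMPLE_CONNECTIONS):
        print(f"{host}: {reason}")
```

Running it on the constructed sample flags five rows; the mail server's SMTP session and the NAS's inbound SSH pass because they match the policy.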

Looking at these connections from time to time can help you learn what is normal and expected. Another place worth looking is the WAN traffic chart. Unusual peaks of traffic at unexpected times may alert you to unauthorized behavior.

[Screenshot: Traffic peaks on the WAN traffic chart]

In the case shown here, that was just me upgrading my Mac OS software, but seeing that burst otherwise would have caused me to launch a serious investigation.
