Looking for secret connections


Some material is very old and may be incorrect today

© December 2015 Anthony Lawrence

I woke up too early the other morning and could not get back to sleep. I gave up, got up, and wandered blearily to my office. I turned on my computer and left it while I made myself some breakfast. Finishing that, I opened up Chrome and was about to go to email when I paused. Nothing was happening on my computer, but lights were flashing now and then on the router, so I logged into it to see what traffic was passing through it.

Nothing unusual to see here

As it turned out, not much of anything. Because I use Chrome there was a surprising number of outgoing connections to Google, plus a few others to services like Dropbox that I recognized, but nothing suspicious. If there is any malware on my computer, it certainly wasn't active at that time.

Of course most of the time there is much more going on. The Active Connections list might fill several pages. It could be hard to pick out possibly "bad" connections from all the noise. There are some things to look for, though.

You may have noticed that I added "Destination Port" to the visible columns. Looking for unusual ports is one easy check. Most legitimate connections are to the so-called "well-known" ports and most of those today are likely to be http or https. Mix in a few email connections and that's probably 99% of your outbound connections.

Looking for common ports that shouldn't be used by certain machines is another check - for example, a printer/copier probably shouldn't be making an HTTPS connection. Inbound connections are also something to look at carefully - you know (or should know) which machines accept inbound traffic; anything else is definitely suspect.

You should have traffic rules that block unexpected traffic - for example, nothing but your mailserver(s) should be allowed to make outbound connections on SMTP ports.

You may also want to turn on the Rx and Tx columns. Seeing high byte counts there might be another indication of suspicious activity. Of course this might just be a legitimate download like a software update. A high number of Tx (uploaded) bytes is more suspicious, since a machine that sends a lot of data out of your network deserves an explanation.

Looking at these connections from time to time can help you learn what is normal and expected. Another place worth looking is the WAN traffic chart. Unusual peaks of traffic at unexpected times may alert you to unauthorized behavior.
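The checks described above, applied to a constructed active-connections list of the kind a firewall such as Kerio Control exports. This is an added example, not code from the original post; the host roles, the inbound host list, the upload threshold and the sample rows are all assumptions made up for illustration.

```python
# Added example (not from the original post): apply the port, role, inbound
# and Tx-volume checks to a constructed list of active connections.
from collections import namedtuple

Conn = namedtuple("Conn", "src dst dport direction rx_bytes tx_bytes")

# Ports most legitimate outbound traffic uses (web, mail, DNS).
WELL_KNOWN = {53, 80, 443, 25, 465, 587, 110, 143, 993, 995}
SMTP_PORTS = {25, 465, 587}
# Assumed inventory: which LAN hosts play which role.
ROLES = {"192.168.1.10": "mailserver", "192.168.1.20": "printer",
         "192.168.1.30": "workstation", "192.168.1.40": "workstation"}
ACCEPTS_INBOUND = {"192.168.1.10"}      # only the mail server is published
TX_LIMIT = 50 * 1024 * 1024             # assumed: 50 MB uploaded per session

def flag_connection(c):
    """Return the reasons one connection deserves a look (empty = normal)."""
    reasons = []
    if c.direction == "out":
        if c.dport not in WELL_KNOWN:
            reasons.append(f"unusual destination port {c.dport}")
        if c.dport in SMTP_PORTS and ROLES.get(c.src) != "mailserver":
            reasons.append("outbound SMTP from a non-mail host")
        if ROLES.get(c.src) == "printer" and c.dport == 443:
            reasons.append("printer making an HTTPS connection")
        if c.tx_bytes > TX_LIMIT:
            reasons.append(f"high upload volume ({c.tx_bytes // 2**20} MB)")
    elif c.dst not in ACCEPTS_INBOUND:
        reasons.append("inbound connection to a host that should not accept any")
    return reasons

def review(conns):
    """Map each suspicious connection ('src->dst:port') to its reasons."""
    findings = {}
    for c in conns:
        reasons = flag_connection(c)
        if reasons:
            findings[f"{c.src}->{c.dst}:{c.dport}"] = reasons
    return findings

# Constructed sample rows (documentation IP ranges): one normal, four suspect.
SAMPLE = [
    Conn("192.168.1.30", "192.0.2.10", 443, "out", 120_000, 8_000),
    Conn("192.168.1.30", "203.0.113.7", 6667, "out", 2_000, 1_500),
    Conn("192.168.1.40", "198.51.100.9", 25, "out", 500, 40_000),
    Conn("192.168.1.20", "203.0.113.55", 443, "out", 3_000, 90_000_000),
    Conn("198.51.100.200", "192.168.1.40", 3389, "in", 1_000, 1_000),
]

if __name__ == "__main__":
    for key, reasons in review(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```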

Traffic peaks

In the case shown here, that was just me upgrading my Mac OS software, but seeing that burst otherwise would have caused me to launch a serious investigation.

