Now that I have cleared up the noise from the multicast traffic originating from my router, I am seeing connection attempts being blocked from a selection of IPs. All the attempts are coming from port 443 and going to high destination ports on my side. The majority of the connections are coming from IPs owned by Google or Google Cloud, but some are coming from Virgin Media, who are my broadband provider.
Looking at port 443 it seems to be used for a number of protocols, some of them for nefarious purposes.
I'm assuming these are people running scanners / malware on Google Cloud machines. One thing that puzzles me: these are all hitting my main desktop. I have another box which is connected to the internet too, but it is not seeing any of these connection attempts, so are these caused by me surfing the net on my main desktop?
Thanks for any thoughts on this - just want to make sure I don't have an issue.
Enoch
I am a long way from expert in this subject but port 443 is used for https connections so it is probably that.
https://www.grc.com/port_443.htm
You should post your logs, somebody who actually knows what they're talking about (ie, not me) may be able to glean more from them.
Thanks for that. It's coming from port 443, but hitting high-numbered ports on my side, so it's not as if they're trying to connect to a secure web server on my end, and if I'd opened a connection to them, the connection would already be established; ufw (/iptables) is blocking the incoming connection. I'll extract some logs, sanitise them and post them shortly. It's not happening all the time, but seems to come through in batches.
Thanks!
OP: Any IP packet header contains a quadruplet of values: (source-ip, source-port, dst-ip, dst-port). TCP connections to your computer, may they carry HTTPS traffic or whatever, will show with a remote-ip and remote-port for the remote site and a local-ip and local-port for your computer, where local-port is a port from the range
$ sysctl net.ipv4.ip_local_port_range # also used by ipv6!
net.ipv4.ip_local_port_range = 32768 60999
Reading up some more, I have seen suggestions that these could be outbound https connections which have been dropped on the client side, but the server has still sent packets as it's not yet noticed that the client has gone away. Knowing a bit about TCP I can see this could happen, but it seems to be happening a lot. Of course, if I had a log of active https outbound connections from my box at the time of or just before the firewall blocks, I could work out if that was the case.
Sanitised log below. As I said, most of the IPs are showing as being owned by Google, but some are from my ISP Virgin Media, and I have seen some others cropping up.
Jan 20 09:16:03 hostname kernel: [160877.205600] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.10 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=33310 PROTO=TCP SPT=443 DPT=43964 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 09:16:03 hostname kernel: [160877.212899] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.10 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=33312 PROTO=TCP SPT=443 DPT=43964 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:10:38 hostname kernel: [164152.428988] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=69.187.26.87 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=31 ID=61795 DF PROTO=TCP SPT=443 DPT=38924 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 20 10:13:31 hostname kernel: [164325.159183] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.198.170 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=537 PROTO=TCP SPT=443 DPT=43556 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:34 hostname kernel: [164328.155597] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=54088 PROTO=TCP SPT=443 DPT=41842 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:34 hostname kernel: [164328.155986] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=54089 PROTO=TCP SPT=443 DPT=41842 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:34 hostname kernel: [164328.161297] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=54093 PROTO=TCP SPT=443 DPT=41842 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:35 hostname kernel: [164329.153613] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2202 PROTO=TCP SPT=443 DPT=50552 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:35 hostname kernel: [164329.153977] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2203 PROTO=TCP SPT=443 DPT=50552 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:13:35 hostname kernel: [164329.161259] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2209 PROTO=TCP SPT=443 DPT=50552 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:21:12 hostname kernel: [164786.287820] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=17171 PROTO=TCP SPT=443 DPT=50694 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:21:12 hostname kernel: [164786.289002] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=17173 PROTO=TCP SPT=443 DPT=50694 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:44:27 hostname kernel: [166180.860479] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=62.252.115.168 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=37686 PROTO=TCP SPT=443 DPT=41444 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:44:27 hostname kernel: [166180.860859] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=205.234.175.175 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=20510 PROTO=TCP SPT=443 DPT=39812 WINDOW=525 RES=0x00 ACK URGP=0
Jan 20 10:44:27 hostname kernel: [166180.861713] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=205.234.175.175 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=443 DPT=39812 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:44:27 hostname kernel: [166180.865411] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.46 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=24378 PROTO=TCP SPT=443 DPT=34050 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:04:52 hostname kernel: [167406.507787] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=24463 PROTO=TCP SPT=443 DPT=45692 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:05:48 hostname kernel: [167462.376647] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=42298 PROTO=TCP SPT=443 DPT=39130 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:05:48 hostname kernel: [167462.376986] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=42299 PROTO=TCP SPT=443 DPT=39130 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:05:48 hostname kernel: [167462.383996] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=42303 PROTO=TCP SPT=443 DPT=39130 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:06:30 hostname kernel: [167504.132735] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=62.252.115.178 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=54695 PROTO=TCP SPT=443 DPT=50752 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:06:30 hostname kernel: [167504.133845] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=11333 PROTO=TCP SPT=443 DPT=45848 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:06:30 hostname kernel: [167504.134810] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=11334 PROTO=TCP SPT=443 DPT=45848 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:06:30 hostname kernel: [167504.135285] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=11336 PROTO=TCP SPT=443 DPT=45848 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:07:09 hostname kernel: [167543.138327] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.208.166 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=24921 PROTO=TCP SPT=443 DPT=39866 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:35:59 hostname kernel: [169272.754143] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.66 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36569 PROTO=TCP SPT=443 DPT=44910 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:35:59 hostname kernel: [169272.760381] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.66 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=36571 PROTO=TCP SPT=443 DPT=44910 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:00 hostname kernel: [169273.747721] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.34 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=50518 PROTO=TCP SPT=443 DPT=41166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:00 hostname kernel: [169273.748071] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.34 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=50519 PROTO=TCP SPT=443 DPT=41166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:00 hostname kernel: [169273.749097] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.34 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=50521 PROTO=TCP SPT=443 DPT=41166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:24 hostname kernel: [169297.756237] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.106 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=14913 PROTO=TCP SPT=443 DPT=55268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:24 hostname kernel: [169297.761353] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.106 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=14919 PROTO=TCP SPT=443 DPT=55268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:26 hostname kernel: [169299.751146] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.66 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=19435 PROTO=TCP SPT=443 DPT=47268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:26 hostname kernel: [169299.752092] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.66 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=19436 PROTO=TCP SPT=443 DPT=47268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 11:36:26 hostname kernel: [169299.758549] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.66 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=19440 PROTO=TCP SPT=443 DPT=47268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 13:09:47 hostname kernel: [174900.919904] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=27264 PROTO=TCP SPT=443 DPT=40434 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 13:10:15 hostname kernel: [174928.909825] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=40629 PROTO=TCP SPT=443 DPT=33222 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 13:10:15 hostname kernel: [174928.915666] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=40632 PROTO=TCP SPT=443 DPT=33222 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:05 hostname kernel: [192017.239895] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.33 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=16928 PROTO=TCP SPT=443 DPT=36826 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:05 hostname kernel: [192017.245375] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.33 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=16932 PROTO=TCP SPT=443 DPT=36826 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:06 hostname kernel: [192018.232691] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.74 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=43579 PROTO=TCP SPT=443 DPT=49908 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:06 hostname kernel: [192018.233047] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.74 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=43580 PROTO=TCP SPT=443 DPT=49908 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:06 hostname kernel: [192018.235655] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.74 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=43582 PROTO=TCP SPT=443 DPT=49908 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:07 hostname kernel: [192019.241831] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=50373 PROTO=TCP SPT=443 DPT=33286 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:07 hostname kernel: [192019.242898] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=50374 PROTO=TCP SPT=443 DPT=33286 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:07 hostname kernel: [192019.250208] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.42 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=50380 PROTO=TCP SPT=443 DPT=33286 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:08 hostname kernel: [192020.240251] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.198.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=43583 PROTO=TCP SPT=443 DPT=35148 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:55:08 hostname kernel: [192020.240592] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.198.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=43584 PROTO=TCP SPT=443 DPT=35148 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:56:18 hostname kernel: [192090.540383] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.14 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45399 PROTO=TCP SPT=443 DPT=56676 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:56:42 hostname kernel: [192114.009164] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=62.253.72.157 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=54386 PROTO=TCP SPT=443 DPT=57058 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 17:56:45 hostname kernel: [192117.023282] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.210.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=36079 PROTO=TCP SPT=443 DPT=37168 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:34 hostname kernel: [192466.359788] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.2 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45157 PROTO=TCP SPT=443 DPT=42338 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:34 hostname kernel: [192466.362887] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.2 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45162 PROTO=TCP SPT=443 DPT=42338 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:35 hostname kernel: [192467.358979] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=38137 PROTO=TCP SPT=443 DPT=43764 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:35 hostname kernel: [192467.359341] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=38138 PROTO=TCP SPT=443 DPT=43764 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:35 hostname kernel: [192467.363275] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=38140 PROTO=TCP SPT=443 DPT=43764 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:45 hostname kernel: [192477.065734] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=11998 PROTO=TCP SPT=443 DPT=50752 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:45 hostname kernel: [192477.066094] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=11999 PROTO=TCP SPT=443 DPT=50752 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:02:45 hostname kernel: [192477.071663] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=12005 PROTO=TCP SPT=443 DPT=50752 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:21 hostname kernel: [192992.984193] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.30.54 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=51774 PROTO=TCP SPT=443 DPT=44268 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:22 hostname kernel: [192993.972285] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=33003 PROTO=TCP SPT=443 DPT=51166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:22 hostname kernel: [192993.972636] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=33004 PROTO=TCP SPT=443 DPT=51166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:22 hostname kernel: [192993.978567] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=33008 PROTO=TCP SPT=443 DPT=51166 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:27 hostname kernel: [192998.974698] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=64949 PROTO=TCP SPT=443 DPT=52706 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:27 hostname kernel: [192998.975662] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=64950 PROTO=TCP SPT=443 DPT=52706 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:11:27 hostname kernel: [192998.976186] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.78 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=64952 PROTO=TCP SPT=443 DPT=52706 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:14:01 hostname kernel: [193153.257650] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.214.14 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=22416 PROTO=TCP SPT=443 DPT=51754 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:14:13 hostname kernel: [193165.416340] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.14 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=14164 PROTO=TCP SPT=443 DPT=34666 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:14:13 hostname kernel: [193165.421864] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.14 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=14171 PROTO=TCP SPT=443 DPT=34666 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:14:31 hostname kernel: [193183.767878] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.46 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=934 PROTO=TCP SPT=443 DPT=52322 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:14:31 hostname kernel: [193183.769280] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.46 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=936 PROTO=TCP SPT=443 DPT=52322 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:15:26 hostname kernel: [193237.910340] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=62.252.115.178 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=7826 PROTO=TCP SPT=443 DPT=56606 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:15:52 hostname kernel: [193264.405058] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=40970 PROTO=TCP SPT=443 DPT=51870 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:25:05 hostname kernel: [193817.665080] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.213.110 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=53565 PROTO=TCP SPT=443 DPT=52222 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:25:21 hostname kernel: [193833.646071] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=11351 PROTO=TCP SPT=443 DPT=37770 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:25:21 hostname kernel: [193833.646655] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=11353 PROTO=TCP SPT=443 DPT=37770 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:25:37 hostname kernel: [193849.661486] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.99 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=55020 PROTO=TCP SPT=443 DPT=45294 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:25:37 hostname kernel: [193849.662004] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.212.99 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=55022 PROTO=TCP SPT=443 DPT=45294 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:27 hostname kernel: [193899.661583] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.16.53 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=7422 PROTO=TCP SPT=443 DPT=41724 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:28 hostname kernel: [193900.659790] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=39024 PROTO=TCP SPT=443 DPT=45918 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:28 hostname kernel: [193900.660111] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=39025 PROTO=TCP SPT=443 DPT=45918 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:28 hostname kernel: [193900.661613] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.201.35 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=39027 PROTO=TCP SPT=443 DPT=45918 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:39 hostname kernel: [193911.649636] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=35465 PROTO=TCP SPT=443 DPT=52332 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:39 hostname kernel: [193911.650474] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=35466 PROTO=TCP SPT=443 DPT=52332 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:26:39 hostname kernel: [193911.655423] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=130.211.26.229 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=35472 PROTO=TCP SPT=443 DPT=52332 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:45:57 hostname kernel: [195068.802755] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.46 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=54861 PROTO=TCP SPT=443 DPT=44336 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 18:45:57 hostname kernel: [195068.803245] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=216.58.204.46 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=54863 PROTO=TCP SPT=443 DPT=44336 WINDOW=0 RES=0x00 RST URGP=0
---Mod edit - changed [ quote ] to [ code ] tags---
Last edited by damo (2017-01-20 20:51:02)
nobody, looks like our posts crossed in the ether. So are you agreeing with the theory that these are https connections which have been dropped on my side by the browser?
Cheers
Are you by chance using /etc/hosts as an ad blocker? It routes everything to 0.0.0.0 which can be interpreted as localhost. This may be proof of effective ad blocking.
@nobody - sure I understand how the firewall works and that the packets are being dropped in the kernel.
I was implying that there had previously been a connection from my web browser to a web server running on the IPs in question. I'd read somewhere that issues like this could be caused by a browser having opened a connection to a secure server on port 443, and then later the browser closes the connection, but there are still packets either en route or being sent by the web server until the web server picks up that the connection has been closed. Those packets sent after the connection is dropped would look like they were coming from port 443 on the server side and would be targeting the high-numbered port on my side which the original outgoing connection from the browser was assigned to. I've seen myself that when a TCP/IP socket connection is closed, it can take a while for the other side to be notified of the connection drop/closure.
I'd only wondered about this, as all the log entries I've seen have been coming from port 443 on the other side, and I'm not seeing this issue at all on my second box where I never run a browser. However, it seems to be happening more than I would expect. Of course it could be malicious traffic which is made to look like innocuous secure web traffic...
Hope I've explained it better this time. It's early here and I've not yet had the first coffee of the day!
Enoch
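To tie nobody's point about the local port range to Enoch's explanation of late packets from closed HTTPS sessions, here is an added example (not from anyone in the thread) that parses the [UFW BLOCK] lines above and labels each packet by what its header tuple and TCP flags imply. It assumes the default Linux ephemeral range 32768-60999 shown earlier, takes four lines from Enoch's log as input, and adds one constructed SYN line from a documentation address for contrast.

```python
import re
from collections import Counter, defaultdict

# A UFW/iptables kernel log line carries KEY=VALUE fields after "[UFW BLOCK]",
# followed by bare TCP flag names (SYN, ACK, RST ...). DF is the IP DF bit.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# Assumed: Linux default net.ipv4.ip_local_port_range (nobody's sysctl output).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 32768, 60999

# Sample input: four lines copied from Enoch's log, plus one constructed
# bare-SYN line (203.0.113.5 is a documentation address, not a real host).
SAMPLE_LOG = """\
Jan 20 09:16:03 hostname kernel: [160877.205600] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.10 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=33310 PROTO=TCP SPT=443 DPT=43964 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 09:16:03 hostname kernel: [160877.212899] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=172.217.23.10 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=33312 PROTO=TCP SPT=443 DPT=43964 WINDOW=0 RES=0x00 RST URGP=0
Jan 20 10:10:38 hostname kernel: [164152.428988] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=69.187.26.87 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=31 ID=61795 DF PROTO=TCP SPT=443 DPT=38924 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 20 10:44:27 hostname kernel: [166180.860859] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=205.234.175.175 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=20510 PROTO=TCP SPT=443 DPT=39812 WINDOW=525 RES=0x00 ACK URGP=0
Jan 20 12:00:00 hostname kernel: [170000.000000] [UFW BLOCK] IN=enp5s0 OUT= MAC=XXX SRC=203.0.113.5 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_ufw_block(line):
    """Parse one '[UFW BLOCK]' line into a dict of fields plus a flag set."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    rec = dict(FIELD_RE.findall(body))
    # Tokens without '=' are the TCP flag names printed by the kernel.
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec


def classify(rec):
    """Label a blocked packet by what its (SPT, DPT, flags) imply."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = int(rec["SPT"]), int(rec["DPT"]), rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a genuine attempt to open a connection to us.
        return "inbound-connection-attempt"
    to_ephemeral = EPHEMERAL_LOW <= dpt <= EPHEMERAL_HIGH
    if spt == 443 and to_ephemeral and flags & {"ACK", "RST", "FIN"}:
        # Port 443 answering a port our kernel hands out to clients, with no
        # SYN: the tail of an HTTPS session our side has already closed.
        return "late-reply-to-closed-outbound"
    return "other"


def summarise(text):
    """Count categories and group packets by (remote IP, our local port)."""
    counts = Counter()
    conversations = defaultdict(list)
    for line in text.splitlines():
        rec = parse_ufw_block(line)
        if rec is None:
            continue
        counts[classify(rec)] += 1
        # Repeats on one (SRC, DPT) with close IP IDs are retries to one socket.
        conversations[(rec["SRC"], rec["DPT"])].append(rec["ID"])
    return counts, dict(conversations)


if __name__ == "__main__":
    counts, convs = summarise(SAMPLE_LOG)
    print(counts)
    for key, ids in convs.items():
        print(key, "IP IDs:", ids)
```

Run it over a full /var/log/ufw.log and the conversation grouping shows whether the blocks cluster on a handful of local ports per remote host (closed sessions) or spread across many (something probing).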
@cloverskull not using /etc/hosts as an adblocker, using a plugin in the browser. Though funnily, I have recently seen a script which uses that approach plus whitelists and blacklists from various sources...