
I have this problem: when I look at the output of the command

iftop -i eth0 -o 10s -p -P

I get a ton of list information:

192.168.8.119:ssh   => 192.168.8.98:62424                            5.12Kb  5.60Kb  8.94Kb
                    <=                                                320b    320b    453b
224.0.0.251:mdns    => 192.168.8.98:mdns                                0b      0b      0b
                    <=                                                  0b    285b    641b
192.168.8.119:smtp  => 87.246.7.246:53274                             160b     32b      8b
                    <=                                                240b     48b     12b
192.168.8.119:smtp  => 5.34.207.59:1832                                 0b     32b      8b
                    <=                                                  0b     48b     12b
192.168.8.119:smtp  => 5.34.207.107:34708                               0b     32b      8b
                    <=                                                  0b     48b     12b
192.168.8.119:smtp  => 5.34.207.107:58290                               0b     32b      8b
                    <=                                                  0b     48b     12b
192.168.8.119:smtp  => 5.34.207.59:50034                                0b      0b     16b
                    <=                                                  0b      0b     24b
192.168.8.119:45822 => 192.168.8.118:microsoft-ds                       0b      0b     22b
                    <=                                                  0b      0b     12b
192.168.8.119:45824 => 192.168.8.118:microsoft-ds                       0b      0b     22b
                    <=                                                  0b      0b     12b
192.168.8.119:45826 => 192.168.8.118:microsoft-ds                       0b      0b     22b
                    <=                                                  0b      0b     12b
192.168.8.119:45828 => 192.168.8.118:microsoft-ds                       0b      0b     22b
                    <=                                                  0b      0b     12b
192.168.8.119:45830 => 192.168.8.118:microsoft-ds                       0b      0b     22b
                    <=                                                  0b      0b     12b
...

As an example, I blocked a couple of IP addresses, but it ruins my day when I see almost a full screen like that:

ufw deny from 5.34.207.107 to any
ufw deny out from any to 5.34.207.107

How can I finally find and stop the process that makes these calls to 5.34.207.107, ...? It's an Ubuntu 20.x system.

trash2
    Does this answer your question? https://serverfault.com/questions/316666/on-linux-how-can-i-tell-which-process-is-sending-ethernet-packets – Gerald Schneider Apr 20 '22 at 11:46
  • @GeraldSchneider Sorry, nope. I only see `? root unknown TCP 0.000 0.000 KB/sec`. Also with the -b -t parameters, nothing more than that – trash2 Apr 20 '22 at 12:30

1 Answer


I think you are missing the context. Those IP addresses (5.34.207.XX) are the ones trying to establish a connection. It seems like you have a mail server running on your machine and these hosts are trying to connect to it (probably to send spam).

You can see that they are trying to establish the connection by looking at the port. Everything over 1024 (but actually more like > 20000) is a port opened to connect to another host (outbound).

Look up ephemeral ports.

Malik
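The ephemeral-port reasoning in the answer can be applied mechanically to the iftop output from the question. The script below is an added example, not code from the question or the answer: it reads `iftop -P` text, looks at the port on each side of a pair, and reports whether the peer connected to a local service (inbound, as with the smtp lines) or a local process connected out (outbound, as with the microsoft-ds lines). The rule that a numeric port of 1024 or higher is ephemeral and anything else is a service port is a simplifying assumption for the example; the sample lines are copied from the question.

```shell
#!/bin/sh
# Added example: classify iftop connection pairs by which side used an ephemeral port.
# iftop -P prints the local address on the left and the peer on the right; the "=>"
# line of each pair carries both endpoints, the "<=" line only the reverse counters.
# Assumption for this example: a numeric port >= 1024 is ephemeral (the side that
# opened the connection), a service name or low port is the listener.

classify_iftop() {
  # Reads `iftop -P` output on stdin, prints one line per pair: LOCAL PEER DIRECTION
  awk '
    $2 == "=>" {
      n = split($1, l, ":"); lp = l[n]          # local port (name or number)
      m = split($3, r, ":"); rp = r[m]          # peer port (name or number)
      l_eph = (lp ~ /^[0-9]+$/ && lp + 0 >= 1024)
      r_eph = (rp ~ /^[0-9]+$/ && rp + 0 >= 1024)
      if (r_eph && !l_eph)      dir = "inbound (peer connected to local port " lp ")"
      else if (l_eph && !r_eph) dir = "outbound (local process connected to peer port " rp ")"
      else                      dir = "ambiguous"
      print $1, $3, dir
    }'
}

# Sample input copied from the question (the "=>" line of a few pairs).
SAMPLE='192.168.8.119:ssh   => 192.168.8.98:62424                            5.12Kb  5.60Kb  8.94Kb
224.0.0.251:mdns    => 192.168.8.98:mdns                                0b      0b      0b
192.168.8.119:smtp  => 87.246.7.246:53274                             160b     32b      8b
192.168.8.119:smtp  => 5.34.207.59:1832                                 0b     32b      8b
192.168.8.119:45822 => 192.168.8.118:microsoft-ds                       0b      0b     22b'

classify_sample() { printf '%s\n' "$SAMPLE" | classify_iftop; }

# Number of pairs in the sample with the given direction (inbound/outbound/ambiguous).
count_direction() { classify_sample | grep -c "^[^ ]* [^ ]* $1"; }

# Stand-alone run: show the classification of the sample.
classify_sample
```

For the inbound pairs the process to look at is whatever listens on that local port (`ss -tlnp` as root shows the listener and its PID), which for the smtp lines is the local mail server, not something reaching out to 5.34.207.x. For outbound pairs `ss -tnp` lists the established socket with the owning PID.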