Netgate Discussion Forum

Help with understanding Threat Analysis

pfBlockerNG
6 Posts 2 Posters 2.1k Views
    4o4rh
    last edited by May 13, 2021, 5:47 AM

    I have an Ubuntu PC and pfblocker is blocking outbound UDP 56777 from this PC to D522A3FE.static.ziggozakelijk.nl amongst other similar addresses.

    The log is absolutely full of these blocks.
    CINS_army_v4
    212.178.135.62

    CINS_army_v4
    213.34.163.254

    Is this something on my PC? How can I find out what it is, if so?

      Gertjan @4o4rh
      last edited by May 13, 2021, 6:41 AM

      @gwaitsi said in Help with understanding Threat Analysis:

      Is this something on my PC?

      It's an Ubuntu based PC, so why not have a look ?

      Try this one :
      Take the IPs 213.34.163.254 and 212.178.135.62, put them in the OUTPUT chain as a block. Now pfBlocker stops blocking, because these IPs won't get out of the Ubuntu device any more.

      You could also launch the classic commands like :

      cd /
      grep -R 'ziggozakelijk.nl' *
      

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        4o4rh @Gertjan
        last edited by May 13, 2021, 7:36 AM

        @gertjan pfblocker is doing what it is supposed to, i.e. blocking known bad IPs.

        As the source is showing as my desktop, I want to find what is causing it on the source. I don't want to stop pfblocker doing what it is doing well.

        Although I am using an Ubuntu desktop, I don't have strong Linux skills, so I need some help from the community.

          Gertjan @4o4rh
          last edited by May 13, 2021, 7:47 AM

          @gwaitsi

          I did not mention that you should change something in pfBlockerNG.

          I'm pretty sure that, when you use the local 'Ubuntu' firewall to block outgoing traffic, you will be able to get the name of the process that emitted the packets that are blocked.
          I'll have a look myself, as I'm using several Debian based servers.

          Btw : the 'grep' advice still stands.

          Log into the Ubuntu command line interface.
          Execute the two commands.
          If the word (string) 'ziggozakelijk.nl' exists somewhere, you will know it.
          And the path to the file will surely indicate what program or package it belongs to.

          I know that Ziggo is a Dutch ISP, so I would consider 'ziggozakelijk.nl' a trusted domain name.

          Throwing 'static.ziggozakelijk.nl' into Google shows a lot of mess, but nothing dangerous.


            4o4rh @Gertjan
            last edited by May 13, 2021, 7:25 PM
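          One way to do what Gertjan describes (attribute the blocked outbound UDP traffic to a local process) without waiting for firewall logs, as an added example that is not from this thread: the script below parses `ss -Hunap` output and flags sockets that are connected to the listed IPs or bound to the local port. The two IPs and port 56777 come from the thread; the process names, PIDs and other socket lines in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: attribute outbound UDP sockets to
# a local process from `ss -Hunap` output. BLOCKED holds the two IPs quoted in
# the thread; LOCAL_PORT is the source port the OP saw (56777).
BLOCKED="212.178.135.62 213.34.163.254"
LOCAL_PORT=56777

# Usage: match_sockets "<ip list>" <local port> "<ss -Hunap output>"
# `ss -Hunap` columns: State Recv-Q Send-Q Local:Port Peer:Port Process.
# Prints "peer local_port process" for sockets connected to a listed IP, and
# also for unconnected UDP sockets (peer "*") bound to the local port, since
# a UDP sender that never calls connect() shows no peer address at all.
match_sockets() {
    printf '%s\n' "$3" | awk -v blocked="$1" -v lport="$2" '
        BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        {
            peer = $5; sub(/:[^:]*$/, "", peer)      # strip :port (or :*)
            lp = $4;   sub(/^.*:/, "", lp)           # keep only the local port
            if ((peer in want) || lp == lport) {
                proc = "unknown"                     # no users:(...) without root
                if (match($0, /users:\(\("[^"]+"/))
                    proc = substr($0, RSTART + 9, RLENGTH - 10)
                print peer, lp, proc
            }
        }'
}

# Constructed sample in `ss -Hunap` format (names and PIDs are made up).
SAMPLE='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))
UNCONN 0 0 0.0.0.0:56777 0.0.0.0:* users:(("unknown-app",pid=4242,fd=20))
ESTAB 0 0 192.168.1.10:56777 212.178.135.62:6881 users:(("unknown-app",pid=4242,fd=21))
ESTAB 0 0 192.168.1.10:40000 1.1.1.1:53 users:(("systemd-resolve",pid=600,fd=15))'

# Live use (root needed to see other users' process names):
#   match_sockets "$BLOCKED" "$LOCAL_PORT" "$(ss -Hunap)"
match_sockets "$BLOCKED" "$LOCAL_PORT" "$SAMPLE"
```

Because UDP traffic is bursty, run the live form in a loop (or from a ufw LOG rule's timestamp) so the socket is caught while it is open.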

            @gertjan ok, I added a block rule to ufw, but the log is only showing changes made to the config.

            The grep command never completes, it just gets stuck after
            grep: dev/snd/pcmC1D3p: Invalid argument

              Gertjan @4o4rh
              last edited by May 13, 2021, 9:51 PM

              @gwaitsi said in Help with understanding Threat Analysis:

              grep: dev/snd/pcmC1D3p: Invalid argument

              Yeah, sorry.
              It reads folders it shouldn't.

              cd to /usr, that's the most important one.

              cd /usr
              
