    Help with understanding Threat Analysis

    pfBlockerNG
    6 Posts 2 Posters 2.0k Views
    4o4rh

      I have an Ubuntu PC and pfBlocker is blocking outbound UDP 56777 from this PC to D522A3FE.static.ziggozakelijk.nl amongst other similar addresses.

      The log is absolutely full of these blocks.
      CINS_army_v4
      212.178.135.62

      CINS_army_v4
      213.34.163.254

      Is this something on my PC? How can I find out what it is, if so?

      Gertjan @4o4rh

        @gwaitsi said in Help with understanding Threat Analysis:

        Is this something on my PC?

        It's an Ubuntu-based PC, so why not have a look?

        Try this one:
        Take the IPs 213.34.163.254 and 212.178.135.62, put them in the OUTPUT chain as a block. Now pfBlocker stops blocking, because these IPs won't get out of the Ubuntu device any more.

        You could also launch the classic commands like:

        cd /
        grep -R 'ziggozakelijk.nl' *
        

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        4o4rh @Gertjan

          @gertjan pfBlocker is doing what it is supposed to, i.e. blocking known bad IPs.

          As the source is showing from my desktop, I want to find what is causing it on the source. I don't want to stop pfBlocker doing what it is doing well.

          Although I am using an Ubuntu desktop, I don't have strong Linux skills, thus need some help from the community.

          Gertjan @4o4rh

            @gwaitsi

            I did not mention that you should change something with pfBlockerNG.

            I'm pretty sure that, when you use the local 'Ubuntu' firewall to block outgoing traffic, you will be able to get the name of the process that emitted the packets that are blocked.
            I'll have a look myself, as I'm using several Debian based servers.

            Btw: the 'grep' advice still stands.

            Log in to the Ubuntu command line interface.
            Execute the two commands.
            If the word (string) 'ziggozakelijk.nl' exists somewhere, you will know it.
            And the path to the file will surely indicate what program or package it belongs to.

            I know that Ziggo is a Dutch ISP, so I would consider 'ziggozakelijk.nl' as a trusted domain name.

            Throwing 'static.ziggozakelijk.nl' into Google shows a lot of mess, but nothing dangerous.


              4o4rh @Gertjan
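Added example, not from this thread: the local firewall log will not name the sending process by itself, so one way to tie the blocked destination IPs back to a process on the Ubuntu desktop is to look them up in the UDP socket table that `ss -unap` (iproute2) prints. The `ss` output below is a constructed sample, and the process name `example-p2p` and the pids are made up for the demonstration; on the real machine you would run `sudo ss -unap | find_udp_senders 212.178.135.62 213.34.163.254` instead.

```shell
#!/bin/sh
# Constructed sample of `ss -unap` output (not real captured data).
# Column 5 is the peer address:port; the trailing users:(...) field is
# only filled in for sockets you are allowed to see (run ss as root).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port     Process
UNCONN 0      0      0.0.0.0:5353         0.0.0.0:*             users:(("avahi-daemon",pid=812,fd=12))
ESTAB  0      0      192.168.1.20:56777   212.178.135.62:56777  users:(("example-p2p",pid=4242,fd=19))
ESTAB  0      0      192.168.1.20:56777   213.34.163.254:56777  users:(("example-p2p",pid=4242,fd=20))
ESTAB  0      0      192.168.1.20:40001   213.34.163.254:56777
ESTAB  0      0      192.168.1.20:33111   1.1.1.1:53            users:(("systemd-resolve",pid=700,fd=13))'

# find_udp_senders IP [IP...]: reads `ss -unap` output on stdin and prints
# "peer-ip process pid=N" for every socket whose peer is one of the IPs
# pfBlockerNG reported. Sockets without a visible owner are flagged.
find_udp_senders() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) target[w[i]] = 1 }
        NR > 1 {
            ip = $5
            sub(/:[^:]*$/, "", ip)                      # drop the :port suffix (IPv4)
            if (!(ip in target)) next
            if (match($0, /"[^"]+",pid=[0-9]+/)) {
                p = substr($0, RSTART + 1, RLENGTH - 1)  # name",pid=NNN
                sub(/",pid=/, " pid=", p)               # name pid=NNN
                print ip, p
            } else {
                print ip, "process unknown (run ss as root)"
            }
        }'
}

# Convenience wrapper that runs the lookup over the constructed sample.
report_from_sample() {
    printf '%s\n' "$SAMPLE_SS" | find_udp_senders "$@"
}

report_from_sample 212.178.135.62 213.34.163.254
```

Once the pid is known, `ps -p <pid> -o comm,args` and `dpkg -S` on the executable path tell you which package installed it, which is the same question the grep approach is trying to answer.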

              @gertjan ok, I added a block rule to ufw, but the log is only showing changes made to the config.

              The grep command never completes, just gets stuck after
              grep: dev/snd/pcmC1D3p: Invalid argument

                Gertjan @4o4rh

                @gwaitsi said in Help with understanding Threat Analysis:

                grep: dev/snd/pcmC1D3p: Invalid argument

                Yeah, sorry.
                It reads folders it shouldn't.

                cd to /usr, that's the most important one.

                cd /usr
                


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.