Help with understanding Threat Analysis
I have a ubuntu PC and pfblocker is blocking outbound UDP 56777 from this PC to D522A3FE.static.ziggozakelijk.nl amongst other similar address.
The log is absolutely full of these blocks.
Is this something on my PC? How can i find out what it is, if so?
Is this something on my PC?
It's an Ubuntu based PC, so why not have a look ?
Try this one :
Take the IP's 184.108.40.206 and 220.127.116.11, put them in the OUTPUT chain as a block. Now pfBlocker stops blocking, because these IP's won't get out of the Ubuntu device any more.
You could also launch the classic commands like :
cd / grep -R 'ziggozakelijk.nl' *
@gertjan pfblocker is doing what it is supposed to. i.e. blocking known bad ips.
As the source is showing from my desktop, i want to find what is causing it on the source. I don't want to stop pfblocker doing what it is doing well.
although i am using a ubuntu desktop, i don't have strong linux skills, thus need some help from the community.
I didn't not mention that you should change something with pfBlockerNG.
I'm petty sure that, when you use the local 'Ubuntu' firewall to block outgoing traffic, you will be able to get the name of the process that emitted packets that are blocked.
I'll have a look myself, as I'm using several Debian based servers.
Btw : the 'grep' advise still stands.
Login into the Ubuntu command line interface.
Execute the two commands.
If the word (string) 'ziggozakelijk.nl' exists somewhere, you will know it.
And the path to the file will surely indicate what program or package it belongs.
I know that Zigo is a dutch ISP, so I would consider 'ziggozakelijk.nl' as a trusted domain name.
Throwing 'static.ziggozakelijk.nl' into Google shows a lot of mess, but nothing dangerous.
@gertjan ok, i added a block rule to ufw, but the log only showing changes made to the config.
The grep command never completes, just gets stuck after
grep: dev/snd/pcmC1D3p: Invalid argument