Hi Tim,

> IP              hostname                       in           out            total          last seen
> 98.159.234.100  chrysippo.dreamsinheels.com    377,452,876  8,790,117,140  9,167,570,016  2d 18h 38m 35s
> 98.159.234.101  reformidans.dreamsinheels.com  231,512,992  4,458,161,590  4,689,674,582  3d 21h 18m 8s
> 98.159.234.54   posset.dreamsinheels.com       196,503,575  3,748,136,401  3,944,639,976  2d 2h 41m 11s
> 98.159.234.72   pecunias.dreamsinheels.com     207,944,151  3,507,655,611  3,715,599,762  2d 3h 6m 12s
> 98.159.234.157  aliquod.dreamsinheels.com      132,080,873  2,002,741,007  2,134,821,880  11h 53m 38s
> 98.159.234.20   iustitiam.dreamsinheels.com    87,937,813   1,906,705,751  1,994,643,564  21h 14m 53s
...
> While I don't seem to have a list of live connections it is still making
> connections, I checked and they are showing in Wireshark when I monitor
> traffic

A TCP connection is being established after the full normal handshake?
As opposed to an incoming packet attempting to start a connection but
not progressing?  If so, a program must be actively listening on the
same TCP port to accept the connection.  What's the output of

    sudo -i ss -tlpe

> Here is a sample of one of the rules I have come up with:
>
> -A ufw-user-logging-output -p tcp
> -d 185.151.30.148 --dport 42474
> -s 185.151.30.148 --sport 42474
> -m limit --limit 3/min --limit-burst 10
> -j LOG --log-prefix "[UFW BLOCK] "

That looks like a rule to log something about the packet.
Have you enabled logging?
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Disable_UFW_logging
says how to disable it so I think you do the opposite.  That's what
https://wiki.ubuntu.com/UncomplicatedFirewall#Basic_Usage suggests.

> I don't know how to change the single port to any port.

Why bother trying to match the port?  Just ban anything from IP
addresses.  I think you just want to drop all packets from sources
98.159.234.0/24 and 185.151.130.148.  There are a couple of similar
examples in
https://wiki.archlinux.org/title/Uncomplicated_Firewall#Black_listing_IP_addresses

-- 
Cheers, Ralph.

-- 
  Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
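
The advice above to block by source address instead of matching ports can be prepared from a traffic table like the quoted one. This is an added example, not part of the email thread: `sample_table` and `block_rules` are hypothetical names, the last two table rows are constructed, and the script only prints `ufw` commands for review rather than running them.

```shell
#!/bin/sh
# Added example: turn a traffic table into dry-run ufw deny commands.

# Rows 1-6 are copied from the table quoted in the email (last-seen column
# dropped); the final two rows are constructed to exercise the other paths.
sample_table() {
cat <<'EOF'
98.159.234.100 chrysippo.dreamsinheels.com 377,452,876 8,790,117,140 9,167,570,016
98.159.234.101 reformidans.dreamsinheels.com 231,512,992 4,458,161,590 4,689,674,582
98.159.234.54 posset.dreamsinheels.com 196,503,575 3,748,136,401 3,944,639,976
98.159.234.72 pecunias.dreamsinheels.com 207,944,151 3,507,655,611 3,715,599,762
98.159.234.157 aliquod.dreamsinheels.com 132,080,873 2,002,741,007 2,134,821,880
98.159.234.20 iustitiam.dreamsinheels.com 87,937,813 1,906,705,751 1,994,643,564
203.0.113.7 single.example 1,000 2,000 3,000
999.1.1.1 malformed.example 1 1 2
EOF
}

# block_rules MIN_HOSTS: read the table on stdin. A /24 containing at least
# MIN_HOSTS distinct sources is denied as a whole network; any other source
# is denied individually. Field 1 must be a valid dotted quad, so junk text
# never ends up inside a firewall command.
block_rules() {
    awk -v min="${1:-3}" '
    {
        if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split($1, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        net = o[1] "." o[2] "." o[3] ".0/24"
        if (!($1 in seen)) { seen[$1] = net; hosts[net]++ }
    }
    END {
        for (ip in seen) {
            target = (hosts[seen[ip]] >= min) ? seen[ip] : ip
            # "insert 1" puts the deny ahead of existing allow rules,
            # because ufw evaluates rules in order.
            if (!(target in done)) {
                done[target] = 1
                print "ufw insert 1 deny from " target
            }
        }
    }' | sort
}

sample_table | block_rules 3
```

Review the printed lines, then run them with `sudo`; `sudo ufw status numbered` shows where each rule landed.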