I have a running Debian system with ufw. I have set "default deny" for all outgoing connections and open specific traffic (ports and/or IP addresses) as needed.
I use the dmesg log to see whether anything is trying to establish an outbound connection. I can usually research the IP address and/or port and figure out what is going on. But is there a way to see which application is attempting to send outbound packets?
Answer 1
It is probably best to check the ufw log:
sudo less /var/log/ufw*
If there are no block entries in the log, check the log level. Keep in mind that higher log levels can fill up your disk quickly.
File: /etc/ufw/ufw.conf
# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low
man ufw shows some information about logging:
logging on|off|LEVEL
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may
also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default log
level is 'low'. See LOGGING for details.
........
LOGGING
ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified. Users
may specify a loglevel with:
ufw logging LEVEL
LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined as:
off disables ufw managed logging
low logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching
logged rules
medium log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new
connections. All logging is done with rate limiting.
high log level medium (without rate limiting), plus all packets with rate limiting
full log level high without rate limiting
Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may
generate a lot of logging output on a busy system.
Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.
Log example:
May 22 00:06:44 HOSTNAME kernel: [12387117.150851] [UFW -->BLOCK<--] IN=<NIC> OUT= MAC=XXXXXXXXXXXXXXXXXXXXXX SRC=0.0.0.0 DST=XXXXXXXXX LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Now I see you want to know which application is sending them... maybe application logs (failed attempts) and the like...
You could also open the port and use nethogs to see who is using bandwidth, and start from there. Close the port afterwards.
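The log line format above can be mined for egress flows that ufw is blocking, which narrows down what to look for with nethogs or in application logs. The following parser is an added example, not part of the original answer: it assumes the standard kernel "[UFW BLOCK]" prefix (the line above shows it with emphasis markers) and uses constructed sample lines with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the ufw/dmesg format quoted in the answer.
# OUT set with IN empty marks locally generated (outbound) traffic.
SAMPLE_LOG = """\
May 22 00:06:44 host kernel: [12387117.150851] [UFW BLOCK] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 22 00:06:45 host kernel: [12387118.100000] [UFW BLOCK] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 22 00:06:46 host kernel: [12387119.200000] [UFW BLOCK] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41000 DPT=123 LEN=56
May 22 00:06:47 host kernel: [12387120.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 00:06:48 host kernel: [12387121.400000] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Action is whatever sits inside "[UFW ...]" (BLOCK, ALLOW, AUDIT, LIMIT BLOCK);
# everything after the bracket is a run of KEY=VALUE tokens and bare flags.
UFW_RE = re.compile(r"\[UFW (?P<action>[^\]]+)\] (?P<fields>.*)$")

def parse_ufw_line(line):
    """Return a dict with 'action' plus the KEY=VALUE fields, or None for non-ufw lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action").strip()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        rec[key] = value if sep else True   # "OUT=" keeps an empty string, "DF" becomes True
    return rec

def blocked_outbound(log_text):
    """Count blocked egress flows keyed by (DST, PROTO, DPT) so repeat offenders stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        if not rec.get("OUT") or rec.get("IN"):
            continue                          # inbound or forwarded packet, skip
        counts[(rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/ufw.log").read() on a real host.
    for (dst, proto, dpt), n in blocked_outbound(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto:<5} {dst}:{dpt}")
```

The (DST, PROTO, DPT) tuples it prints are exactly what to match against `ss -tunp` or nethogs output to tie a flow back to a process.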