Hi Tim,

> This was about 12 minutes ago

That shows a local TCP port 56946 talking to remote port 80 on
185.151.30.148.  I can also talk to that remote port.

    $ curl -sSvg http://185.151.30.148; echo
    *   Trying 185.151.30.148:80...
    * TCP_NODELAY set
    * Connected to 185.151.30.148 (185.151.30.148) port 80 (#0)
    > GET / HTTP/1.1
    > Host: 185.151.30.148
    > User-Agent: curl/7.65.0
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 
    < cache-control: no-cache
    < content-length: 9
    < content-type: text/plain
    < x-via: LHR2
    < 
    * Connection #0 to host 185.151.30.148 left intact
    It works!
    $

It does not mean the remote end initiated the TCP connection, and being
port 80, the standard HTTP port, this is unlikely.  The local port 56946
is a typical port number for an outgoing connection where the port
number does not matter.  I don't know how well ufw, which is designed to
protect the machine from the outside world, can help in stopping TCP
connections which originate from within the machine.

Investigate what processes are talking to the remote IP address at the
time of the packets.

    sudo -i ss -p dst 66.39.101.110

If it's a browser then check if there are service workers running or
tabs updating a page.

-- 
Cheers, Ralph.

-- 
  Next meeting: Online, Jitsi, Tuesday, 2024-01-02 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
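
The direction reasoning in the message above, as an added example that is not part of the original e-mail: it reads `ss -Htnp`-style lines, uses the ephemeral port range to judge which end opened each connection, and names the owning process. The sample lines, the 192.168.1.x addresses, the process names and the PIDs are constructed; the default range 32768-60999 is the usual Linux default and is an assumption for any given machine.

```shell
#!/bin/sh
# Added example: guess which end opened each established TCP connection.
# Heuristic only: a local ephemeral port talking to a remote well-known
# port suggests the connection originated from this machine.

# Constructed sample in the column layout printed by `ss -Htnp`.
sample_ss() {
cat <<'EOF'
ESTAB 0 0 192.168.1.10:56946 185.151.30.148:80 users:(("firefox",pid=2314,fd=87))
ESTAB 0 0 192.168.1.10:22 192.168.1.20:51514 users:(("sshd",pid=901,fd=4))
ESTAB 0 0 192.168.1.10:40112 66.39.101.110:443 users:(("thunderbird",pid=3120,fd=55))
EOF
}

# Ephemeral range from the kernel if readable, else the usual Linux default.
port_range() {
    cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 60999"
}

# classify LOW HIGH: reads ss lines on stdin and prints
# "direction local peer process" for each established connection.
classify() {
    awk -v lo="$1" -v hi="$2" '
    $1 == "ESTAB" {
        lport = $4; sub(/.*:/, "", lport)   # strip address, keep port
        rport = $5; sub(/.*:/, "", rport)
        proc = "?"                          # ss -p needs root to see all owners
        if (match($0, /\(\("[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        l_eph = (lport + 0 >= lo && lport + 0 <= hi)
        r_eph = (rport + 0 >= lo && rport + 0 <= hi)
        if (l_eph && !r_eph)      dir = "outbound"
        else if (!l_eph && r_eph) dir = "inbound"
        else                      dir = "unknown"  # both or neither ephemeral
        print dir, $4, $5, proc
    }'
}

# Demonstration on the constructed sample with a fixed range.
sample_ss | classify 32768 60999

# Live use (as root, so process names are visible):
#   ss -Htnp | classify $(port_range)
```
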
