Unexpected https connections coming out of my laptop
08 August 2015

or why you have to be careful with default setups

Today, while debugging some local network connections with netstat on my laptop (running OS X 10.8.5), I noticed something very weird:

tcp4       0      0  192.168.43.201.56227   17.143.164.144.443     ESTABLISHED

"A connection to https somewhere, while all I'm doing is debugging some local stuff in a shell and editing some files in emacs?" - I thought. Something smelled bad.

I did a whois on the IP address:

whois 17.143.164.144

And there I saw who the address belongs to:

OrgName:        Apple Inc.
OrgId:          APPLEC-1-Z
Address:        20400 Stevens Creek Blvd., City Center Bldg 3
City:           Cupertino
StateProv:      CA
PostalCode:     95014
Country:        US
RegDate:        2009-12-14
Updated:        2011-03-08
Ref:            http://whois.arin.net/rest/org/APPLEC-1-Z

"Ok, this has to be one of those services OS X runs in the background by default then; let's find out which one" - I told myself. (The whole 17.0.0.0/8 block belongs to Apple, so any 17.x.x.x peer is a strong hint that some Apple service is talking home, but it does not tell you which one.)

My first thought was to use netstat itself to find out which process owned such a long-lived connection (it stayed open for quite some time). Too bad OS X's netstat does not have a -p flag to show processes (or at least not in this version; on this BSD-derived netstat, -p selects a protocol, as in netstat -p tcp, so it is no help here). OS X's fuser cannot be used for that purpose either, and it does not ship FreeBSD's sockstat or fstat tools.

It has lsof, though, which is good enough for the job:

sudo lsof -n -i 4 -a|grep 56227

There it was:

apsd        317           root   10u  IPv4 0xf041bb92eb553d51      0t0  TCP 192.168.43.201:56227->17.143.164.144:https (ESTABLISHED)

"apsd? wtf is apsd?" - the question popped into my mind, and all of a sudden the name became familiar - "I'd say we have met before... let's look at the man page":

APSD(8)                   BSD System Manager's Manual                  APSD(8)

NAME
     apsd -- Apple Push Notification service daemon

SYNOPSIS
     apsd

DESCRIPTION
     apsd ApplePushService daemon for Apple Push Notification service.  This
     is part of the ApplePushService framework.

     There are no configuration options to apsd.  Users should not run apsd
     manually.

Mac OS X                         Feb 10, 2009                         Mac OS X

HA! I loved this part: "Users should not run apsd manually", which we could translate as "Hey you! Do not mess with this stuff that could be sending some data back to us here!".

The man page did not return much info, but a bit of searching the Internet for Apple Push Notification service daemon returned a couple of helpful links:

Good enough for me (especially the second one). A quick read through the documentation told me that this is probably used by Apple to send me upgrade notifications and things like that, which I don't care about, especially when I'm working from a remote location, connected through my mobile phone over a limited-bandwidth line. (Keep in mind that apsd is the client end of the Apple Push Notification service in general, so the same daemon also delivers pushes for things like iCloud, Messages and FaceTime; unloading it silences those as well, not only the upgrade notices.)

So, I shut it down:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist

(Turning it back on is easy: just replace unload with load.)

Finally, I added this alias to my ~/.profile, so I could quickly list processes holding open tcp4 sockets (note that lsof -i 4 shows every IPv4 socket, listening or established; add -sTCP:LISTEN if you only want listeners):

alias tcp4_procs='sudo lsof -n -i 4 -a'

(sudo is needed in order to see processes my user does not own.)
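The netstat-then-lsof dance above (spot an ESTABLISHED tcp4 connection to port 443, take its local port, ask lsof who owns that socket) is easy to script, and the same script doubles as the "which processes have sockets open" helper the alias is for. The following is an added example, not code from the original post: it parses the OS X netstat/lsof output formats shown above with awk. The netstat and lsof lines embedded in it are constructed samples shaped like the output in the post, so it runs offline; the function names and the live-mode invocation at the end are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): find established IPv4 TCP
# connections to remote port 443 and map each one to its owning process,
# using the output formats of OS X netstat and lsof as shown in the post.

# Constructed sample of `netstat -an -f inet -p tcp` on OS X, where the
# address and port are joined with a dot (192.168.43.201.56227).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.43.201.56227   17.143.164.144.443     ESTABLISHED
tcp4       0      0  127.0.0.1.8080         127.0.0.1.52311        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN'

# Constructed sample of `sudo lsof -n -P -i 4 -a` (-P keeps ports numeric,
# so the remote side reads :443 instead of :https).
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd      317   root   10u  IPv4 0xf041bb92eb553d51      0t0  TCP 192.168.43.201:56227->17.143.164.144:443 (ESTABLISHED)
python    4242  wu      3u  IPv4 0xf041bb92eb55aa11      0t0  TCP 127.0.0.1:8080 (LISTEN)'

# Read netstat output on stdin; print "localport remotehost" for every
# ESTABLISHED tcp4 connection whose foreign port is 443.
https_connections() {
    awk '$1 == "tcp4" && $6 == "ESTABLISHED" {
        n = split($4, l, ".")   # local address: a.b.c.d.port
        r = split($5, f, ".")   # foreign address: a.b.c.d.port
        if (f[r] == "443") print l[n], f[1] "." f[2] "." f[3] "." f[4]
    }'
}

# Read lsof output on stdin; print "COMMAND PID USER" of the process whose
# socket has the given local port (matches the ":port->" part of NAME).
owner_of_port() {
    awk -v p="$1" 'index($0, ":" p "->") > 0 { print $1, $2, $3 }'
}

# Join both: $1 is netstat text, $2 is lsof text. One line per connection.
report() {
    printf '%s\n' "$1" | https_connections | while read -r lport rhost; do
        owner=$(printf '%s\n' "$2" | owner_of_port "$lport")
        printf '%s -> %s:443 owned by %s\n' "$lport" "$rhost" "${owner:-unknown}"
    done
}

# Offline run against the constructed samples.
report "$SAMPLE_NETSTAT" "$SAMPLE_LSOF"

# Live use on the laptop itself (assumed invocation, needs sudo for lsof):
#   report "$(netstat -an -f inet -p tcp)" "$(sudo lsof -n -P -i 4)"
```

Note that the live invocation uses netstat -p tcp in its real OS X meaning (protocol selection), and passes -P to lsof so that the remote port stays numeric; without -P lsof prints service names (https) and the local-port match still works, but the remote side is harder to compare against netstat.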

Posted by wu at 10:23