Unexpected https connections coming out of my laptop
Today, while debugging some local network connections with netstat in my laptop (running OSX 10.8.5) I noticed a very weird thing:
tcp4 0 0 192.168.43.201.56227 220.127.116.11.443 ESTABLISHED
"A connection to https somewhere, while all I'm doing is debug some local stuff in a shell and edit some files in emacs?" - I thought. Something smell badly.
I did a whois on the ip address:
And I saw there to whom the address belong:
OrgName: Apple Inc. OrgId: APPLEC-1-Z Address: 20400 Stevens Creek Blvd., City Center Bldg 3 City: Cupertino StateProv: CA PostalCode: 95014 Country: US RegDate: 2009-12-14 Updated: 2011-03-08 Ref: http://whois.arin.net/rest/org/APPLEC-1-Z
"Ok, this has to be one of those services running by default on the background by OSx then, let's find out which one" - I told myself.
At first thought I decided to use netstat itself to find out which process was sending such a long-term request (the connection did stay open for quite some time). Too bad OSX's netstat does not have a -p flag to show the processes (or at least not in this OSx version). OSx's fuser cannot be used for that purpose neither, and it does not have FreeBSD's sockstat or fstat tools.
It has lsof though, which is good enough for the job:
sudo lsof -n -i 4 -a|grep 56227
There it was:
apsd 317 root 10u IPv4 0xf041bb92eb553d51 0t0 TCP 192.168.43.201:56227->18.104.22.168:https (ESTABLISHED)
"apsd? wtf is apsd?" - Question popped in my mind, and all of a sudden the name become familiar - "I'd say we have met before... let's look at the man page":
APSD(8) BSD System Manager's Manual APSD(8) NAME apsd -- Apple Push Notification service daemon SYNOPSIS apsd DESCRIPTION apsd ApplePushService daemon for Apple Push Notification service. This is part of the ApplePushService framework. There are no configuration options to apsd. Users should not run apsd manually. Mac OS X Feb 10, 2009 Mac OS X
HA!, I loved this part: "Users should not run apsd manually", which we could translate into "Hey you!, do not mess with this stuff that could be sending some data back to us here!".
The man page did not return too much info, but a bit of searching through the Internet for Apple Push Notification service daemon returned a couple of helpful links:
- Some information about that notification service itself: https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html
- An entry in stackoverflow about disabling it: http://apple.stackexchange.com/questions/92214/how-to-disable-apple-push-notification-service-apsd-on-os-x-10-8
Good enough for me (specially the second one). A quick read through the documentation told me that this probably is used by Apple to send me upgrade notifications and things like that, which I don't care about, specially when I'm working from a remote location, connected through my mobile phone and a limited bandwidth line.
So, I did shut it down:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist
(turn it back on is easy, just replace unload with load there).
Finally, I added this alias to my ~./profile, so I could list processes listening on tcp4 ports quickly:
alias tcp4_procs='sudo lsof -n -i 4 -a'
(sudo is needed in order to see process my user does not own).