Ubuntu 14.04 spying? suspicious traffic at boot

Brand new install of Ubuntu 14.04.

After I disabled all the web searches in the Unity bar (all that I could find: Amazon, various lenses, etc.), I noticed that when Ubuntu boots there is suspicious network traffic to various Canonical locations. It happens on, or about, the time of login.

I watched this traffic with iftop from a router computer.

Two part question:

  1. What is that traffic, and what is it for? Is it phoning home? Handing out information? A latest-software check?

  2. Regardless of why it's there, how do I stop/disable/uninstall/break/prevent that from happening?

    There is no reason why the computer should be connecting to the Internet behind the scenes unsolicited.


UPDATE: I have made sure all the privacy settings in Ubuntu have online searches off. I have used both the privacy settings and tweak tools to do this.

I have tracked down the sites which the computer reached out to and, in the process, found out that Ubuntu does it also when you shut down (not just at start up).

The computer reached out to barbadine.canonical.com, mulberry.canonical.com, golem.canonical.com and juniperberry.canonical.com.

This is exactly what I want to stop, regardless of the purposes or reasons for the traffic. None of the settings toggle options I have come across seem to stop this. It seems to be hardwired phone-home type stuff, perhaps. Short of blocking it with an external firewall, I am at a loss as to how to stop it.


Solution 1:

GOT IT! Or at least, for now, I think I have the answer (thanks to the Q&A and research noted below). I now have a computer that does not reach out to the Internet until I ask it to do so (we will see how periodic auto updates do [which I am OK with])... ahh, finally the soothing, tranquil sound of an Internet-quiet machine at boot/start and shut down (it still talks to the router, broadcasts, etc. OK with that).

The following is what I did. I will explain it as best I can, and will not get into the merits of why one should, or should not do this. I don’t want to get into it with anyone regarding what traffic they are OK with their computer doing behind the scenes. This post is not intended to be a “freak out” session or imply that Canonical's phones-to-home and NTP checks are evil, sinister or anything of the sort. I asked these questions for a specific reason and I thank all of you who responded with tips, suggestions, and information. I found most of it very helpful and learned from some of it (popcon.ubuntu.com - gone; another bites the dust).

The Solution (so far, at least)

Figuring that some of the traffic was clock related and usage related, I continued researching the subject and came up with the websites referenced below (credit where credit is due). I believe the culprit here is a program called Zeitgeist. It sits around on your computer and monitors the user. It, along with some nasty co-conspirators called GeoClue and geoip, feverishly works to compile info about the user. The bandits collect, statistic-ize, package, and ship off what you're doing to Canonical (oh, ...and they keep your time right, in case you're warping through a wormhole). Then (not before), I believe, Canonical makes the data anonymous and stores it for its usage needs (debug, develop, commercial, or otherwise). Either way, it's got to go.

So:

sudo apt-get remove zeitgeist zeitgeist-core zeitgeist-datahub python-zeitgeist \
  rhythmbox-plugin-zeitgeist geoclue geoclue-ubuntu-geoip geoip-database

running that ultimately removed:

activity-log-manager activity-log-manager-control-center geoclue
geoclue-ubuntu-geoip geoip-database libunity-webapps0 python-zeitgeist
rhythmbox-plugin-zeitgeist unity-webapps-common unity-webapps-service
xul-ext-unity xul-ext-websites-integration zeitgeist zeitgeist-core
zeitgeist-datahub

A bunch of stuff I could live without. In anticipation that it would "break" Unity, I put on "flashback" and GNOME Shell for a few other options. But, as it turns out, to my surprise Unity still works! No errors. Time is looking good, Dash works (minus the bloated web searches/live searches/lens searches, as desired). I have not (yet) been forced off Unity.

then:

sudo gedit /etc/default/ntpdate

and on the first line:

exit 0

put an end to the NTPD requests (juniperberry, golem, etc.).

The referenced sites below talk about possibly removing Whoopsie too, but I kept that in for now, since you usually invoke the transmission at the time of the problem. (emphasis … for now.)

So there you go! Now a nice quiet start to my computer in the network neighborhood! Thanks again for all your comments and help guys. I will keep an eye on this, and if the problem returns, perhaps you'll be hearing from me. Good luck if you try this.

REFERENCES: http://ubuntuforums.org/showthread.php?t=2000108
and Strange connections by gvfsd-http --spawner

Solution 2:

You can use Wireshark to sniff network traffic and analyze all exchanges made by your Ubuntu box. Here are my results, made by installing Ubuntu 14.04 in VirtualBox (for easier traffic sniffing):

On boot:

  • DHCP Request, Offer, ACK
  • various MDNS query/response to 224.0.0.251
  • DNS query for ntp.ubuntu.com then NTP traffic to ntp.ubuntu.com
  • DNS query for daisy.ubuntu.com
  • DNS query for changelogs.ubuntu.com and some HTTP data, only once

So there is nothing unusual here. You can find a full explanation of these automatic connections, alongside ways to prevent them, here.

My only recommendation is not to disable NTP requests, but either to use your router if it has an NTP server or to use a public NTP server like the ones from ntp.org. You need to change the NTPSERVERS variable in the /etc/default/ntpdate file.

You can even block MDNS with your firewall if you really want to and know what you are doing.
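The triage step the answer above describes (sniff, then compare what resolved against the short list of expected names) can be scripted. The following is an added example, not code from the original answer: it assumes the capture was taken as text with `tcpdump -n port 53` on the box or the router, and the capture lines embedded below are constructed for illustration, not a real recording. Query names that do not appear in the allowlist are the ones worth explaining before blocking anything.

```sh
#!/bin/sh
# Added example: triage a textual tcpdump DNS capture against the names that
# Solution 2 reports as normal on a clean Ubuntu 14.04 boot.
# Assumption: capture made with `tcpdump -n port 53` (default text output).

# Constructed sample capture (not a real recording), in tcpdump's text format:
# one query line per name, one answer, an AAAA repeat and a retransmitted query.
SAMPLE_CAPTURE=$(cat <<'EOF'
10:01:02.100001 IP 192.168.1.50.40123 > 192.168.1.1.53: 1001+ A? ntp.ubuntu.com. (32)
10:01:02.110002 IP 192.168.1.1.53 > 192.168.1.50.40123: 1001 1/0/0 A 91.189.94.4 (48)
10:01:03.200003 IP 192.168.1.50.40124 > 192.168.1.1.53: 1002+ A? daisy.ubuntu.com. (34)
10:01:04.300004 IP 192.168.1.50.40125 > 192.168.1.1.53: 1003+ A? changelogs.ubuntu.com. (39)
10:01:04.300005 IP 192.168.1.50.40125 > 192.168.1.1.53: 1004+ AAAA? changelogs.ubuntu.com. (39)
10:01:05.400006 IP 192.168.1.50.40126 > 192.168.1.1.53: 1005+ A? barbadine.canonical.com. (41)
10:01:05.400007 IP 192.168.1.50.40126 > 192.168.1.1.53: 1005+ A? barbadine.canonical.com. (41)
EOF
)

# Names Solution 2 observed on a clean boot; anything else gets flagged.
EXPECTED_NAMES="ntp.ubuntu.com daisy.ubuntu.com changelogs.ubuntu.com"

# Print every queried name once. Query lines carry a "<TYPE>?" token followed
# by the name with a trailing dot; answers carry no "?" token and are skipped.
# $1: file holding tcpdump text output.
dns_query_names() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /\?$/) { name = $(i + 1); sub(/\.$/, "", name); print name }
    }' "$1" | sort -u
}

# Print queried names that are not in the allowlist.
# $1: capture file; $2: space-separated allowlist of expected names.
unexpected_query_names() {
    for name in $(dns_query_names "$1"); do
        case " $2 " in
            *" $name "*) ;;          # expected on a clean boot
            *) echo "$name" ;;       # unexplained: investigate before blocking
        esac
    done
}

# Write the constructed sample to a temp file and run the triage on it.
# The file is left in place so the functions can be re-run on it.
CAP=$(mktemp)
printf '%s\n' "$SAMPLE_CAPTURE" > "$CAP"
echo "Queried names:";    dns_query_names "$CAP"
echo "Not in allowlist:"; unexpected_query_names "$CAP" "$EXPECTED_NAMES"
```

To use it on a real capture, replace `$CAP` with the file produced by `tcpdump -n port 53 > boot-dns.txt` and extend the allowlist with names you have already accounted for (a distribution mirror you chose, your router's NTP server). Names only show what resolved, not what was sent; pair the flagged names with the packet contents in Wireshark before deciding whether a connection is benign.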

Solution 3:

Go to System Settings; there should be a Security & Privacy option. Tap on it and turn privacy mode on. That should solve your query. For your first question: yes, it does send information to Canonical, but if you turn privacy on that should do the trick, no more sending data. They mostly do it to see what type of software you use.

Solution 4:

Leaving the Linux kernel aside and concentrating on the Canonical side, answering your questions in order:

  1. Your clean, fresh install of Ubuntu is indeed "phoning home" to Canonical (the company behind Ubuntu), to multiple servers (e.g. canonical.com, ubuntu.com, ...) for a variety of reasons, without user interaction, on start-up and on shut down to accomplish the following:

    • Time server updates
    • Software updates
    • Crash reports
    • ...

    Additionally, with user interaction, it is also "phoning home" for software installation purposes (the software centre), on-line searches (which you've disabled), ...

    Why and what is going on?

    As this is all open source, you can verify it for yourself on http://archive.ubuntu.com/ubuntu/ or, for specific packages, by downloading the source code and seeing for yourself what exactly is going on, but answering this in detail would require a bit more text than is appropriate for a Q&A site.

    Note that Canonical is only collecting anonymous data to guide their packaging and development efforts (Canonical is more a packager than a developer), so Ubuntu is not "phoning home" in the malicious sense of the word, as Canonical went to great lengths to ask your permission prior to sending personally identifiable information (e.g. it will ask you, the user, whether your system is allowed to send your network config with MAC addresses or your fstab with blkids when a crash occurs and Canonical needs the information for filing bug reports).

  2. There are various ways of stopping this, but the easiest way of doing so would be to add canonical.com and ubuntu.com to your local hosts file and point them to the loopback address.

    Would I do this?

    No! Ubuntu is the most common variety of Linux out there, and a ton of security researchers and buffs use it as their primary OS, so any malicious connections would be outed within a few minutes of Canonical deploying them, for the entire planet to see, and gladly used by some large company in Redmond, WA as propaganda to use their proprietary OS...
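The hosts-file approach from the answer above has one catch worth seeing in practice: /etc/hosts matches exact names only, with no wildcard or suffix matching, so an entry for canonical.com does nothing for barbadine.canonical.com; every name from the question has to be listed individually. The following is an added example, not code from the original answer: it pins the four hostnames the asker observed to 127.0.0.1 in an /etc/hosts-style file, idempotently, and can undo only the lines it added. It runs against a temporary copy; pointing it at the real /etc/hosts is the reader's decision and needs root and a backup.

```sh
#!/bin/sh
# Added example: pin specific hostnames to loopback in an /etc/hosts-style file.
# Caveat: /etc/hosts has no wildcards, so each name must be listed explicitly.
# Demonstrated on a temporary file; use sudo and keep a backup for /etc/hosts.

# Hostnames the asker saw the machine contact (from the question's UPDATE).
BLOCKED_NAMES="barbadine.canonical.com mulberry.canonical.com golem.canonical.com juniperberry.canonical.com"

# True if a non-comment line in the file lists exactly this hostname.
# $1: hosts file; $2: hostname.
host_is_pinned() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$1"
}

# Append "127.0.0.1 <name>" for every name not already present (idempotent).
# $1: hosts file; remaining arguments: hostnames.
block_hosts() {
    hosts_file=$1; shift
    for name in "$@"; do
        if ! host_is_pinned "$hosts_file" "$name"; then
            printf '127.0.0.1\t%s\n' "$name" >> "$hosts_file"
        fi
    done
}

# Remove only the lines this script would have written (127.0.0.1 plus one
# managed name); hand-written entries and comments are left untouched.
# The rewrite goes through `cat >` so the original file's inode and
# permissions are preserved, which matters for /etc/hosts.
unblock_hosts() {
    hosts_file=$1; shift
    tmp=$(mktemp)
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        !/^[[:space:]]*#/ && NF == 2 && $1 == "127.0.0.1" && ($2 in drop) { next }
        { print }' "$hosts_file" > "$tmp" && cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Demo on a constructed hosts file, never on the real /etc/hosts.
DEMO=$(mktemp)
printf '127.0.0.1\tlocalhost\n127.0.1.1\tmybox\n' > "$DEMO"
block_hosts "$DEMO" $BLOCKED_NAMES
block_hosts "$DEMO" $BLOCKED_NAMES   # second run adds nothing
cat "$DEMO"
```

To apply it to the live system, run `sudo sh` and call `block_hosts /etc/hosts $BLOCKED_NAMES` after copying the file aside. Anything that resolves the listed names through the local resolver will now get 127.0.0.1, including apt if you ever add an archive host to the list, so keep the list to names you have actually identified, and remember that a program with a hard-coded IP address bypasses the hosts file entirely; only a firewall catches that.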