Little Snitch Comes To Linux To Expose What Your Software Is Really Doing

BrianFagioli writes: Little Snitch, the well known macOS tool that shows which applications are connecting to the internet, is now being developed for Linux. The developer says the project started after experimenting with Linux and realizing how strange it felt not knowing what connections the system was making. Existing tools like OpenSnitch and various command line utilities exist, but none provided the same simple experience of seeing which process is connecting where and blocking it with a click. The Linux version uses eBPF for kernel level traffic interception, with core components written in Rust and a web based interface that can even monitor remote Linux servers.

During testing on Ubuntu, the developer noticed the system was relatively quiet on the network. Over the course of a week, only nine system processes made internet connections. By comparison, macOS reportedly showed more than one hundred processes communicating externally. Applications behave similarly across platforms though. Launching Firefox immediately triggered telemetry and advertising related connections, while LibreOffice made no network connections at all during testing. The early release is meant primarily as a transparency tool to show what software is doing on the network rather than a hardened security firewall.

lsof -i ?

[Fly Swatter]

I guess this will be logging that type of data, so another data logger.

Re:lsof -i ?

[nightflameauto]

I guess this will be logging that type of data, so another data logger.

Combined with entries for whichever of the various firewall tools you may be using for the "one click to block" part. People like their visual tools. I'd prefer the command line myself, but I won't complain too much about somebody coming to Linux and creating their own utility right off the bat. Seems very in the right frame of mind at least.

Re:

[Anonymous Coward]

lsof -i won't catch short-lived connections the way eBPF will

Re:lsof -i ?

[tlhIngan]

I guess this will be logging that type of data, so another data logger.

Little Snitch is not a data logger. It's a real time connection monitor.

Let's say you're using an app, and it decides to make a random connection to some server. Little Snitch will immediately pop up a dialog asking what you want it to do - let the connection through, block the connection, and if you want to allow it always, block it always, etc.

The fact it's immediate generally is for tracking purposes - the event happened because you clicked a button or started an app. A logger just makes an entry in the log, and it's really hard to correlate that log with user activity. Maybe you were running Audacity, and when you start it up, it makes a connection to the owner's server completely out of the blue. Maybe it's checking for an update. Maybe it's trying to upload your data to its servers. What you learn is that it happened when it was launching. With a data logger, you just get notified of it but have no way to figure out what you were doing at the time of the log entry.

In this day and age of telemetry and such, having it show up immediately when an app tries to make the connection is far more useful than having to do rules of allow and deny lists and having no clue what's causing it. Knowing it was a specific app uploading all your personal information means you can choose to switch to something better, block the upload so you can continue to use the app, or some other thing.

isolated sandbox by default?

[will4]

Given the constant Sev 1 exploits published on a weekly basis, why aren't applications and third party system services, isolated by default so that they have limited access to the filesystem, internet connections, system tables, ....?

Re:

[codebase7]

Because PCs have a different workload requirement and expectations of those using them.

If you require hand holding because you have no idea how the thing works and have no desire to learn, go use a device that has those protections in place by default.

If you need to run a workload that's incompatible with those protections, then either rewrite / redesign and then rewrite the workload to be compliant (hard / expensive), or use a device that doesn't have those protections and take appropriate precautions

isolated services

[will4]

Exhibit A: Windows Subsystem for Linux (API intercept and thunk layer)
Exhibit B: Windows machine support for hypervisor

Microsoft can require software vendors to restructure their applications to work in a sandbox and require those applications to not force an OS level system service used just to update the desktop application.

It'd take a decade to get there (isolated binary folder, isolated data file folder, isolated registry, isolated firewall entries, ...) but progress towards that can be made.

I'd expect

Is there a windows version

[karlandtanya]

Or would that just be a firehose?
Who watches the watchers?

Re:Is there a windows version

[drinkypoo]

You can't trust the Windows kernel, so you need a component external to the system as well.

Re:

[zlives]

so you can't trust windows...

Re: Is there a windows version

[toutankh]

Just like in Russia

Re:

[codebase7]

Which one? Secure Boot in UEFI? Linux as a hypervisor? Or the Secured Core running with TPM validation? (Except at the first IPL instructions....)

Re:

[drinkypoo]

Running Windows in a virtual machine under linux with an emulated TPM is one reasonable way to keep it relatively under control, I guess. But the graphics drivers are, shall we say, low on features.

Re:Is there a windows version

[SumDog]

I've used "Windows Firewall Control" for years; have an actual license that worked on Win8 and 10 without needing an upgrade. It's not as good as Little Snitch as it will block the connection, not hold it. You then have to select the enable/disable and it adds the rule to the built-in Windows firewall and run the application again. (Little Snitch won't drop the connection, just block the calling process. After you select what to do, the network connection continues as normal).

Re:

[ArchieBunker]

I used to use this https://learn.microsoft.com/en... [microsoft.com]

ZoneAlarm

[JBMcB]

ZoneAlarm used to be the go-to for this. Kinda like the NoScript browser extension for internet connections. Everything is blocked until you explicitly allow it. It used to be pretty comprehensive, but I don't know how much of the network it can control, as I know Microsoft has been disallowing easy network control access to 3rd parties since Windows 10.

Re: ZoneAlarm

[snookiex]

+1 Informative. I used it extensively in the early 00's, and it was awesome. Now it seems Checkpoint bought it and turned it into a bloated antivirus suite with AI stuck everywhere.

Re:

[jjhall]

I used a product back in the Win95/98 days, maybe called @Guard, which if I remember right was purchased and got rebranded and updated to ZoneAlarm. Either that or @Guard was discontinued and ZoneAlarm happened to be the competing product at the time. I just remember being disappointed because the former was a lot better than the latter. ZoneAlarm was decent, but I remember not really caring for it all that much.

Wireshark - ?

[evil_aaronm]

Isn't this what Wireshark is for? Or at least one of its many purposes?

Re:

[The-Ixian]

Can you use Wireshark to block the specific traffic?

Re:Wireshark - ?

[SumDog]

LittleSnitch (and I guess open snitch?) show you whenever a process attempts to make an outbound connection and lets you define a rule about if you want to allow it. It's not just a monitor, it actively forces you to approve or deny every program's connection to the Internet the first time you run it.

Re:

[Koyaanisqatsi]

Interesting, GRC (Steve Gibson, IIRC) used to have something like that for Windows way back when.

It was nice to be able to keep tabs on what apps were doing, but of course, it was a different era, one where you ran "programs" and they were mostly self-contained and offline.

Nowadays you run a stripped-down web browser and everything you do is backed by some remote API or another.

Re:

[evil_aaronm]

Ok, this sounds pretty cool, and the easy-filtering makes it way more useful.

Re:

[echo123]

Isn't this what Wireshark is for? Or at least one of its many purposes?

Or a hostlist. Where's that hostlist person on the slashdots when you need them?

Re:

[Pascoea]

Oh god, you're talking about the hosts-file guy? I forgot about them.

Re:

[zlives]

oh so iwas not the only one thinking that route :)

Re:

[unrtst]

Isn't this what Wireshark is for? Or at least one of its many purposes?

Or a hostlist. Where's that hostlist person on the slashdots when you need them?

A hosts file can't differentiate between traffic from process A going to destination A and traffic from process B going to destination A, but things like Little Snitch can. IE: you could allow Pine to reach your mail server while blocking Mutt from reaching the same mail server.

Re:

[IWantMoreSpamPlease]

The original APK guy finally got banned (and his IP range blacklisted) many years ago, which is kind of sad because he had the right idea(s) just went about advertising it the wrong way

Re:

[echo123]

What exactly does Littlesnitch accomplish that pihole or piVPN does not accomplish? The latter are free, open-source code.

Re:

[Pascoea]

Isn't this what Wireshark is for?

To be fair, the answer for me would be "yeah, but."

I've used Wireshark a couple of times for various tasks. I, personally, found it incredibly useful but the learning curve to be fairly steep. The sheer amount of data generated is overwhelming, especially if the only question I care about is "what is talking to who". I don't care what they are talking about, I just want to know who.

The short version: Sometimes a simpler specific tool is better. I know I could answer that question with wireshark, but th

Re:

[zlives]

maybe you are thinking of hostfiles... haven't seen that dude in a while

Re:

[Moridineas]

It's really nice software. You don't just get a visualization of current connections, you can get popup of new notifications AND the option to set up incoming/outgoing rules. Something like "Firefox is attempting to access slashdot.org port 443:

Allow Once
Allow Firefox to connect to slashdot.org port 443 any time
Allow Firefox to connect to any server port 443 any time
Allow Firefox to connect to any server, any port any time
Deny Firefox all connections

When I got my first Mac laptop, around 2004, Little Snitch

Eww

[liqu1d]

Just seems like an ad pretending to be a story. There's already ways of finding this out.

Re:

[The-Ixian]

Yeah, but that's basically every news story.

There is an entire ice berg worth of decision making and financial incentives behind every story.

Re:

[noshellswill]

Ways exist, but not as clean-cut/easy as this ZONE-ALARM work-alike. Long overdue for Linux systems.

Re:

[ack154]

Just seems like an ad pretending to be a story. There's already ways of finding this out.

This guy submits all of his own stories just spamming his own website and they keep getting posted. So it may not directly be an ad for this Little Snitch, but it's definitely "nerds.xyz" spam.

Used to use Norton for this

[AndrewZX]

In the dial up era Norton utilities would track and optionally block apps connecting to the internet. This was for Windows.

Re:

[ard]

Zone Alarm was another similar software.

Awesome!

[jenningsthecat]

I'm looking forward to using this. The subject wasn't even on my radar - to my eternal shame - but now that it is I'm happy about the opportunit to lock down my laptop.

Re:Awesome!

[Dixie_Flatline]

In the Mac space, a lot of malware just gives up if it detects Little Snitch is running. It's a really effective tool, and honestly, the cost is so minimal compared to the value. I've been running it for years, and I appreciate how much junk traffic I can block.

Re: Awesome!

[in70x]

Install bandwhich. Itâ(TM)s not a firewall but gives valuable insights into what process is connecting to who and how much data itâ(TM)s sending and receiving . Kind of like a TUI lsof on crackâ¦.

Re:

[Teun]

DuckDuckGo on Android can/is blocking tracking by apps via a local VPN.
It is a quiet process, only the number of blocked attempt per app is shown.
I hope this is a nice option for Linux.

Seems an idea worth a punt

[RockDoctor]

I like to keep an eye on my network exposure.

What process locks which file

[sourcerror]

On the same note, it would be nice to have a tool (preferably integrated into explorer and the task manager) on Windows that tells you which process locked a given file and vica versa.

Re:

[sourcerror]

Look things up a bit: Power Toys/Locksmith can do this but this should be a built-in feature not some addon.

Re:

[pjt33]

Process Explorer [microsoft.com]. Not quite as integrated as you'd like, but it lets you search for any handle, including part of a filename, to see which process(es) are holding it.

Re: What does this bring to the table?

[greytree]

What does it bring ? Profit, for them, from Closed Source code.

Although how you can actually write an app like this in a Clean Room with no open source contamination ...

Re:

[ard]

It brings user friendliness.

And you are missing the main feature, which is pre-approval of connections rather than "see which processes are opening which sockets" - then it's already too late to stop data exfiltration.

Yes, you can do this with iptables, mitm-cli tools, or opensnitch, but obviously there is a need/market for more user friendly interface.

man lsof -or- appropos list open connections

[angel'o'sphere]

Unix (that includes Linux and obviously Macs) have a command called "lsof".
"ls" is short for list and "of" is for "open files. List open files.

A port is considered a file, and depending how the device tree mapping to names works, they are also in the device tree.

The output might be overwhelming, but if you only want to see open ports and do not care about extra firewall features and user interaction, then lsof might be enough, especially considering the many command line options.

Re:

[Moridineas]

It's really not the same thing. See my other post https://linux.slashdot.org/comments.pl?sid=23961458&cid=66085502 [slashdot.org]

I don't know how it will work with all the different firewalling options, etc., with Linux, but that's what makes it special for macOS (which comes with lsof, tcpdump, etc.)

Re:

[unrtst]

lsof is point in time, not monitoring.

Let's say you keep seeing an intrusion attempt on your NAS from your laptop. You run lsof on your laptop, but don't see anything connecting to the NAS. You can keep running it every 10 seconds and never see it, while something could be making very short lived connection attempts that you're missing.

Personally, for something like that, I just add some firewall rules to log only and watch the counts on them or check the log records. But that's also after the fact, and req

Re:

[angel'o'sphere]

Good points.

Any idea how LittleSnitch works? I would assume via DTrace?

Re:

[unrtst]

Good points.

Any idea how LittleSnitch works? I would assume via DTrace?

From TFS:
"The Linux version uses eBPF for kernel level traffic interception, with core components written in Rust and a web based interface that can even monitor remote Linux servers."

Re:

[higuita]

think this as wireshark and lsof/netstat/ss had a child

it sniff network traffic via the kernel, show what connections open and close and log them per PID ... finally, show that in a nice web interface

So wireshark without dumping ALL the traffic payload, that can identify to what PID it belongs and all in real time, something lsof/netstat/ss can only show in THAT exact moment, not during time (so fail to detect short live requests)

Need one for iOS too.

[antdude]

iOS doesn't have an option to block wifi connections for apps. Only cellular. :(

Application Firewall

[ledow]

Okay, so...

Back in the day, on Windows... 98 through to about 7? I used to use ZoneAlarm on my Windows machines.

Was that because we didn't have a network firewall at home? No. We did. In fact, I used to do quite a bit with Freesco (a single-floppy Linux router distro, designed to replace Cisco routers with commodity PCs). Our networking was DAMN good for a home network.

But I liked to use it because it would POP UP and tell you something was using the Internet. What port. To what domain/IP. That it w

systemd-resolved

[djgl]

What about services that access the internet on behalf of other applications? If you use systemd-resolved, like many modern distributions, all applications will connect to the local service to perform DNS lookups. On older systems you might find nscd doing the same, although the reason and method are different.

To which process does Little Snitch map these requests?

Little Snitch is pretty good.

[Qbertino]

As far as userland software firewalls go, Little Snitch is pretty awesome. It has a very neat approachable shiny clicky UI and comes with a ton of useful and very easily accessible features. It's often used by mac users to prevent software from phoning home, but it has a slew of other tracking and logging features. To be honest, I wouldn't mind dropping a few bucks for this sort of thing, even if Linux is likely to have some tool that works in a similar fashion but requires CLI skills and lacks a neat UI. A