Where can I find the logs for these connections, e.g., who initialized the connections and how they are allowed/authorized (if this is the right word)?
There isn't really a general answer to this question.
Logging of this sort of information is up to specific applications (e.g., for a web server you would probably have some sort of access log, while something like ssh will by default log to the system log).
Is this a sign of network attack?
There's not enough information here to make that determination. Consider running sudo netstat -tnp (the -p will show the process associated with each connection; the sudo is necessary in order to see processes that aren't owned by your current user).
If you have questions about the output of this command, update your question to include the output.
If this indicates any possible insecurity, what should I do?
The general response to a compromise is (a) determine what permitted the ingress, then (b) erase and reinstall the system and (c) ensure the new configuration does not permit the same method of access.
But as I said earlier, at this point there's not enough information to figure out if this is something to worry about or not.