Earlier today, 7 tcpd processes on my server were running at 100% CPU for a long time. After looking at syslog, I found many lines like the following:
tcpd[11447]: connect from unknown (unknown)
There is a larger excerpt at the end of this question. By digging through the system logs, I eventually found several IP addresses I did not recognise. I added them to the hosts.deny file and killed the tcpd processes manually.
I have just found another connection from a new IP address, which I also killed.
Is this a denial-of-service attack? If so, what should I do?
Note: this server runs 12.04 LTS with the latest security updates applied. Since I originally posted this question, I have installed some firewall rules using ufw. I only allow ssh connections and the connections needed for off-site backups. So far I have not seen any more of the tcp connections described above.
Here is a larger excerpt from my system log:
Feb 18 03:45:12 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:12 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:12 odie rsyslogd-2177: imuxsock begins to drop messages from pid 11447 due to rate-limiting
Feb 18 03:45:18 odie rsyslogd-2177: imuxsock lost 6671 messages from pid 11447 due to rate-limiting
Feb 18 03:45:18 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:18 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:18 odie rsyslogd-2177: imuxsock begins to drop messages from pid 11447 due to rate-limiting
Feb 18 03:45:20 odie console-kit-daemon[1928]: WARNING: Failed to add monitor on '/dev/pts/4': No space left on device
Feb 18 03:45:24 odie rsyslogd-2177: imuxsock lost 6785 messages from pid 11447 due to rate-limiting
Feb 18 03:45:24 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:24 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:24 odie rsyslogd-2177: imuxsock begins to drop messages from pid 11447 due to rate-limiting
Feb 18 03:45:30 odie rsyslogd-2177: imuxsock lost 6810 messages from pid 11447 due to rate-limiting
Feb 18 03:45:30 odie tcpd[11447]: connect from unknown (unknown)
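Added example, not code from the question or any answer: a small Python parser run over a constructed sample modelled on the excerpt above. It totals tcpd connect attempts per process, counting the lines rsyslog folded into "last message repeated N times" and the lines it dropped under rate-limiting, so the real attempt count is not hidden by the handful of lines actually written. The 1000-attempt threshold and the extra sshd line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpt in the question (not the poster's full log).
SAMPLE_SYSLOG = """\
Feb 18 03:45:12 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:12 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:12 odie rsyslogd-2177: imuxsock begins to drop messages from pid 11447 due to rate-limiting
Feb 18 03:45:18 odie rsyslogd-2177: imuxsock lost 6671 messages from pid 11447 due to rate-limiting
Feb 18 03:45:18 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:18 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:24 odie rsyslogd-2177: imuxsock lost 6785 messages from pid 11447 due to rate-limiting
Feb 18 03:45:24 odie tcpd[11447]: connect from unknown (unknown)
Feb 18 03:45:24 tcpd[11447]: last message repeated 199 times
Feb 18 03:45:30 odie sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
"""

CONNECT_RE = re.compile(r"tcpd\[(\d+)\]: connect from (\S+)")
REPEAT_RE = re.compile(r"tcpd\[(\d+)\]: last message repeated (\d+) times")
LOST_RE = re.compile(r"imuxsock lost (\d+) messages from pid (\d+)")


def tcpd_connect_stats(text):
    """Per tcpd pid: connect lines actually written, lines folded into
    'last message repeated N times', lines rsyslog dropped, and sources seen."""
    stats = defaultdict(lambda: {"logged": 0, "repeated": 0, "lost": 0, "sources": set()})
    for line in text.splitlines():
        if m := CONNECT_RE.search(line):
            pid, src = m.groups()
            stats[pid]["logged"] += 1
            stats[pid]["sources"].add(src)  # 'unknown' here is the literal source tcpd logged
        elif m := REPEAT_RE.search(line):
            pid, n = m.groups()
            stats[pid]["repeated"] += int(n)
        elif m := LOST_RE.search(line):
            n, pid = m.groups()
            stats[pid]["lost"] += int(n)
    return dict(stats)


def estimated_connects(stats, pid):
    """Lower-bound estimate of connection attempts one tcpd pid handled.
    Assumption: every message rsyslog dropped for this pid was another connect line."""
    s = stats[pid]
    return s["logged"] + s["repeated"] + s["lost"]


def flooding_pids(stats, threshold=1000):
    """Pids whose estimated connect count exceeds the threshold (constructed value)."""
    return sorted(p for p in stats if estimated_connects(stats, p) > threshold)
```

On the sample, pid 11447 shows only 3 written connect lines but an estimated 14056 attempts in 12 seconds, which is the kind of gap worth checking before deciding the traffic is a flood.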