我的服务器运行的是 Fedora Core 13。有一天我发现有很多异常流量试图与外部主机发起 TCP 连接。我尝试删除默认路由和 DNS 服务器配置，但流量并没有停止，而是变成了从 localhost 到 localhost 的连接。以下是我收集的一些数据：
[root@svr /]# tshark -pni lo | grep '22 \[SYN' | head
Running as user "root" and group "root". This could be dangerous.
Capturing on lo
0.000226 127.0.0.1 -> 127.0.0.1 TCP 38805 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307237 TSER=0 WS=6
0.004381 127.0.0.1 -> 127.0.0.1 TCP 38806 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307241 TSER=0 WS=6
0.009740 127.0.0.1 -> 127.0.0.1 TCP 38811 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307246 TSER=0 WS=6
0.014950 127.0.0.1 -> 127.0.0.1 TCP 38812 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307252 TSER=0 WS=6
0.018930 127.0.0.1 -> 127.0.0.1 TCP 38817 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307256 TSER=0 WS=6
0.022737 127.0.0.1 -> 127.0.0.1 TCP 38818 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307259 TSER=0 WS=6
0.026949 127.0.0.1 -> 127.0.0.1 TCP 38823 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307264 TSER=0 WS=6
0.030749 127.0.0.1 -> 127.0.0.1 TCP 38824 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307267 TSER=0 WS=6
0.034732 127.0.0.1 -> 127.0.0.1 TCP 38829 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307271 TSER=0 WS=6
0.038591 127.0.0.1 -> 127.0.0.1 TCP 38830 > 22 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=141307275 TSER=0 WS=6
[root@svr /]#
[root@svr /]# lsof -n -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1821 root 3u IPv4 11689 0t0 TCP *:ssh (LISTEN)
sshd 1821 root 4u IPv6 11693 0t0 TCP *:ssh (LISTEN)
ssh 2401 root 4u IPv4 1010098785 0t0 TCP 172.17.2.128:56650->172.17.5.1:ssh (ESTABLISHED)
sshd 7126 root 3u IPv4 998744449 0t0 TCP 10.10.91.220:ssh->10.10.91.250:46490 (ESTABLISHED)
[root@svr /]#
[root@svr /]# netstat -anpt | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1821/sshd
tcp 0 0 127.0.0.1:48011 127.0.0.1:22 ESTABLISHED -
tcp 300 0 127.0.0.1:22 127.0.0.1:48011 ESTABLISHED -
tcp 0 0 10.10.91.220:22 10.10.91.250:46490 ESTABLISHED 7126/3
tcp 0 0 172.17.2.128:56650 172.17.5.1:22 ESTABLISHED 2401/ssh
tcp 0 0 :::22 :::* LISTEN 1821/sshd
所以我的问题是：如何找出是哪个进程在大量发起（flood）这些 TCP 连接？
短暂性失眠!
答案1
一个非常相似的问题已在这里得到解答。简而言之——要捕获到 SYN 状态，您需要以某种方式阻止连接离开该状态（即阻止握手继续完成），这样 netstat 才能把处于 SYN_SENT 的套接字与其进程对应起来。对于您的情况，可以执行类似下面的操作：
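# Make the loopback SYNs to port 22 stall in SYN_SENT long enough for
# `netstat -p` to attribute the client sockets to their owning PID.
# Must be run as root. The wait length is overridable via WAIT_SECS.
wait_secs=${WAIT_SECS:-5}

# Rule spec kept in one array so the same words are used to insert and
# delete it. `--port` is not a tcp-match option; the destination port
# of the flooding SYNs is matched with `--dport`.
rule=(OUTPUT -o lo -p tcp -m tcp --dport 22 -d 127.0.0.1 --syn -j DROP)

# Block the state transition: dropped SYNs never get a SYN/ACK, so the
# client socket sits in SYN_SENT instead of completing the handshake.
iptables -I "${rule[@]}"

# Remove the rule by spec rather than by index: `-D OUTPUT 1` would delete
# whatever happens to be first, and the EXIT trap also unblocks loopback
# ssh if the sleep or netstat step is interrupted.
trap 'iptables -D "${rule[@]}"' EXIT

sleep "$wait_secs"

# SYN_SENT sockets still belong to the connecting process, so the PID
# column is populated for the flooding connections.
netstat -anpt | grep ':22'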