Many UFW BLOCKs from numerous ports and IP addresses


My syslog is full of a large number of attacks of a certain type from multiple sources. I looked through all the other references in the search function, but none of them involve TCP and come from numerous sources.

Feb 16 02:44:47 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52988 DPT=8140 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=74.207.237.114 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=35553 PROTO=TCP SPT=51489 DPT=8009 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=124.160.154.8 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=12117 DF PROTO=TCP SPT=51479 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 16 02:44:53 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=192.241.229.19 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=52160 DPT=5357 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:45:06 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=132.232.100.64 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=63737 DF PROTO=TCP SPT=41758 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
Feb 16 02:45:46 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=205.210.31.164 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=24095 PROTO=TCP SPT=53070 DPT=1026 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb 16 02:46:05 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=167.248.133.169 DST=149.28.234.41 LEN=30 TOS=0x00 PREC=0x00 TTL=41 ID=3609 PROTO=UDP SPT=65397 DPT=5632 LEN=10 
Feb 16 02:46:08 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=183.136.225.32 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=107 ID=0 PROTO=TCP SPT=10183 DPT=50777 WINDOW=29200 RES=0x00 SYN URGP=0 
Feb 16 02:46:11 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=183.136.225.42 DST=149.28.234.41 LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=18631 PROTO=UDP SPT=62177 DPT=520 LEN=32 
Feb 16 02:46:18 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=71.6.233.243 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=2086 DPT=2086 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:46:24 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=103.161.173.176 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=11607 PROTO=TCP SPT=45846 DPT=5060 WINDOW=1024 RES=0x00 SYN URGP=0 

They look harmless, or at least benign, but I still want to solve this problem.

Is there any way to stop attacks from so many sources? Each time it is a new IP and port.

Can ufw be used to identify packet signatures and then drop them? Deep packet inspection, or at least reading the headers?

Apart from doing nothing, what is the best way to address these?

Update:

Firewall rules.

~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-N f2b-ufw
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -j f2b-ufw
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -s 218.92.0.52/32 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
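In the ruleset above the `[UFW BLOCK]` lines come from the `-j LOG` rules (rate-limited to 3/min with a burst of 10) that fire just before a packet falls through to the `-P INPUT DROP` policy, so every logged packet was already dropped; what the log shows is how many distinct sources probe how many ports. The parser below is an added example, not part of the question or of ufw: it reads lines in exactly this format and groups them by source, flagging any source that touched several ports. The first four sample lines are copied from the question; the last two are constructed (same source, extra ports) to exercise the grouping.

```python
import re
from collections import Counter, defaultdict

# Sample input: first four lines are the question's own [UFW BLOCK] entries,
# the last two are constructed to show one source probing several ports.
SAMPLE_LOG = """\
Feb 16 02:44:47 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52988 DPT=8140 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=124.160.154.8 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=12117 DF PROTO=TCP SPT=51479 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Feb 16 02:46:05 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=167.248.133.169 DST=149.28.234.41 LEN=30 TOS=0x00 PREC=0x00 TTL=41 ID=3609 PROTO=UDP SPT=65397 DPT=5632 LEN=10
Feb 16 02:46:18 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=71.6.233.243 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=2086 DPT=2086 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:47:01 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52990 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:47:03 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52991 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
"""

BLOCK_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[UFW BLOCK\] (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return a dict for one [UFW BLOCK] syslog line, or None if the line is not one."""
    m = BLOCK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))  # repeated keys (LEN on UDP lines) keep the last value
    flags = {tok for tok in rest.split() if "=" not in tok}  # bare tokens: DF, SYN, ACK ...
    return {
        "ts": m.group("ts"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn_only": "SYN" in flags and "ACK" not in flags,  # a bare connection attempt
    }


def summarize(lines, scan_threshold=3):
    """Group blocked packets by source; list sources that hit >= scan_threshold distinct ports."""
    events = [e for e in map(parse_ufw_block, lines) if e]
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add((e["proto"], e["dpt"]))
    return {
        "total": len(events),
        "unique_sources": len(by_src),
        "top_ports": Counter((e["proto"], e["dpt"]) for e in events).most_common(3),
        "multi_port_sources": sorted(s for s, ports in by_src.items() if len(ports) >= scan_threshold),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against `/var/log/syslog` or `journalctl -k` output to see whether the noise is one-packet-per-source background scanning (many unique sources, no repeats) or a few sources walking your port range, which is the case worth acting on.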
