About a month ago, one of my servers started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. The IDS is a ClearOS gateway, which ships with Snort and SnortSam. I enabled it along with all the categories. Among them is the "network scan" category, which means it should detect port scans and the like.
A total of 4 ports are open, two of which are forwarded to the server I mentioned. These ports are 3724 and 8085, so they are not easy to spot in a port scan.
However, after checking some of that server's logs, I found that the attacks were resuming. I found
...
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
Accepting connection from '97.88.139.39'
[Auth] got unknown packet from '97.88.139.39'
Accepting connection from '173.35.62.112'
[Auth] got unknown packet from '173.35.62.112'
Accepting connection from '187.15.10.73'
[Auth] got unknown packet from '187.15.10.73'
Accepting connection from '66.66.94.124'
[Auth] got unknown packet from '66.66.94.124'
Accepting connection from '75.159.219.124'
[Auth] got unknown packet from '75.159.219.124'
Accepting connection from '99.102.100.82'
[Auth] got unknown packet from '99.102.100.82'
Accepting connection from '24.128.240.45'
[Auth] got unknown packet from '24.128.240.45'
Accepting connection from '99.231.7.39'
[Auth] got unknown packet from '99.231.7.39'
Accepting connection from '206.255.79.56'
[Auth] got unknown packet from '206.255.79.56'
Accepting connection from '68.97.106.235'
[Auth] got unknown packet from '68.97.106.235'
Accepting connection from '69.134.67.251'
[Auth] got unknown packet from '69.134.67.251'
Accepting connection from '63.228.138.186'
[Auth] got unknown packet from '63.228.138.186'
Accepting connection from '184.39.146.193'
[Auth] got unknown packet from '184.39.146.193'
Accepting connection from '69.171.161.102'
[Auth] got unknown packet from '69.171.161.102'
Accepting connection from '76.0.47.228'
[Auth] got unknown packet from '76.0.47.228'
Ping MySQL to keep connection alive
Accepting connection from '126.112.201.14'
[Auth] got unknown packet from '126.112.201.14'
Ping MySQL to keep connection alive
Now I'm scared. Why didn't Snort detect this? How did they find this particular port?
More importantly, what do these packets usually contain? Should I be worried about this? How do I stop it?
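The log excerpt above has a simple structure: an "Accepting connection" line followed by an "[Auth] got unknown packet" line, one per source, with almost every source appearing only once. That is the shape of distributed probing, which per-source thresholds (such as a port-scan preprocessor) do not fit well. Added example, not from the question or from ClearOS/Snort: a small Python parser that aggregates the log by source IP, flags sources whose every accepted connection ended in an unknown packet, and reports how much of the traffic is single-attempt. The sample lines are constructed in the same format as the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the same format as the server log quoted in the question.
SAMPLE_LOG = """\
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
"""

ACCEPT_RE = re.compile(r"^Accepting connection from '([\d.]+)'$")
UNKNOWN_RE = re.compile(r"^\[Auth\] got unknown packet from '([\d.]+)'$")


def summarize(log_text):
    """Per-IP counts of accepted connections and of unknown auth packets."""
    accepted = Counter()
    unknown = Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            accepted[m.group(1)] += 1
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            unknown[m.group(1)] += 1
    return accepted, unknown


def suspicious_sources(log_text, min_unknown=1):
    """IPs that never completed a valid auth exchange: every accepted
    connection produced an unknown packet. Most frequent first."""
    accepted, unknown = summarize(log_text)
    flagged = [ip for ip in unknown
               if unknown[ip] >= min_unknown and unknown[ip] >= accepted[ip]]
    return sorted(flagged, key=lambda ip: (-unknown[ip], ip))


def single_attempt_fraction(log_text):
    """Share of offending IPs seen exactly once; near 1.0 means the probing
    is spread across many sources and per-source thresholds will not fire."""
    _, unknown = summarize(log_text)
    if not unknown:
        return 0.0
    return sum(1 for c in unknown.values() if c == 1) / len(unknown)
```

The flagged list is what you would feed to a firewall blocklist or use to tune a rule, and the single-attempt fraction tells you whether blocking by source is worth the effort.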
Answer 1
Like most IDSs, Snort is a very complex technology that takes a lot of effort before it starts producing useful results. Tuning takes a lot of time spent analyzing alerts, as well as knowing which services you have exposed, so that you can determine which rule sets need to be enabled and which need to be disabled. Knowing that you are specifically interested in two services really helps narrow down what is useful to you.
Looking at the official SourceFire rules as well as the third-party Emerging Threats rules, the only alerts I found are ones matching World of Warcraft login success and failure. I would start by searching the SourceFire rules site for your services. You could also benefit from reading the sfPortscan preprocessor manual.
Unfortunately, I don't know much about ClearOS and how they package the application's management. However, once you understand the verbose syntax, the snort application is actually fairly easy to understand.