Internet connection slows down while my Ubuntu server is running

I have an Ubuntu 16.04 server running LAMP and phpMyAdmin. I installed git and a crontab to back it up to the cloud automatically. My problem is that while the server is running, I can't use the internet on any other device. The machine is a Dell Optiplex GX620. Any help would be appreciated. I ran iftop and found a sharp increase in TX traffic to the following IP addresses:


I seem to get a new IP address every minute. The IP addresses I checked are from China, but I'm in the US. The only traffic I can think of is Codeanywhere, github/git and No-IP. Is there a way to block traffic from China? My download and upload speeds are both 100 Mbps because my connection is fibre. Also, do you think it is any of the services I listed?

Edit:

root@buntubox-1:~# netstat -nputwa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      972/mysqld      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      896/sshd        
tcp        0      1 192.168.1.99:52398      198.204.254.253:8623    SYN_SENT    1207/sshd       
tcp        0    296 192.168.1.99:22         192.168.1.50:55597      ESTABLISHED 14947/0         
tcp        0      0 192.168.1.99:47616      164.132.4.3:6000        ESTABLISHED 928/bash        
tcp6       0      0 :::80                   :::*                    LISTEN      1198/apache2    
tcp6       0      0 :::22                   :::*                    LISTEN      896/sshd        

...

root@buntubox-1:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Update:

I have reinstalled the OS. Is the following OK?

root@buntubox-001:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_Apache' */

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination  

Answer 1

Edit

Now that you have reinstalled and have a firewall, I suggest you consider the following:

  • Have you ever accessed the server from outside the network it is hosted on? If not: don't forward any ports from your router to the server; it doesn't need to accept inbound connections from the internet.
  • Consider installing ClamAV and configuring it to run nightly.
  • Install RKHunter and configure it to run nightly.
  • Consider installing chkrootkit and having it run nightly.
  • Set up fail2ban to monitor SSH attempts; it can also be used to mitigate MySQL/phpMyAdmin and Apache brute-force attacks. You can skip the basic firewall part of that article, since you've already sorted that out.
  • Consider installing Logwatch and reviewing the logs daily.
  • Install OSSEC. This is the one I recommend most, along with fail2ban and RKHunter. OSSEC can detect intrusions and file changes, and is designed to tell you when and how you've been hacked.
  • Install and run a Lynis audit. It will give you ways to harden security; if you're really paranoid, go through them carefully and tick off as many as you can.
  • Don't allow root login via SSH, and use key authentication.

Hopefully these help. There's a lot more you can do, and there always will be; you can never be completely secure, it's all about making things harder and then mitigating the damage. Backups, copying important logs to another server, not exposing ports you don't need, changing the default umask... and plenty more, but if you're just playing around, the above should be enough. If you want more, Google is your friend; this is a good start, along with this and this.

Original answer:

Ideally you want to know which process the connection is hooked to, and netstat can tell you:

netstat -nputwa

This outputs every connection, TCP/UDP, in/out, and shows the responsible IP and the process it is connected to. If you determine that an IP is connecting to a process it shouldn't/doesn't need to, simply block it at the firewall level.

If you need help deciphering it, post the command's output as an edit to your question.

Edit: you have no firewall.

The following will get you started. Create a new file /etc/iptables.firewall.rules and paste this into it:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Save the file and run iptables-restore < /etc/iptables.firewall.rules

You'll also want to make sure the rules take effect at boot. To do so, create a file /etc/network/if-pre-up.d/firewall and add the following:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Then finally run:

 chmod +x /etc/network/if-pre-up.d/firewall

That will get you started; you'll need to do more research on iptables, particularly the "Allow all outbound traffic - you can modify this to only allow certain traffic" part. I'd recommend locking that down to only allow http and ssh out. There's a script at the bottom of this article with commands explaining how to do that.

Also consider installing Fail2Ban and OSSEC; they are attack mitigation and intrusion detection systems. Things like Logwatch can also help with monitoring, along with daily rootkit scans, and don't open your server to the internet if you don't need to.

If you think you've been hacked, the easiest thing is to back up your files and reinstall the OS, this time setting up your security properly from day one. If you feel lucky, implement the above and block any IPs you consider risky at the firewall level:

iptables -A INPUT -s <ip to block> -j DROP

Note that each time you add a new rule, save the firewall rules so they persist:

iptables-save > /etc/iptables.firewall.rules

Another good idea is to use htop/top to look at the processes running on your system: is there anything suspicious? Try running RootkitHunter and chkrootkit: do they turn up anything? If so, wipe and start again.

Generally, another good idea when you want to secure a server is to run a Lynis audit, which will suggest steps you should take.

Also, you said you were getting a new IP every minute; is that still the case? If so, keep re-running the netstat command and see which process is being used. Check your logs: can you see the incoming requests? If so, what are they doing?

tail -f /var/log/auth.log

tail -f /var/log/syslog

Finally, see the comment under your question about what to do if you've been hacked; whether or not you have been, it's a very worthwhile read.
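As an added example (not part of the original answer), a shell function that narrows `netstat -nputwa` output down to the connections the answer says to look at: it drops listening sockets and peers in loopback or RFC1918 space and prints the foreign address, state and owning PID/program. The sample input is the netstat output from the question plus one constructed UDP row; on the question's own rows only the outbound `sshd` and `bash` connections survive the filter.

```shell
# Added example (not from the original answer): narrow `netstat -nputwa` output
# down to connections with an external peer and show the owning process.
# Assumes the column layout shown in the question:
#   Proto Recv-Q Send-Q Local Foreign [State] PID/Program
# Reads netstat output on stdin, prints "foreign state pid/program" per hit.
flag_external_conns() {
    awk '
    # 1 when the host is loopback or RFC1918 private space, else 0.
    function is_local(h,   o) {
        split(h, o, ".")
        if (o[1] == 127 || o[1] == 10) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        return 0
    }
    $1 ~ /^(tcp|udp)6?$/ {
        # UDP rows normally have no State column, so PID/Program shifts left.
        if (NF >= 7) { state = $6; prog = $7 } else { state = "-"; prog = $6 }
        if (state == "LISTEN") next
        host = $5
        sub(/:[^:]*$/, "", host)          # strip the port, keep the host part
        if (host == "0.0.0.0" || host == "*" || host ~ /^::/) next   # wildcard peers
        if (is_local(host)) next
        printf "%s %s %s\n", $5, state, prog
    }'
}

# Constructed sample: the netstat rows from the question plus one UDP row
# added to exercise the missing-State case.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      972/mysqld
tcp        0      1 192.168.1.99:52398      198.204.254.253:8623    SYN_SENT    1207/sshd
tcp        0    296 192.168.1.99:22         192.168.1.50:55597      ESTABLISHED 14947/0
tcp        0      0 192.168.1.99:47616      164.132.4.3:6000        ESTABLISHED 928/bash
tcp6       0      0 :::80                   :::*                    LISTEN      1198/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1000/dhclient
EOF
}

# Run it: only the two rows with a non-private peer remain.
sample_netstat | flag_external_conns
```

Pipe live output through it with `netstat -nputwa | flag_external_conns` (as root, otherwise the PID/Program column is empty for other users' processes).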

Answer 2

"Is there a way to block traffic from China?"

Yes, for example you can use iptables to blacklist these IP ranges: http://www.nirsoft.net/countryip/cn.html (I just Googled for a China IP block list)
