I have an Ubuntu 16.04 server running LAMP and phpMyAdmin. I installed git and a crontab to back it up to the cloud automatically. My problem is that while the server is running, I cannot use the internet on any other device. The machine is a Dell Optiplex GX620. Any help would be greatly appreciated. I ran iftop and found that TX traffic to the following IP addresses spikes sharply.
I seem to get a new IP address every minute. The IP addresses I checked are from China, but I am in the US. The only traffic I can think of is Codeanywhere, github/git and No-ip. Is there any way to block traffic from China? My download and upload speeds are both 100 Mbps because my connection is fibre. Also, do you think this is any of the services I listed?
Edit:
root@buntubox-1:~# netstat -nputwa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 972/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 896/sshd
tcp 0 1 192.168.1.99:52398 198.204.254.253:8623 SYN_SENT 1207/sshd
tcp 0 296 192.168.1.99:22 192.168.1.50:55597 ESTABLISHED 14947/0
tcp 0 0 192.168.1.99:47616 164.132.4.3:6000 ESTABLISHED 928/bash
tcp6 0 0 :::80 :::* LISTEN 1198/apache2
tcp6 0 0 :::22 :::* LISTEN 896/sshd
...
root@buntubox-1:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Update:
I have reinstalled the operating system. Is the following OK?
root@buntubox-001:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
Answer 1
Edit
Now that you have reinstalled and have a firewall, I suggest you consider the following:
- Have you ever accessed the server from outside the network hosting it? If not: do not forward any ports from the router to the server - it does not need to accept inbound connections from the internet.
- Consider installing ClamAV and configuring it to run nightly.
- Install RKHunter and configure it to run nightly.
- Consider installing chkrootkit and having it run nightly.
- Set up Fail2ban to monitor SSH attempts; it can also be used to mitigate MySQL/phpMyAdmin and Apache brute-force attacks - you can ignore the basic firewall section of that article, since you have now sorted that out.
- Consider installing Logwatch and reviewing the logs daily.
- Install OSSEC - I recommend this one above all, together with fail2ban and RKHunter. OSSEC can detect intrusions and file changes, and is designed to tell you when and how you got hacked.
- Install and run a Lynis audit; this will give you ways to harden security, and if you are really paranoid, go through them carefully and tick off as many as you can.
- Do not allow root login via SSH, and use key authentication.
Hope these help. There is a lot more you can do, and there always will be; you can never be completely secure, it is all about making things harder and then mitigating the damage. Backups, copying important logs to another server, not exposing ports you don't need, changing the default umask... there is much more, but if you are just playing around the above should be enough. If you want more, Google is your friend, and this is a good start. Like this. And this.
Original answer:
Ideally you want to know which process the connection is attached to, and netstat can tell you.
netstat -nputwa
This outputs every connection, TCP/UDP, in/out, and shows the IP responsible and the process it is connected to. If you identify an IP connecting to a process that should not / does not need to be, simply block it at the firewall level.
If you need help deciphering it, post the output of the command as an edit to your question.
Edit: you have no firewall.
The following will get you started. Create a new file /etc/iptables.firewall.rules
and paste this into it:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Save the file and run
iptables-restore < /etc/iptables.firewall.rules
You also need to make sure the rules take effect at boot. To do this, create a file /etc/network/if-pre-up.d/firewall
and add the following:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Then finally run:
chmod +x /etc/network/if-pre-up.d/firewall
This will get you started; you need to do more research on iptables, especially the "Allow all outbound traffic - you can modify this to only allow certain traffic" part - I suggest you lock it down to allow only http and ssh out. There is a script at the bottom of that article whose commands explain how to do this.
Also, consider installing Fail2Ban and OSSEC - they are attack mitigation and intrusion detection systems. Things like Logwatch can also help with monitoring, as can daily rootkit scans and not opening your server up to the internet if it doesn't need to be.
If you think you have been hacked, the easiest route is to back up your files and reinstall the OS - this time setting up your security properly from day one. If you feel lucky, implement the above and block the IPs you think are risky at the firewall level.
iptables -A INPUT -s <ip to block> -j DROP
Note that every time you add a new firewall rule, back up the firewall so that it persists.
iptables-save > /etc/iptables.firewall.rules
Another good idea is to use htop/top to look at the processes running on the system - are there any suspicious ones? Try running RootkitHunter and chkrootkit - do they turn up anything? If so - wipe and start over.
In general, when wanting to secure a server, another good idea is to run a Lynis audit; it will suggest steps for you to take.
Also, you said you get a new IP every minute - is that still the case? If so, keep re-running the netstat command and see which process is being used. Look at your logs; can you see incoming requests? If so, what are they doing?
tail -f /var/log/auth.log
tail -f /var/log/syslog
Finally, see the comment under your question about what to do if you have been hacked; whether you have been hacked or not, it is a very worthwhile read.
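The netstat triage the answer describes, automated as an added example (not code from the original answer): it reads netstat -nputwa output, treats connections to ports this host listens on as expected inbound traffic, and prints only outbound connections made by programs outside an allowlist. The sample output is constructed from the lines in the question, and the allowlist (git, apt, noip2) is an assumption about what this LAMP box legitimately dials out to.

```shell
#!/bin/sh
# Constructed sample modelled on the netstat -nputwa output in the question (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 972/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 896/sshd
tcp 0 1 192.168.1.99:52398 198.204.254.253:8623 SYN_SENT 1207/sshd
tcp 0 296 192.168.1.99:22 192.168.1.50:55597 ESTABLISHED 14947/0
tcp 0 0 192.168.1.99:47616 164.132.4.3:6000 ESTABLISHED 928/bash
tcp 0 0 192.168.1.99:51000 192.0.2.10:443 ESTABLISHED 2001/git
tcp6 0 0 :::80 :::* LISTEN 1198/apache2'

# Assumption: on this LAMP box only these programs legitimately open outbound connections.
ALLOWED_OUTBOUND='git|apt|noip2'

# triage_netstat: read netstat -nputwa output on stdin and print "PID PROGRAM FOREIGN STATE"
# for every SYN_SENT/ESTABLISHED connection that is outbound (its local port is not one this
# host listens on) and whose program is not in ALLOWED_OUTBOUND. An sshd dialling out, or a
# bash holding a socket to a remote host, are exactly the lines worth a closer look.
triage_netstat() {
    awk -v allowed="$ALLOWED_OUTBOUND" '
    $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); listen[a[n]] = 1; next }
    $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") { lines[++c] = $0 }
    END {
        for (i = 1; i <= c; i++) {
            split(lines[i], f, " ")
            n = split(f[4], a, ":")
            if (a[n] in listen) continue        # inbound to a service we run: expected
            split(f[7], p, "/")
            if (p[2] ~ "^(" allowed ")$") continue
            print p[1], p[2], f[5], f[6]
        }
    }'
}

# Stand-alone demo on the constructed sample; on a live host: netstat -nputwa | triage_netstat
printf '%s\n' "$SAMPLE_NETSTAT" | triage_netstat
```

On the sample this reports the sshd SYN_SENT to port 8623 and the bash session to port 6000, while the inbound SSH session and the git connection are filtered out.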
Answer 2
"Is there any way to block traffic from China?"
Yes, for example you can blacklist these IP ranges with iptables: http://www.nirsoft.net/countryip/cn.html (I just googled for a China IP block list)
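One way to turn a downloaded range list like the one linked above into the iptables-restore format used in answer 1, added here as an example (not the answerer's code): it validates each CIDR, skips malformed lines instead of letting one bad entry abort the whole restore, and keeps the drops in their own chain so they can be flushed without touching the rest of the ruleset. The sample ranges and the chain name CN_BLOCK are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample list (one CIDR per line, comments and blanks allowed); these are
# documentation ranges, not a real country list, which would run to thousands of entries.
SAMPLE_CIDRS='# constructed sample, not a real country list
203.0.113.0/24
198.51.100.0/25

not-an-address
192.0.2.128/25'

# build_blocklist_rules: read CIDRs on stdin and print an iptables-restore *filter fragment
# that creates a CN_BLOCK chain, drops the listed sources there, and jumps to it from the top
# of INPUT. Load it with "iptables-restore -n" so existing chains (ufw, fail2ban) are kept.
build_blocklist_rules() {
    awk '
    # valid_cidr: dotted quad with octets 0-255 and a prefix length 0-32
    function valid_cidr(s,    a, n, i) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
        n = split(s, a, "[./]")
        for (i = 1; i <= 4; i++) if (a[i] + 0 > 255) return 0
        return (a[5] + 0 <= 32)
    }
    BEGIN { print "*filter"; print ":CN_BLOCK - [0:0]"; print "-I INPUT 1 -j CN_BLOCK" }
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        if (!valid_cidr($1)) {
            print "skipping malformed entry: " $0 > "/dev/stderr"; next
        }
        print "-A CN_BLOCK -s " $1 " -j DROP"; kept++
    }
    END {
        print "-A CN_BLOCK -j RETURN"; print "COMMIT"
        print kept + 0 " ranges written" > "/dev/stderr"
    }'
}

# Stand-alone demo; on a live host: build_blocklist_rules < cn.txt | iptables-restore -n
printf '%s\n' "$SAMPLE_CIDRS" | build_blocklist_rules
```

For a full country list, one rule per range is matched linearly on every packet; an ipset hash:net set with a single -m set --match-set rule scales far better, and the same validation applies before feeding it.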