Squid proxy using vulnerable ports


My firewall (Juniper SRX) caught outbound traffic using vulnerable ports, ports known to be used by trojans, Windows Backdoor, NHL 2013 and so on. One thing that looks odd is that this traffic uses the ICMP protocol. It happens a few times a day.

I run an up-to-date Squid proxy on Ubuntu 16.04. Automatic updates are disabled, and the host-based firewall denies inbound/outbound by default and allows only port 80 outbound to specific IPs. Before I pick up a baseball bat, can someone explain or confirm Squid behaviour? Or Ubuntu background behaviour related to the HTTP traffic?

Below is a copy of one day's flow sessions, with all IPs obscured except the Ubuntu mirrors (91.189.xx). If you match the timestamps you will see that every time a permitted session is created there is also a denied session. I ran no updates that day and generated no HTTP traffic from the host, which makes me wonder what Ubuntu is doing in the background.

IP addresses

8.8.8.8 = Public IP Gateway
10.1.1.1 = Squid Proxy (RFC1918 using source NAT --> 8.8.8.8)
192.168.1.1 = Host
192.168.1.2 = Host
192.168.1.3 = Host

Denied traffic

Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1536->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny

Permitted traffic

Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.1/60542->10.1.1.1/3128 0x0 None 192.168.1.1/60542->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan2 vlan1 42568 N/A(N/A) irb.888 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.1/60544->10.1.1.1/3128 0x0 None 192.168.1.1/60544->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan2 vlan1 31115 N/A(N/A) irb.888 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/49848->91.189.91.23/80 0x0 junos-http 8.8.8.8/14971->91.189.91.23/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42939 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/44144->91.189.88.161/80 0x0 junos-http 8.8.8.8/6230->91.189.88.161/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 51879 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.2/40484->10.1.1.1/3128 0x0 None 192.168.1.2/40484->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan3 vlan1 2335 N/A(N/A) irb.999 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.2/40486->10.1.1.1/3128 0x0 None 192.168.1.2/40486->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan3 vlan1 2911 N/A(N/A) irb.999 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/60168->91.189.88.152/80 0x0 junos-http 8.8.8.8/8175->91.189.88.152/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 36604 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55918->91.189.91.26/80 0x0 junos-http 8.8.8.8/15149->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 35417 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49654->10.1.1.1/3128 0x0 None 192.168.1.3/49654->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 34295 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49656->10.1.1.1/3128 0x0 None 192.168.1.3/49656->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 27823 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49658->10.1.1.1/3128 0x0 None 192.168.1.3/49658->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 51168 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55920->91.189.91.26/80 0x0 junos-http 8.8.8.8/12063->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42058 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/45708->91.189.88.162/80 0x0 junos-http 8.8.8.8/24070->91.189.88.162/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 61718 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/45710->91.189.88.162/80 0x0 junos-http 8.8.8.8/27295->91.189.88.162/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 23309 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
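
The pairing the question describes (a denied ICMP flow at the same second as a permitted HTTP session to the same mirror) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from Squid/Junos: it parses RT_FLOW_SESSION_DENY and RT_FLOW_SESSION_CREATE lines, assuming the Junos field order in which the token after `0x0` is the service name and `1(8)` on a deny line is protocol-id(icmp-type), then correlates each denied flow with permitted sessions from the same source to the same destination within a one-second window. The log lines inside it are constructed to mirror the ones in the post, plus one constructed control line to 203.0.113.5 (TEST-NET-3) that has no paired session. It also records the point that matters for the "vulnerable port" classification: ICMP has no layer-4 ports, so for a proto 1 flow the `/1024` and `/42518` columns are not TCP/UDP ports at all.

```python
"""Correlate Junos SRX RT_FLOW logs: which denied ICMP flows sit next to a
permitted TCP session to the same destination?

Added example, not code from the original post. Field order follows the
Junos RT_FLOW_SESSION_DENY / _CREATE formats: on a deny line the token after
"0x0" is the service name and "1(8)" is protocol-id(icmp-type).
"""
import re
from datetime import datetime

# Constructed sample: lines modelled on the post (same shape and addresses),
# plus one control line to 203.0.113.5 (TEST-NET-3) with no paired session.
SAMPLE_LOG = """\
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.1/60542->10.1.1.1/3128 0x0 None 192.168.1.1/60542->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan2 vlan1 42568 N/A(N/A) irb.888 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/49848->91.189.91.23/80 0x0 junos-http 8.8.8.8/14971->91.189.91.23/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42939 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55918->91.189.91.26/80 0x0 junos-http 8.8.8.8/15149->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 35417 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 14:00:00  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1792->203.0.113.5/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
"""

TS = r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
FLOW = r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) 0x0 (?P<svc>\S+) "
DENY_RE = re.compile(TS + r".*RT_FLOW_SESSION_DENY: session denied " + FLOW
                     + r"(?P<proto>\d+)\((?P<icmp_type>\d+)\)")
CREATE_RE = re.compile(TS + r".*RT_FLOW_SESSION_CREATE: session created " + FLOW)
# On a create line: protocol-id policy-name source-zone destination-zone session-id username(
PROTO_RE = re.compile(r" (?P<proto>\d+) (?P<policy>\S+) \S+ \S+ \d+ \S+\(")

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}


def _base(m):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for same-day deltas.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "svc": m["svc"]}


def parse_rt_flow(text):
    """Split RT_FLOW syslog text into (denied, created) session records."""
    denied, created = [], []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            rec = _base(m)
            rec.update(proto=int(m["proto"]), icmp_type=int(m["icmp_type"]))
            denied.append(rec)
            continue
        m = CREATE_RE.match(line)
        if m:
            rec = _base(m)
            p = PROTO_RE.search(line)
            rec.update(proto=int(p["proto"]) if p else None,
                       policy=p["policy"] if p else None)
            created.append(rec)
    return denied, created


def correlate(text, window_s=1):
    """For each denied flow, list permitted sessions with the same src/dst
    within window_s seconds, and say whether port-based signatures even apply."""
    denied, created = parse_rt_flow(text)
    findings = []
    for d in denied:
        peers = [c for c in created
                 if c["src"] == d["src"] and c["dst"] == d["dst"]
                 and abs((c["ts"] - d["ts"]).total_seconds()) <= window_s]
        findings.append({
            "ts": d["ts"].strftime("%b %d %H:%M:%S"),
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "icmp_type": d["icmp_type"],
            "icmp_type_name": ICMP_TYPES.get(d["icmp_type"], "other"),
            # ICMP has no layer-4 ports: for proto 1 the /1024 and /42518
            # columns are not TCP/UDP ports, so a "known trojan port" match
            # keyed on them is a false positive by construction.
            "port_signature_applicable": d["proto"] in (6, 17),
            "paired_sessions": [(c["dport"], c["policy"]) for c in peers],
        })
    return findings


def summarize(findings):
    """Render findings one line each (returned, not printed, so it is testable)."""
    out = []
    for f in findings:
        what = f"icmp {f['icmp_type_name']}" if f["proto"] == 1 else f"proto {f['proto']}"
        pair = ", ".join(f"{port}/{pol}" for port, pol in f["paired_sessions"]) or "none"
        out.append(f"{f['ts']} {f['src']}->{f['dst']} {what}: paired permitted sessions: {pair}")
    return out


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_LOG)):
        print(line)
```

Run stand-alone it prints one line per denied flow; the two flows mirrored from the post come out as ICMP echo-request paired with a `permit-http` session to the same 91.189.x.x address in the same second, while the constructed control line pairs with nothing. The practical next step is on the Squid host rather than the firewall: capture the echo requests there (`tcpdump -ni any icmp`) to see which process emits them, and check whether the Squid build ships its `pinger` helper and whether `pinger_enable` is set in squid.conf, since that helper sends ICMP echo requests to origin servers. Whether that is the cause here is not something the logs above settle on their own.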
