Today I noticed a few failed authentication attempts on my ssh server, so I decided to check all the logs for suspicious activity. Here is my router firewall log (a small part of it):
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=118.179.50.73 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x20 TTL=107 ID=16939 DF PROTO=TCP SPT=28279 DPT=54281 SEQ=1104099122 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.173.108.248 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=4775 DF PROTO=TCP SPT=53946 DPT=54281 SEQ=1573294371 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=118.179.50.73 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=16940 PROTO=UDP SPT=28273 DPT=54281 LEN=28
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.173.108.248 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4776 PROTO=UDP SPT=1033 DPT=54281 LEN=28
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=195.34.75.108 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=30112 PROTO=UDP SPT=50909 DPT=54281 LEN=28
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=46.161.151.68 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=25107 DF PROTO=TCP SPT=53776 DPT=54281 SEQ=347621257 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=84.111.225.41 DST=<MyExternalIP> LEN=58 TOS=0x00 PREC=0x00 TTL=116 ID=26401 PROTO=UDP SPT=12821 DPT=54281 LEN=38
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=46.161.151.68 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=25161 PROTO=UDP SPT=41441 DPT=54281 LEN=28
Dec 12 21:24:12 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=62.105.150.126 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=7340 PROTO=UDP SPT=12168 DPT=54281 LEN=28
Dec 12 21:24:13 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.196.224.8 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=3059 DF PROTO=TCP SPT=50770 DPT=54281 SEQ=2242830855 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:13 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=212.20.52.84 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=113 ID=10982 PROTO=TCP SPT=50675 DPT=54281 SEQ=3429675197 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Dec 12 21:24:13 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.196.224.8 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=3060 PROTO=UDP SPT=60706 DPT=54281 LEN=28
Dec 12 21:24:13 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=129.45.17.183 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=11488 DF PROTO=TCP SPT=63348 DPT=54281 SEQ=843677449 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=129.45.17.183 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=11489 PROTO=UDP SPT=31619 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.124.25.61 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=10611 DF PROTO=TCP SPT=53604 DPT=54281 SEQ=53119836 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=77.123.52.193 DST=<MyExternalIP> LEN=52 TOS=0x10 PREC=0x80 TTL=119 ID=29732 DF PROTO=TCP SPT=64670 DPT=54281 SEQ=1393693542 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=212.20.52.84 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=113 ID=10983 PROTO=UDP SPT=22401 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=77.123.52.193 DST=<MyExternalIP> LEN=48 TOS=0x10 PREC=0x80 TTL=119 ID=29733 PROTO=UDP SPT=36118 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.130.145.208 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=18200 DF PROTO=TCP SPT=49314 DPT=54281 SEQ=3961523561 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.124.25.61 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=10703 PROTO=UDP SPT=16543 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=37.57.203.228 DST=<MyExternalIP> LEN=132 TOS=0x00 PREC=0x20 TTL=56 ID=19350 PROTO=UDP SPT=8999 DPT=54281 LEN=112
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=46.149.95.146 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=23986 DF PROTO=TCP SPT=57083 DPT=54281 SEQ=2426085934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402)
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=46.149.95.146 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=23987 PROTO=UDP SPT=63090 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.130.145.208 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=18201 PROTO=UDP SPT=21431 DPT=54281 LEN=28
Dec 12 21:24:14 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.200.239.123 DST=<MyExternalIP> LEN=58 TOS=0x00 PREC=0x00 TTL=50 ID=8283 DF PROTO=UDP SPT=2305 DPT=54281 LEN=38
Dec 12 21:24:15 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=82.193.102.250 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=4707 PROTO=UDP SPT=11408 DPT=54281 LEN=28
Dec 12 21:24:15 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=82.193.102.250 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=4708 DF PROTO=TCP SPT=59712 DPT=54281 SEQ=1602137000 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:15 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=185.202.212.89 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=23841 PROTO=UDP SPT=53432 DPT=54281 LEN=28
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=185.189.113.249 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=31100 PROTO=UDP SPT=39200 DPT=54281 LEN=28
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=185.189.113.249 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=31101 DF PROTO=TCP SPT=50522 DPT=54281 SEQ=1220006373 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020404B40103030801010402)
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=95.26.134.24 DST=<MyExternalIP> LEN=48 TOS=0x08 PREC=0x20 TTL=116 ID=22035 DF PROTO=TCP SPT=61903 DPT=54281 SEQ=1593701078 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=95.26.134.24 DST=<MyExternalIP> LEN=48 TOS=0x08 PREC=0x20 TTL=116 ID=22034 PROTO=UDP SPT=26284 DPT=54281 LEN=28
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=213.59.151.172 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12178 DF PROTO=TCP SPT=63771 DPT=54281 SEQ=930542000 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=91.76.129.8 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=113 ID=8550 PROTO=UDP SPT=21317 DPT=54281 LEN=28
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=91.76.129.8 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x20 TTL=113 ID=8551 DF PROTO=TCP SPT=51072 DPT=54281 SEQ=2244867843 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Dec 12 21:24:16 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=213.59.151.172 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12179 PROTO=UDP SPT=40315 DPT=54281 LEN=28
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.216.6.157 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=15453 DF PROTO=TCP SPT=55479 DPT=54281 SEQ=2506165195 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.216.6.157 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=15452 PROTO=UDP SPT=54615 DPT=54281 LEN=28
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=178.44.31.190 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x20 TTL=114 ID=10292 DF PROTO=TCP SPT=52489 DPT=54281 SEQ=3570098040 ACK=0 WINDOW=17520 RES=0x00 SYN URGP=0 OPT (020405AC0103030801010402)
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=178.44.31.190 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=114 ID=10293 PROTO=UDP SPT=18160 DPT=54281 LEN=28
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.200.239.123 DST=<MyExternalIP> LEN=58 TOS=0x00 PREC=0x00 TTL=50 ID=8699 DF PROTO=UDP SPT=2305 DPT=54281 LEN=38
Dec 12 21:24:17 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=195.34.75.108 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=30113 DF PROTO=TCP SPT=50598 DPT=54281 SEQ=3590616573 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:18 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=82.193.102.250 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=4709 DF PROTO=TCP SPT=59712 DPT=54281 SEQ=1602137000 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:18 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=195.34.75.108 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=30114 PROTO=UDP SPT=50909 DPT=54281 LEN=28
Dec 12 21:24:18 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=79.137.155.249 DST=<MyExternalIP> LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=11662 PROTO=UDP SPT=47493 DPT=54281 LEN=111
Dec 12 21:24:18 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=82.193.102.250 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=4710 PROTO=UDP SPT=11408 DPT=54281 LEN=28
Dec 12 21:24:18 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=84.111.225.41 DST=<MyExternalIP> LEN=58 TOS=0x00 PREC=0x00 TTL=116 ID=26771 PROTO=UDP SPT=12821 DPT=54281 LEN=38
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.180.28.179 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=114 ID=25301 PROTO=UDP SPT=35280 DPT=54281 LEN=28
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.180.28.179 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x20 TTL=114 ID=25302 DF PROTO=TCP SPT=64903 DPT=54281 SEQ=1266165314 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405AC0103030201010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=185.189.113.249 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=31102 DF PROTO=TCP SPT=50522 DPT=54281 SEQ=1220006373 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020404B40103030801010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=95.26.134.24 DST=<MyExternalIP> LEN=48 TOS=0x08 PREC=0x20 TTL=116 ID=22616 DF PROTO=TCP SPT=61903 DPT=54281 SEQ=1593701078 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.196.224.8 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=3061 DF PROTO=TCP SPT=50770 DPT=54281 SEQ=2242830855 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=95.26.134.24 DST=<MyExternalIP> LEN=48 TOS=0x08 PREC=0x20 TTL=116 ID=22652 PROTO=UDP SPT=26284 DPT=54281 LEN=28
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=91.76.129.8 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x20 TTL=113 ID=11838 DF PROTO=TCP SPT=51072 DPT=54281 SEQ=2244867843 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=91.76.129.8 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x20 TTL=113 ID=11845 PROTO=UDP SPT=21317 DPT=54281 LEN=28
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=185.189.113.249 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=31103 PROTO=UDP SPT=39200 DPT=54281 LEN=28
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=62.105.150.126 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=13254 DF PROTO=TCP SPT=55827 DPT=54281 SEQ=992095076 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.196.224.8 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=3062 PROTO=UDP SPT=60706 DPT=54281 LEN=28
Dec 12 21:24:19 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=129.45.17.183 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=11490 DF PROTO=TCP SPT=63349 DPT=54281 SEQ=843677449 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405780103030801010402)
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.124.25.61 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=13024 DF PROTO=TCP SPT=53604 DPT=54281 SEQ=53119836 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=129.45.17.183 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=11491 PROTO=UDP SPT=31619 DPT=54281 LEN=28
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.202.53.239 DST=<MyExternalIP> LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=20618 PROTO=UDP SPT=27874 DPT=54281 LEN=111
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=77.123.52.193 DST=<MyExternalIP> LEN=48 TOS=0x10 PREC=0x80 TTL=119 ID=29735 PROTO=UDP SPT=36118 DPT=54281 LEN=28
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=31.130.145.208 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=18202 DF PROTO=TCP SPT=49314 DPT=54281 SEQ=3961523561 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=88.216.6.157 DST=<MyExternalIP> LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=15454 DF PROTO=TCP SPT=55479 DPT=54281 SEQ=2506165195 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Dec 12 21:24:20 kernel: DROP IN=eth0 OUT= MAC=10:7b:44:58:cc:b0:00:1d:70:81:e9:00:08:00 SRC=109.124.25.61 DST=<MyExternalIP> LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=13164 PROTO=UDP SPT=16543 DPT=54281 LEN=28
I was surprised by the number of incoming requests, and I immediately shut down all devices and services to check whether some program such as torrents was generating these requests.
Unfortunately, it did not stop.
I decided to analyse it: I took the latest ~5 minutes of the log and ran

```
cat firewall.txt | grep DROP | awk '{print $9}' | sort | uniq | wc -l
```

to find the unique IPs. The result was 1466. To me this looks like a DDoS attack, but I'm not sure.
Can someone explain to me what the columns after `LEN` in the router log mean?
I'd like to understand what is going on...
Answer 1
Most of these are obvious abbreviations of the names used for the fields/flags of the IPv4, TCP and UDP headers.
- https://en.wikipedia.org/wiki/IPv4#Header
- https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
- https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure

Fields:
| Field  | Meaning |
|--------|---------|
| IN     | incoming interface |
| OUT    | outgoing interface |
| MAC    | hardware address |
| SRC    | IP address in the source field of the IP header |
| DST    | IP address in the destination field of the IP header |
| LEN    | length of the IP packet |
| TOS    | originally called Type of Service, these days it is the Differentiated Services Code Point |
| TTL    | Time To Live |
| PROTO  | name of the protocol; tcp/udp are the most common |
| SPT    | source port from the tcp/udp header |
| DPT    | destination port from the tcp/udp header |
| DF     | TCP don't fragment flag |
| SYN    | TCP SYN flag |
| ACK    | TCP ACK flag |
| WINDOW | TCP window |
| SEQ    | sequence number |
Anyway, what most of the packets have in common is `DPT=54281`. Most of what was posted in the log is UDP, but there is some TCP in there too. Google suggests that if you have Apple XSAN, this may be the port it uses. But it could also be any other service that uses that port.