UFW strange ICMP logging - ping is blocked

In the log entries below I have replaced my eth MAC address with ETH_MAC_ADDRESS, my server's IP with MY_SERVER_IP, and the other IPs with STRANGE_IP plus a number to tell them apart.

Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_1 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=MY_SERVER_IP DST=STRANGE_IP_1 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.803157] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47475 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=36766 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.816160] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47476 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=26493 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.831386] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47477 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=3269 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ] 

As you can see, the destination IP in the first part of each record is always my server's IP, and in the second part it is the source IP. All the other IPs are different.

This went on for about 4 hours. During that time the server's CPU load was extremely low, and even SSH connections were dropped.

Ping had already been blocked beforehand by a rule in the ufw firewall.

Is this a DDoS attack? It is worth mentioning that a few days ago we suffered a DDoS attack, and the day before that we had another DDoS attack, which we blocked with a firewall rule added in the Cloudflare dashboard.

Can someone explain how to interpret the second part, the one in square brackets [], of each record in the log?

cat /etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

The UFW rules:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW IN    Anywhere
21/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
110/tcp                    ALLOW IN    Anywhere
143/tcp                    ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
587/tcp                    ALLOW IN    Anywhere
993/tcp                    ALLOW IN    Anywhere
995/tcp                    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
8081/tcp                   ALLOW IN    Anywhere
10000/tcp                  ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
3306/udp                   ALLOW IN    Anywhere
2408/tcp                   ALLOW IN    173.245.48.0/20
2408/tcp                   ALLOW IN    103.21.244.0/22
2408/tcp                   ALLOW IN    103.22.200.0/22
2408/tcp                   ALLOW IN    103.31.4.0/22
2408/tcp                   ALLOW IN    141.101.64.0/18
2408/tcp                   ALLOW IN    108.162.192.0/18
2408/tcp                   ALLOW IN    190.93.240.0/20
2408/tcp                   ALLOW IN    188.114.96.0/20
2408/tcp                   ALLOW IN    197.234.240.0/22
2408/tcp                   ALLOW IN    198.41.128.0/17
2408/tcp                   ALLOW IN    162.158.0.0/15
2408/tcp                   ALLOW IN    104.16.0.0/12
2408/tcp                   ALLOW IN    172.64.0.0/13
2408/tcp                   ALLOW IN    131.0.72.0/22
22/tcp (OpenSSH)           ALLOW IN    Anywhere
143/tcp (Dovecot IMAP)     ALLOW IN    Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN    Anywhere
25/tcp (Postfix)           ALLOW IN    Anywhere
465/tcp (Postfix SMTPS)    ALLOW IN    Anywhere
587/tcp (Postfix Submission) ALLOW IN    Anywhere
20/tcp (v6)                ALLOW IN    Anywhere (v6)
21/tcp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
25/tcp (v6)                ALLOW IN    Anywhere (v6)
53/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
110/tcp (v6)               ALLOW IN    Anywhere (v6)
143/tcp (v6)               ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
587/tcp (v6)               ALLOW IN    Anywhere (v6)
993/tcp (v6)               ALLOW IN    Anywhere (v6)
995/tcp (v6)               ALLOW IN    Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)
8081/tcp (v6)              ALLOW IN    Anywhere (v6)
10000/tcp (v6)             ALLOW IN    Anywhere (v6)
53/udp (v6)                ALLOW IN    Anywhere (v6)
3306/udp (v6)              ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
143/tcp (Dovecot IMAP (v6)) ALLOW IN    Anywhere (v6)
993/tcp (Dovecot Secure IMAP (v6)) ALLOW IN    Anywhere (v6)
25/tcp (Postfix (v6))      ALLOW IN    Anywhere (v6)
465/tcp (Postfix SMTPS (v6)) ALLOW IN    Anywhere (v6)
587/tcp (Postfix Submission (v6)) ALLOW IN    Anywhere (v6)
2408/tcp                   ALLOW IN    2400:cb00::/32
2408/tcp                   ALLOW IN    2606:4700::/32
2408/tcp                   ALLOW IN    2803:f800::/32
2408/tcp                   ALLOW IN    2405:b500::/32
2408/tcp                   ALLOW IN    2405:8100::/32
2408/tcp                   ALLOW IN    2a06:98c0::/29
2408/tcp                   ALLOW IN    2c0f:f248::/32

Update:

There are also some strange SSH(?) connections:

netstat -nt | grep :22

tcp        0     69 MYSERVERIP:22        STRANGEIP_1:44930      FIN_WAIT1
tcp        0     68 MYSERVERIP:22        STRANGEIP_2:37007      ESTABLISHED
tcp        0      1 MYSERVERIP:22        STRANGEIP_3:40132      LAST_ACK
tcp        0     68 MYSERVERIP:22        STRANGEIP_4:50132   ESTABLISHED
tcp        0     68 MYSERVERIP:22        STRANGEIP_5:38939      ESTABLISHED
tcp        0      0 MYSERVERIP:22        MYIP:52118      ESTABLISHED
tcp        0     68 MYSERVERIP:22        STRANGEIP_6:43152     ESTABLISHED
tcp        0     68 MYSERVERIP:22        STRANGEIP_7:39321   ESTABLISHED
tcp        0     64 MYSERVERIP:22        MYIP:52001      ESTABLISHED
tcp        0     68 MYSERVERIP:22        STRANGEIP_8:39732      ESTABLISHED

netstat -nputw | grep 'sshd'

tcp        0     68 MYSERVERIP:22        STRANGEIP_2:37007      ESTABLISHED 2525/sshd: unknown
tcp        0     68 MYSERVERIP:22        STRANGEIP_5:38939      ESTABLISHED 2558/sshd: unknown
tcp        0      0 MYSERVERIP:22        MYIP:52118      ESTABLISHED 15911/sshd: root@no
tcp        0     68 MYSERVERIP:22        STRANGEIP_7:39321   ESTABLISHED 2466/sshd: root [pr
tcp        0     64 MYSERVERIP:22        MYIP:52001      ESTABLISHED 15554/sshd: root@pt
tcp        0     68 MYSERVERIP:22        STRANGEIP_8:39732      ESTABLISHED 2596/sshd: unknown

The above is the current situation, but the server seems to be fine, and UFW did not log the initial requests.

After checking /var/log/auth.log, I found that the above were just authentication failure. I don't know whether they show as ESTABLISHED in netstat.

Regards

Answer 1

These are standard ICMPv4 responses. From the type and code you can tell exactly what response the destination host sent to your host.

In both cases the type is 3, Destination Unreachable. In the first case the code is 3, Port Unreachable; in the second case the code is 1, Host Unreachable. The first ICMP response would cause a program to return the (perhaps more familiar) error Connection refused, while the second would return the error No route to host.

ICMP responses of this kind carry back a copy of the packet that caused the response. Here that packet is shown in the square brackets. It shows UDP traffic from your IP address to each of the remote servers, with destination port 389.

Since the source port is the same in every packet, this traffic is probably spoofed: it most likely comes from some unknown place and was sent deliberately so that these ICMP responses would reach your system. This could be a denial-of-service attempt, but if so it is a very poor one. It could also be an attempt to generate abuse complaints to your service provider using bogus traffic. Or someone may be trying to attack those remote systems and accidentally used your IP address as the source instead of their own.

Although this is most likely spoofed traffic, it is also possible that it really did originate from your system. But if so, the firewall would treat these as responses to traffic your system sent out and would not block them. You may still want to check your system to make sure you have dealt with any possible security compromise.
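The following is an added example, not code from the question, the answer, or ufw itself. It parses `[UFW BLOCK]` kernel log lines in the format shown in the question, splits off the bracketed copy of the packet that triggered an ICMP error, names the ICMP type/code and the errno the original sender would have seen, and applies the answer's heuristic (every quoted packet claims our IP as source, one fixed source port, many unrelated remote hosts) to flag the batch as likely spoofed backscatter. The sample log lines are constructed for this example and use RFC 5737 documentation addresses; `MY_SERVER_IP`, the MAC string, and the function names are assumptions for illustration only.

```python
"""Classify [UFW BLOCK] ICMP error lines as backscatter (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample input in the question's log format (RFC 5737 documentation
# addresses; the MAC field is a placeholder). Line 4 is a plain blocked ping.
MY_SERVER_IP = "203.0.113.10"  # assumption standing in for MY_SERVER_IP
_MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = f"""\
Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC={_MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.10 DST=198.51.100.7 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC={_MAC} SRC=198.51.100.8 DST=203.0.113.10 LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.0.113.10 DST=198.51.100.9 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC={_MAC} SRC=198.51.100.20 DST=203.0.113.10 LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.0.113.10 DST=198.51.100.20 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:12:01 cld kernel: [140242.000001] [UFW BLOCK] IN=eth0 OUT= MAC={_MAC} SRC=198.51.100.30 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=ICMP TYPE=8 CODE=0
"""

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}
TYPE3_CODES = {0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
               3: "port-unreachable", 4: "fragmentation-needed", 9: "net-admin-prohibited",
               10: "host-admin-prohibited", 13: "communication-admin-prohibited"}
# Errno the sender of the quoted packet would get (the answer's two cases).
TYPE3_ERRNO = {0: "ENETUNREACH", 1: "EHOSTUNREACH", 3: "ECONNREFUSED"}

KV_RE = re.compile(r"([A-Z]+)=(\S*)")
QUOTED_RE = re.compile(r"\[(SRC=.*?)\]\s*$")


def parse_ufw_block(line):
    """Return (outer, quoted) header dicts for one '[UFW BLOCK]' line, else None.

    For ICMP errors the kernel appends, in square brackets, the headers of the
    packet that triggered the error; that is the 'quoted' dict. Duplicate keys
    keep the last value, so quoted['LEN'] is the UDP length (59), not the IP
    length (79) of the quoted packet.
    """
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    quoted = {}
    m = QUOTED_RE.search(body)
    if m:
        quoted = dict(KV_RE.findall(m.group(1)))
        body = body[: m.start()]
    return dict(KV_RE.findall(body)), quoted


def describe(outer, quoted):
    """Name the ICMP type/code and, for type 3, the errno plus the quoted flow."""
    if outer.get("PROTO") != "ICMP":
        return outer.get("PROTO", "?")
    t, c = int(outer["TYPE"]), int(outer["CODE"])
    name = ICMP_TYPES.get(t, f"type-{t}")
    if t != 3:
        return name
    text = f"{name}/{TYPE3_CODES.get(c, f'code-{c}')} ({TYPE3_ERRNO.get(c, 'n/a')})"
    if quoted:  # outer SRC may be a router, not the quoted DST (host-unreachable)
        text += (f" quoting {quoted.get('PROTO')} {quoted.get('SRC')}:{quoted.get('SPT')}"
                 f" -> {quoted.get('DST')}:{quoted.get('DPT')}")
    return text


def assess_backscatter(lines, my_ip):
    """Apply the answer's heuristic to a batch of lines and return a summary dict.

    ICMP errors whose quoted packet claims my_ip as source, with one fixed
    source port across several unrelated remote hosts, is the signature of
    spoofed traffic (backscatter). Errors for traffic this host really sent
    would normally be ACCEPTed as conntrack RELATED before the DROP rule in
    before.rules, so they rarely show up as [UFW BLOCK] at all.
    """
    sports, remotes, quoted_mine, errors, other = Counter(), set(), 0, 0, 0
    for line in lines:
        parsed = parse_ufw_block(line)
        if parsed is None:
            continue
        outer, quoted = parsed
        if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or not quoted:
            other += 1
            continue
        errors += 1
        remotes.add(outer["SRC"])
        quoted_mine += quoted.get("SRC") == my_ip
        sports[quoted.get("SPT")] += 1
    verdict = "no-icmp-error-backscatter"
    if errors:
        fixed_sport = len(sports) == 1 and errors >= 3 and len(remotes) >= 3
        if quoted_mine == errors:
            verdict = "likely-spoofed-backscatter" if fixed_sport else "backscatter-for-our-ip"
        else:
            verdict = "icmp-errors-quoting-other-hosts"
    return {"icmp_errors": errors, "other_blocks": other, "distinct_remotes": len(remotes),
            "source_ports": dict(sports), "verdict": verdict}


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        outer, quoted = parse_ufw_block(raw)
        print(outer["SRC"], "->", describe(outer, quoted))
    print(assess_backscatter(SAMPLE_LOG.splitlines(), MY_SERVER_IP))
```

To run it against a real box, feed `journalctl -k` or `/var/log/kern.log` lines into `assess_backscatter` with the server's actual address; the verdict only says "likely-spoofed" when all three indicators from the answer line up, so a handful of genuine errors for outbound traffic will not trip it.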
