In the log records below I have replaced my eth MAC address with ETH_MAC_ADDRESS, my server's IP with MY_SERVER_IP, and the other IPs with STRANGE_IP plus a number to tell them apart.
Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_1 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=MY_SERVER_IP DST=STRANGE_IP_1 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.803157] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47475 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=36766 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.816160] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47476 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=26493 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.831386] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47477 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=3269 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
As you can see, in the first part of each record the destination IP is always my server's IP, and in the second part it is the source IP. All the other IPs are different.
This went on for about 4 hours. During that time the server's CPU load was extremely low, and even the SSH connection dropped.
Ping had already been blocked by a rule in the ufw firewall.
Is this a DDoS attack? It is worth mentioning that a few days ago we suffered a DDoS attack, and the day before we suffered another one, which we blocked with a firewall rule added in the Cloudflare dashboard.
Can someone explain how to interpret the second part, the one in square brackets [], of each record in the log?
cat /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
The UFW rules:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
20/tcp ALLOW IN Anywhere
21/tcp ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
25/tcp ALLOW IN Anywhere
53/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
110/tcp ALLOW IN Anywhere
143/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
587/tcp ALLOW IN Anywhere
993/tcp ALLOW IN Anywhere
995/tcp ALLOW IN Anywhere
3306/tcp ALLOW IN Anywhere
8080/tcp ALLOW IN Anywhere
8081/tcp ALLOW IN Anywhere
10000/tcp ALLOW IN Anywhere
53/udp ALLOW IN Anywhere
3306/udp ALLOW IN Anywhere
2408/tcp ALLOW IN 173.245.48.0/20
2408/tcp ALLOW IN 103.21.244.0/22
2408/tcp ALLOW IN 103.22.200.0/22
2408/tcp ALLOW IN 103.31.4.0/22
2408/tcp ALLOW IN 141.101.64.0/18
2408/tcp ALLOW IN 108.162.192.0/18
2408/tcp ALLOW IN 190.93.240.0/20
2408/tcp ALLOW IN 188.114.96.0/20
2408/tcp ALLOW IN 197.234.240.0/22
2408/tcp ALLOW IN 198.41.128.0/17
2408/tcp ALLOW IN 162.158.0.0/15
2408/tcp ALLOW IN 104.16.0.0/12
2408/tcp ALLOW IN 172.64.0.0/13
2408/tcp ALLOW IN 131.0.72.0/22
22/tcp (OpenSSH) ALLOW IN Anywhere
143/tcp (Dovecot IMAP) ALLOW IN Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN Anywhere
25/tcp (Postfix) ALLOW IN Anywhere
465/tcp (Postfix SMTPS) ALLOW IN Anywhere
587/tcp (Postfix Submission) ALLOW IN Anywhere
20/tcp (v6) ALLOW IN Anywhere (v6)
21/tcp (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
25/tcp (v6) ALLOW IN Anywhere (v6)
53/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
110/tcp (v6) ALLOW IN Anywhere (v6)
143/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
587/tcp (v6) ALLOW IN Anywhere (v6)
993/tcp (v6) ALLOW IN Anywhere (v6)
995/tcp (v6) ALLOW IN Anywhere (v6)
3306/tcp (v6) ALLOW IN Anywhere (v6)
8080/tcp (v6) ALLOW IN Anywhere (v6)
8081/tcp (v6) ALLOW IN Anywhere (v6)
10000/tcp (v6) ALLOW IN Anywhere (v6)
53/udp (v6) ALLOW IN Anywhere (v6)
3306/udp (v6) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
143/tcp (Dovecot IMAP (v6)) ALLOW IN Anywhere (v6)
993/tcp (Dovecot Secure IMAP (v6)) ALLOW IN Anywhere (v6)
25/tcp (Postfix (v6)) ALLOW IN Anywhere (v6)
465/tcp (Postfix SMTPS (v6)) ALLOW IN Anywhere (v6)
587/tcp (Postfix Submission (v6)) ALLOW IN Anywhere (v6)
2408/tcp ALLOW IN 2400:cb00::/32
2408/tcp ALLOW IN 2606:4700::/32
2408/tcp ALLOW IN 2803:f800::/32
2408/tcp ALLOW IN 2405:b500::/32
2408/tcp ALLOW IN 2405:8100::/32
2408/tcp ALLOW IN 2a06:98c0::/29
2408/tcp ALLOW IN 2c0f:f248::/32
Update:
There are also some strange SSH(?) connections:
netstat -nt | grep :22
tcp 0 69 MYSERVERIP:22 STRANGEIP_1:44930 FIN_WAIT1
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED
tcp 0 1 MYSERVERIP:22 STRANGEIP_3:40132 LAST_ACK
tcp 0 68 MYSERVERIP:22 STRANGEIP_4:50132 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_6:43152 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED
netstat -nputw | grep 'sshd'
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED 2525/sshd: unknown
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED 2558/sshd: unknown
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED 15911/sshd: root@no
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED 2466/sshd: root [pr
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED 15554/sshd: root@pt
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED 2596/sshd: unknown
That is the current situation, but the server seems fine, and UFW did not log the initial requests.
After checking /var/log/auth.log, it turned out the above were just authentication failure entries. I don't know whether they show up as established in netstat.
Regards
Answer 1
These are standard ICMPv4 responses. From the type and code you can tell exactly what response the destination host sent to your host.
In both cases the type is 3, Destination Unreachable. In the first case the code is 3, Port Unreachable, and in the second case the code is 1, Host Unreachable. The first ICMP response causes a program to get the (perhaps more familiar) error Connection refused, while the second one returns the error No route to host.
ICMP responses of this kind carry back a copy of the packet that caused the response. Here that packet is shown in square brackets. It shows UDP traffic from your IP address to each of the remote servers, with destination port 389.
Since the source port is the same in every packet, this traffic is probably spoofed: it most likely came from some unknown place and was sent specifically so that these ICMP responses would arrive at your system. This could be a denial-of-service attempt, but if so it is a very poor one. It could also be an attempt to generate abuse complaints to your service provider with fake traffic. It could also be that someone is trying to attack those remote systems and accidentally used your IP address as the source instead of his own.
While this is most likely spoofed traffic, it is also possible that it really did come from your system. If so, however, the firewall would have treated these as responses to traffic your system sent and would not have blocked them. You may still want to look over your system to make sure you have dealt with any possible security compromise.
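To make the structure of these records concrete (the question asks how to read the bracketed second part, and the answer decodes type 3 with codes 3 and 1), here is an added Python example that is not part of the original question or answer. It splits a `[UFW BLOCK]` line into the blocked ICMP packet and the quoted original datagram, names the ICMP type/code, and summarises the indicators the answer relies on: every quoted datagram claims our address as its source, they go to many different hosts, and they all reuse one source port. The sample lines are constructed from the placeholders used in the question, plus one constructed TCP record to show how a line without a quoted packet is handled; the `L4_LEN` key and the `spoof_indicators` summary are this example's own conventions, not UFW output.

```python
"""Parse UFW BLOCK log lines for ICMP errors and decode the quoted packet.

Added example, not from the original question or answer. The sample lines
below are constructed, modelled on the records quoted in the question.
"""
import re
from collections import Counter

# Constructed sample input: three ICMP records shaped like the question's log
# (placeholders kept) and one plain TCP block with no quoted datagram.
SAMPLE_LOG = """\
Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_1 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=MY_SERVER_IP DST=STRANGE_IP_1 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:12:01 cld kernel: [140242.000001] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_9 DST=MY_SERVER_IP LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1122.
ICMP_UNREACHABLE_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed",
}

# outer = the blocked packet itself; inner = the original datagram the ICMP
# error quotes back, which UFW prints in square brackets (absent for non-ICMP).
UFW_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<outer>[^\[]*)(?:\[(?P<inner>[^\]]*)\])?\s*$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_fields(text):
    """Turn 'SRC=a DST=b LEN=79 ... LEN=59' into a dict. The first value of a
    repeated key wins, so LEN stays the IP total length; the second LEN (the
    UDP header+payload length) is stored under the example's own key L4_LEN."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if key not in fields:
            fields[key] = value
        elif key == "LEN":
            fields["L4_LEN"] = value
    return fields


def describe_icmp(fields):
    """Human-readable meaning of an ICMP TYPE/CODE pair; None for non-ICMP."""
    if fields.get("PROTO") != "ICMP":
        return None
    icmp_type, code = int(fields["TYPE"]), int(fields["CODE"])
    if icmp_type == 3:
        return "Destination Unreachable: " + ICMP_UNREACHABLE_CODES.get(code, f"code {code}")
    return f"ICMP type {icmp_type} code {code}"


def parse_ufw_block(line):
    """Split one [UFW BLOCK] record into outer/inner field dicts plus the ICMP
    description; returns None for lines that are not UFW block records."""
    m = UFW_RE.search(line)
    if not m:
        return None
    outer = parse_fields(m.group("outer"))
    inner = parse_fields(m.group("inner")) if m.group("inner") else None
    return {"outer": outer, "inner": inner, "icmp": describe_icmp(outer)}


def parse_log(text):
    return [r for r in (parse_ufw_block(line) for line in text.splitlines()) if r]


def spoof_indicators(records):
    """Summarise the pattern the answer points at: the quoted datagrams all
    claim our address as source, go to many different hosts, and reuse one
    source port. A real client would normally use varying ephemeral ports."""
    quoted = [r["inner"] for r in records if r["inner"]]
    if not quoted:
        return {"quoted_packets": 0}
    our_ips = {r["outer"]["DST"] for r in records if r["inner"]}
    claimed_sources = {q["SRC"] for q in quoted}
    sport_counts = Counter(q.get("SPT") for q in quoted)
    return {
        "quoted_packets": len(quoted),
        "all_claim_our_ip_as_source": claimed_sources <= our_ips,
        "distinct_destinations": len({q["DST"] for q in quoted}),
        "distinct_source_ports": len(sport_counts),
        "dominant_source_port": sport_counts.most_common(1)[0][0],
        "destination_ports": sorted({q.get("DPT") for q in quoted}),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        o, i = r["outer"], r["inner"]
        what = r["icmp"] or f"blocked {o['PROTO']} to port {o.get('DPT', '?')}"
        print(f"{o['SRC']} -> {o['DST']}: {what}")
        if i:
            print(f"    quoted: {i['SRC']}:{i.get('SPT')} -> {i['DST']}:{i.get('DPT')} {i['PROTO']}")
    print(spoof_indicators(recs))
```

Run it against a real `/var/log/ufw.log` by feeding the file contents to `parse_log`; a high `quoted_packets` count with one `dominant_source_port`, many `distinct_destinations` and `all_claim_our_ip_as_source` true is the shape the answer describes, whereas genuine outbound traffic from the host would show varying source ports and, as the answer notes, would normally be matched as RELATED by the conntrack rule in before.rules rather than logged as blocked.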