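I am receiving ARP spoofing alerts coming from an Ubuntu server I just installed.
The server has two network cards, each connected to the same network with a different IP.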
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
$ cat /etc/netplan/00-installer-config.yaml
network:
  ethernets:
    eno1:
      optional: true
      match:
        driver: e1000e
        macaddress: 80:ee:73:f5:b4:dc
      addresses: [192.168.200.101/24]
      routes:
        - to: 192.168.200.0
          via: 192.168.200.101
          on-link: True
        - to: default
          via: 192.168.200.250
      nameservers:
        addresses: [192.168.230.231, 8.8.8.8]
    enp1s0:
      optional: true
      match:
        driver: igb
        macaddress: 80:ee:73:f5:b4:db
      addresses: [192.168.200.102/24]
      routes:
        - to: 192.168.200.0
          via: 192.168.200.102
          on-link: true
  version: 2
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 80:ee:73:f5:b4:db brd ff:ff:ff:ff:ff:ff
inet 192.168.200.102/24 brd 192.168.200.255 scope global enp1s0
valid_lft forever preferred_lft forever
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 80:ee:73:f5:b4:dc brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
inet 192.168.200.101/24 brd 192.168.200.255 scope global eno1
valid_lft forever preferred_lft forever
$ ip r
default via 192.168.200.250 dev eno1 proto static
192.168.200.0/24 dev eno1 proto kernel scope link src 192.168.200.101
192.168.200.0/24 dev enp1s0 proto kernel scope link src 192.168.200.102
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 18b169909b80 0.0.0.0 UG 0 0 0 eno1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 enp1s0
Messages from ESET NOD32:
Date and time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
08/11/2023 11:36:00;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:01;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:02;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:03;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:04;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:05;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:06;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:07;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:08;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:09;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:10;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
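
A triage check for alerts like these, as an added example that is not part of the original post: it cross-references the source MAC in each exported alert row against the server's own `ip a` output, to tell whether the MAC/IP pair that triggered the alert belongs to the server itself or to an unknown device. The function names `parse_ip_a` and `triage` are hypothetical, and the sample input is constructed from the outputs shown above.

```python
import re

# Constructed sample input, taken from the `ip a` output and alert export above.
IP_A = """\
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 80:ee:73:f5:b4:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.102/24 brd 192.168.200.255 scope global enp1s0
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 80:ee:73:f5:b4:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.101/24 brd 192.168.200.255 scope global eno1
"""
ALERTS = """\
Date and time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
08/11/2023 11:36:00;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
08/11/2023 11:36:01;ARP cache poisoning attack;Blocked;192.168.200.101 [80:ee:73:f5:b4:db];192.168.200.101 [80:ee:73:f5:b4:dc];ARP;;;;;;;;
"""

def parse_ip_a(text):
    """Map each Ethernet MAC to (interface name, [IPv4 addresses])."""
    nics, name, mac = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\d+: ([^:@]+)", line):        # "2: enp1s0: <...>"
            name, mac = m.group(1), None
        elif m := re.search(r"link/ether ([0-9a-f:]{17})", line):
            mac = m.group(1)
            nics[mac] = (name, [])
        elif (m := re.search(r"inet (\d+\.\d+\.\d+\.\d+)/", line)) and mac:
            nics[mac][1].append(m.group(1))
    return nics

ENDPOINT = re.compile(r"(\S+) \[([0-9a-f: ]+)\]")        # "IP [MAC]"

def triage(alerts, nics):
    """Classify each distinct (claimed IP, source MAC) pair in the alert rows."""
    verdicts = {}
    for row in alerts.splitlines():
        fields = row.split(";")
        m = ENDPOINT.match(fields[3]) if len(fields) > 4 and "ARP" in fields[1] else None
        if not m:                                         # header or non-ARP row
            continue
        ip, mac = m.group(1), m.group(2).replace(" ", "")  # tolerate stray spaces
        if mac not in nics:
            verdicts[(ip, mac)] = "unknown MAC: investigate"
        elif ip in nics[mac][1]:
            verdicts[(ip, mac)] = "consistent: %s owns this IP" % nics[mac][0]
        else:
            owner = next((n for n, ips in nics.values() if ip in ips), "no local NIC")
            verdicts[(ip, mac)] = "MAC of %s seen with IP configured on %s" % (nics[mac][0], owner)
    return verdicts
```

On the data above, the only pair reported is 192.168.200.101 with the MAC of enp1s0, while that address is configured on eno1: both MACs in the alert are the server's own interfaces.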