刚刚从我的 DNS 服务器的日志中注意到,显示有人通过端口 80 攻击我的服务器:
/var/log/bind.log:31-Jul-2020 03:25:50.536 query-errors: client @0x7f63345948a0 185.107.80.2#36045 (PEACECORPS.GOV): view internet: query failed (REFUSED) for PEACECORPS.GOV/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:31-Jul-2020 05:31:41.446 query-errors: client @0x7f63347273e0 144.217.34.151#53799 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:31-Jul-2020 11:28:20.928 query-errors: client @0x7f63345948a0 2.57.122.193#45066 (.): view internet: query failed (REFUSED) for ./IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:31-Jul-2020 14:21:50.516 query-errors: client @0x7f63345638a0 193.9.17.2#59905 (wzb.eu): view internet: query failed (REFUSED) for wzb.eu/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 07:51:58.756 query-errors: client @0x7f6334718db0 89.248.168.17#37241 (cpsc.gov): view internet: query failed (REFUSED) for cpsc.gov/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 18:09:37.112 query-errors: client @0x7f633801db20 83.97.20.164#21544 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:03.982 query-errors: client @0x7f6334689490 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:04.263 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:04.333 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:04.708 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:22.091 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:22.534 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:23.634 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:12:26.022 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:01.519 query-errors: client @0x7f63347d8eb0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:02.432 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:19.174 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:20.556 query-errors: client @0x7f633801db20 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:35.657 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:39.615 query-errors: client @0x7f633c0da830 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:51.414 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:13:57.623 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:07.363 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:15.991 query-errors: client @0x7f6334771730 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:25.212 query-errors: client @0x7f63347ca880 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:32.046 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:43.583 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:14:50.684 query-errors: client @0x7f6338289e50 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:01.011 query-errors: client @0x7f633c0da830 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:08.899 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:17.051 query-errors: client @0x7f63347e74e0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:26.382 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:33.001 query-errors: client @0x7f63347ca880 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:44.613 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:15:49.267 query-errors: client @0x7f63345948a0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:02.472 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:04.881 query-errors: client @0x7f6338289e50 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:20.139 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:21.184 query-errors: client @0x7f6334718db0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:37.295 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:37.725 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:53.255 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:16:55.799 query-errors: client @0x7f6334775120 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:09.169 query-errors: client @0x7f63346f2650 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:14.215 query-errors: client @0x7f6334771730 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:25.206 query-errors: client @0x7f63347d8eb0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:31.728 query-errors: client @0x7f633827b820 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:40.997 query-errors: client @0x7f63381611b0 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:50.548 query-errors: client @0x7f633827b820 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
/var/log/bind.log:01-Aug-2020 19:17:57.181 query-errors: client @0x7f63381dba30 37.49.224.64#80 (sl): view internet: query failed (REFUSED) for sl/IN/ANY at /bin/named/query.c:7145
想知道他们怎么能做到?
我的 DNS 服务器只允许端口 53 和 22 进入,并且还有进程通过 firewall-cmd 命令监控和阻止这些类型的 IP,如下所示:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="37.49.224.64" drop' --permanent
这通常适用于大多数攻击,但不适用于此 IP,尝试将区域从公共更改为阻止,将操作从丢弃更改为拒绝,没有任何效果。
最后我必须从外部防火墙阻止这个IP,然后最后把它拿出来。
想知道有人见过这种攻击吗?他们如何绕过本地防火墙?
任何建议将不胜感激!
您正在查看客户端查询日志,通常客户端会从一个临时端口中选择一个让您的 DNS 服务器响应。是的,您的服务器正在侦听端口 53,但您的客户端很可能会通过端口 49152 到 65535 从您的 DNS 服务器接收响应。事实上,您的查询流量源选择使用端口 80 作为回程端口是.. . 奇怪,但实际上无关紧要。我确信这是在客户端绕过网络安全的某种方法。或者任何试图滥用您的 DNS 服务器的软件的开发人员并不特别关心使用临时端口。谁知道。
至于您的防火墙,您需要运行其中一个
firewalld-cmd --reload或firewalld-cmd --complete-reload之后运行以确保规则得到处理。编辑:
需要明确的是,日志中的端口 80 根本不是指您的 DNS 服务器。这纯粹是指数据包返回客户端所需的回程。当你看到这个:
这意味着 DNS 响应将返回到 37.49.224.64:80,就像您在日志的第一行中看到的一样:
您的 DNS 服务器满足的任何 DNS 查询都返回到 185.107.80.2:36045
重申一下:没有流量通过端口 80 进入您的服务器,就像没有流量通过端口 36045 进入您的服务器一样。这些回程端口与您完全、完全、绝对无关。
从本质上讲,这是防火墙配置错误。通过 firewalld 区域、接口、规则排序或重新加载问题。
流量返回到外部 IP 的 80 端口。通常,提供的“源 IP 地址”被欺骗,并且有人试图将您的 DNS 服务器用作 DDOS 攻击的一部分——特别是反射器攻击。
您应该设置类似的东西
fail2ban来防止您的服务器被用于此类攻击。或者,为了缓解它,只需将您的防火墙配置为拒绝以下客户端端口1024。