在下面的日志记录中,我将我的 eth MAC 地址替换ETH_MAC_ADDRESS
为我的服务器的 IP,MY_SERVER_IP
并将其他 IP 替换为STRANGE_IP
加号以区分。
Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_1 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=MY_SERVER_IP DST=STRANGE_IP_1 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.803157] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47475 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=36766 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.816160] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47476 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=26493 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.831386] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47477 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=3269 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
如您所见,目标 IP 在记录的第一部分始终是我的服务器 IP,而源 IP 是第二部分。所有其他IP都不相同。
这持续了大约4个小时。在那段时间里,服务器的 CPU 负载非常低,甚至 SSH 连接都断开了。
ping 被 ufw 防火墙的前规则阻止。
这是DDos攻击吗?值得一提的是,几天前我们遇到了 DDos 攻击,而前一天我们尝试了 DDos 攻击,我们在 Cloudflare 仪表板中添加了防火墙规则来阻止该攻击。
有人可以解释如何识别日志中每条记录的括号 [] 中的第二部分吗?
猫 /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW的规则。
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
20/tcp ALLOW IN Anywhere
21/tcp ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
25/tcp ALLOW IN Anywhere
53/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
110/tcp ALLOW IN Anywhere
143/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
587/tcp ALLOW IN Anywhere
993/tcp ALLOW IN Anywhere
995/tcp ALLOW IN Anywhere
3306/tcp ALLOW IN Anywhere
8080/tcp ALLOW IN Anywhere
8081/tcp ALLOW IN Anywhere
10000/tcp ALLOW IN Anywhere
53/udp ALLOW IN Anywhere
3306/udp ALLOW IN Anywhere
2408/tcp ALLOW IN 173.245.48.0/20
2408/tcp ALLOW IN 103.21.244.0/22
2408/tcp ALLOW IN 103.22.200.0/22
2408/tcp ALLOW IN 103.31.4.0/22
2408/tcp ALLOW IN 141.101.64.0/18
2408/tcp ALLOW IN 108.162.192.0/18
2408/tcp ALLOW IN 190.93.240.0/20
2408/tcp ALLOW IN 188.114.96.0/20
2408/tcp ALLOW IN 197.234.240.0/22
2408/tcp ALLOW IN 198.41.128.0/17
2408/tcp ALLOW IN 162.158.0.0/15
2408/tcp ALLOW IN 104.16.0.0/12
2408/tcp ALLOW IN 172.64.0.0/13
2408/tcp ALLOW IN 131.0.72.0/22
22/tcp (OpenSSH) ALLOW IN Anywhere
143/tcp (Dovecot IMAP) ALLOW IN Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN Anywhere
25/tcp (Postfix) ALLOW IN Anywhere
465/tcp (Postfix SMTPS) ALLOW IN Anywhere
587/tcp (Postfix Submission) ALLOW IN Anywhere
20/tcp (v6) ALLOW IN Anywhere (v6)
21/tcp (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
25/tcp (v6) ALLOW IN Anywhere (v6)
53/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
110/tcp (v6) ALLOW IN Anywhere (v6)
143/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
587/tcp (v6) ALLOW IN Anywhere (v6)
993/tcp (v6) ALLOW IN Anywhere (v6)
995/tcp (v6) ALLOW IN Anywhere (v6)
3306/tcp (v6) ALLOW IN Anywhere (v6)
8080/tcp (v6) ALLOW IN Anywhere (v6)
8081/tcp (v6) ALLOW IN Anywhere (v6)
10000/tcp (v6) ALLOW IN Anywhere (v6)
53/udp (v6) ALLOW IN Anywhere (v6)
3306/udp (v6) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
143/tcp (Dovecot IMAP (v6)) ALLOW IN Anywhere (v6)
993/tcp (Dovecot Secure IMAP (v6)) ALLOW IN Anywhere (v6)
25/tcp (Postfix (v6)) ALLOW IN Anywhere (v6)
465/tcp (Postfix SMTPS (v6)) ALLOW IN Anywhere (v6)
587/tcp (Postfix Submission (v6)) ALLOW IN Anywhere (v6)
2408/tcp ALLOW IN 2400:cb00::/32
2408/tcp ALLOW IN 2606:4700::/32
2408/tcp ALLOW IN 2803:f800::/32
2408/tcp ALLOW IN 2405:b500::/32
2408/tcp ALLOW IN 2405:8100::/32
2408/tcp ALLOW IN 2a06:98c0::/29
2408/tcp ALLOW IN 2c0f:f248::/32
更新:
还有一些奇怪的 SSH(?) 连接:
网络统计-nt | grep:22
tcp 0 69 MYSERVERIP:22 STRANGEIP_1:44930 FIN_WAIT1
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED
tcp 0 1 MYSERVERIP:22 STRANGEIP_3:40132 LAST_ACK
tcp 0 68 MYSERVERIP:22 STRANGEIP_4:50132 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_6:43152 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED
网络统计-nputw | grep 'sshd'
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED 2525/sshd: unknown
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED 2558/sshd: unknown
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED 15911/sshd: root@no
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED 2466/sshd: root [pr
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED 15554/sshd: root@pt
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED 2596/sshd: unknown
以上是现在,但服务器似乎没有问题,并且 UFW 没有记录初始请求。
签入 /var/log/auth.log 后,上面的内容只是authentication failure
. 我不知道他们出现在 netstat 中。
此致
这些是标准的 ICMPv4 响应。您可以通过类型和代码准确判断目标主机正在向您的主机发送什么响应。
在这两种情况下,类型都是 3,无法到达目的地。第一种情况的代码是3,端口不可达,第二种情况的代码是1,主机不可达。第一个 ICMP 响应将导致程序返回(可能更熟悉的)错误
Connection refused
,第二个将返回错误No route to host
。诸如此类的 ICMP 响应会返回导致响应的数据包的副本。此处,该数据包显示在方括号中。它在目标端口 389 上显示从您的 IP 地址到每个远程服务器的UDP 流量。
由于每个数据包的源端口都相同,因此该流量很可能是被欺骗的:它很可能来自某个不可知的地方,并且是专门发送的,以便这些 ICMP 响应到达您的系统。这可能是一次拒绝服务的尝试,但如果是这样,那是一次非常糟糕的尝试。这也可能是试图通过虚假流量向您的服务提供商提出滥用投诉。也可能是有人试图攻击那些远程系统,并且不小心使用了您的 IP 地址而不是他自己的 IP 地址作为源。
虽然它很可能是欺骗性流量,但它实际上有可能确实来自您的系统。但是,如果有,防火墙会将它们视为对系统发起的流量的响应,并且不会阻止它们。您可能仍希望查看您的系统以确保您已处理任何可能的安全漏洞。