成功粉碎一起来自四川的网络攻击
攻击现象
时间:2011.12.09 14:25
刚才用SecureCRT登录到公司的Linux服务器之后,不久之后再用SecureCRT重新开一屏登录报错“Connection reset by peer”,从本地Linux上使用sftp下载文件也报错:
[root@node57 backup]# sftp xxx.xx.xxx.xx
Connecting to xxx.xx.xxx.xx...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer
[root@node57 backup]# sftp xxx.xx.xxx.xx
Connecting to xxx.xx.xxx.xx...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer
解决过程
幸好,已经登录的那个ssh会话还没有断开,并且能正常响应,先用w命令看一下:
[root@web ~]# w
14:29:12 up 494 days, 17:58, 2 users, load average: 0.02, 0.44, 1.15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/2 cvsbank 14:08 19.00s 0.63s 0.63s -bash
root pts/3 cvsbank 14:16 0.00s 0.33s 0.00s w
[root@web ~]#
看上去挺正常。再用netstat看一下:
[root@web ~]# netstat -anp | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2701/sshd
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3921 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3927 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3911 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3917 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3954 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3953 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3957 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3941 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3946 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3950 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3949 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3986 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3993 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3970 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3968 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3974 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3972 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3973 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3977 TIME_WAIT -
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4020 ESTABLISHED 25876/sshd: root [p
tcp 808 704 xxx.xx.xxx.xx:22 182.131.134.162:4024 ESTABLISHED 25884/sshd: [accept
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4003 ESTABLISHED 25824/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4006 ESTABLISHED 25836/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4004 ESTABLISHED 25828/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4005 ESTABLISHED 25832/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4010 ESTABLISHED 25846/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4009 ESTABLISHED 25842/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4014 ESTABLISHED 25862/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4015 ESTABLISHED 25866/sshd: root [p
tcp 0 200 xxx.xx.xxx.xx:22 yy.yyy.yy.yy:47887 ESTABLISHED 19397/3
(其中,xxx.xx.xxx.xx是服务器ip地址,yy.yyy.yy.yy是我的机器的地址。)
哇,这么多相同的地址,看来是有人试图从182.131.134.162来进行ssh登录,
到http://www.ip138.com/查下这个地址:
ip138.com IP查询(搜索IP地址的地理位置) |
您查询的IP:182.131.134.162 |
|
我现在要做的是禁止此地址访问:
[root@web ~]# iptables -I INPUT -s 182.131.134.162 -j DROP
[root@web ~]#
再来看看有没有
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4284 ESTABLISHED 26478/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4285 ESTABLISHED 26482/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4290 ESTABLISHED 26493/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4291 ESTABLISHED 26498/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4295 ESTABLISHED 26506/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4293 ESTABLISHED 26502/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4298 ESTABLISHED 26510/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4299 ESTABLISHED 26514/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4302 ESTABLISHED 26518/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4303 ESTABLISHED 26522/sshd: root [n
杀掉这些列出的进程
[root@web ~]# kill 26478 26482 26493 26498 26506 26502 26510 26514 26518 26522
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4284 ESTABLISHED 26481/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4285 ESTABLISHED 26489/sshd: root [n
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]# kill 26481 26489
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4284 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4285 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4284 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4285 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]#
[root@web ~]#
[root@web ~]#
[root@web ~]#
过一会再看一下:
[root@web ~]# netstat -anp | grep 182.131.134.162
[root@web ~]#
终于搞定了。ssh登录和sftp下文件都正常了。
再次列出关键命令,用于禁止某个ip地址访问服务器:
iptables -I INPUT -s 182.131.134.162 -j DROP
更多相关的做法参见
iptables封ip段linux http://profile.8j.com/question/113/40/840.htm