Linux安全网 - Linux操作系统_Linux 命令_Linux教程_Linux黑客

绿色网站无广告
会员投稿 投稿指南 本期推荐:
搜索:
您的位置: Linux安全网 > Linux培训 > » 正文

成功粉碎一起来自四川的网络攻击

来源: codingstandards 分享至:

成功粉碎一起来自四川的网络攻击

攻击现象

时间:2011.12.09 14:25

刚才用SecureCRT登录到公司的Linux服务器之后,不久之后再用SecureCRT重新开一屏登录报错“Connection reset by peer”,从本地Linux上使用sftp下载文件也报错:

[root@node57 backup]# sftp xxx.xx.xxx.xx
Connecting to xxx.xx.xxx.xx...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer

[root@node57 backup]# sftp xxx.xx.xxx.xx
Connecting to xxx.xx.xxx.xx...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer

解决过程

幸好,已经登录的那个ssh会话还没有断开,并且能正常响应,先用w命令看一下:

[root@web ~]# w
14:29:12 up 494 days, 17:58, 2 users, load average: 0.02, 0.44, 1.15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/2 cvsbank 14:08 19.00s 0.63s 0.63s -bash
root pts/3 cvsbank 14:16 0.00s 0.33s 0.00s w
[root@web ~]#

看上去挺正常。再用netstat看一下:

[root@web ~]# netstat -anp | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2701/sshd
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3921 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3927 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3911 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3917 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3954 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3953 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3957 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3941 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3946 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3950 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3949 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3986 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3993 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3970 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3968 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3974 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3972 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3973 TIME_WAIT -
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:3977 TIME_WAIT -
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4020 ESTABLISHED 25876/sshd: root [p
tcp 808 704 xxx.xx.xxx.xx:22 182.131.134.162:4024 ESTABLISHED 25884/sshd: [accept
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4003 ESTABLISHED 25824/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4006 ESTABLISHED 25836/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4004 ESTABLISHED 25828/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4005 ESTABLISHED 25832/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4010 ESTABLISHED 25846/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4009 ESTABLISHED 25842/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4014 ESTABLISHED 25862/sshd: root [p
tcp 0 0 xxx.xx.xxx.xx:22 182.131.134.162:4015 ESTABLISHED 25866/sshd: root [p
tcp 0 200 xxx.xx.xxx.xx:22 yy.yyy.yy.yy:47887 ESTABLISHED 19397/3

(其中,xxx.xx.xxx.xx是服务器ip地址,yy.yyy.yy.yy是我的机器的地址。)

哇,这么多相同的地址,看来是有人试图从182.131.134.162来进行ssh登录,

到http://www.ip138.com/查下这个地址:

ip138.com IP查询(搜索IP地址的地理位置)

您查询的IP:182.131.134.162

  • 本站主数据:四川省广安市 电信
  • 参考数据一:四川省成都市 电信

我现在要做的是禁止此地址访问:

[root@web ~]# iptables -I INPUT -s 182.131.134.162 -j DROP
[root@web ~]#

再来看看有没有

[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4284 ESTABLISHED 26478/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4285 ESTABLISHED 26482/sshd: root [p
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4290 ESTABLISHED 26493/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4291 ESTABLISHED 26498/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4295 ESTABLISHED 26506/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4293 ESTABLISHED 26502/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4298 ESTABLISHED 26510/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4299 ESTABLISHED 26514/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4302 ESTABLISHED 26518/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4303 ESTABLISHED 26522/sshd: root [n

杀掉这些列出的进程
[root@web ~]# kill 26478 26482 26493 26498 26506 26502 26510 26514 26518 26522
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4284 ESTABLISHED 26481/sshd: root [n
tcp 0 84 xxx.xx.xxx.xx:22 182.131.134.162:4285 ESTABLISHED 26489/sshd: root [n
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]# kill 26481 26489
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4284 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4285 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]# netstat -anp | grep 182.131.134.162
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4284 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4285 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4290 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4291 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4295 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4293 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4298 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4299 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4302 FIN_WAIT1 -
tcp 0 85 xxx.xx.xxx.xx:22 182.131.134.162:4303 FIN_WAIT1 -
[root@web ~]#
[root@web ~]#
[root@web ~]#
[root@web ~]#

过一会再看一下:
[root@web ~]# netstat -anp | grep 182.131.134.162
[root@web ~]#

终于搞定了。ssh登录和sftp下文件都正常了。

再次列出关键命令,用于禁止某个ip地址访问服务器:

iptables -I INPUT -s 182.131.134.162 -j DROP

更多相关的做法参见

iptables封ip段linux http://profile.8j.com/question/113/40/840.htm

转载本文请注明出处:http://codingstandards.iteye.com/blog/1299936


Tags:
分享至:
最新图文资讯
1 2 3 4 5 6
验证码:点击我更换图片 理智评论文明上网,拒绝恶意谩骂 用户名:
关于我们 - 联系我们 - 广告服务 - 友情链接 - 网站地图 - 版权声明 - 发展历史