Port-Forwarding
Are random packets normal?
About a month ago, on one of my servers, I started receiving random packets from IP addresses all over the world. So I did the smart thing and stopped putting off installing an IDS. The IDS is a ClearOS gateway with Snort and SnortSam. I enabled it along with all the categories. The "Network Scan" category is there, which means it should detect port scans and the like.
A total of 4 ports are open, two of which are forwarded to the server I mentioned. Those ports are 3724 and 8085, so they are not easily found in a port scan.
But checking some logs on that server, I found that the attacks have resumed. I found this:
...
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
Accepting connection from '97.88.139.39'
[Auth] got unknown packet from '97.88.139.39'
Accepting connection from '173.35.62.112'
[Auth] got unknown packet from '173.35.62.112'
Accepting connection from '187.15.10.73'
[Auth] got unknown packet from '187.15.10.73'
Accepting connection from '66.66.94.124'
[Auth] got unknown packet from '66.66.94.124'
Accepting connection from '75.159.219.124'
[Auth] got unknown packet from '75.159.219.124'
Accepting connection from '99.102.100.82'
[Auth] got unknown packet from '99.102.100.82'
Accepting connection from '24.128.240.45'
[Auth] got unknown packet from '24.128.240.45'
Accepting connection from '99.231.7.39'
[Auth] got unknown packet from '99.231.7.39'
Accepting connection from '206.255.79.56'
[Auth] got unknown packet from '206.255.79.56'
Accepting connection from '68.97.106.235'
[Auth] got unknown packet from '68.97.106.235'
Accepting connection from '69.134.67.251'
[Auth] got unknown packet from '69.134.67.251'
Accepting connection from '63.228.138.186'
[Auth] got unknown packet from '63.228.138.186'
Accepting connection from '184.39.146.193'
[Auth] got unknown packet from '184.39.146.193'
Accepting connection from '69.171.161.102'
[Auth] got unknown packet from '69.171.161.102'
Accepting connection from '76.0.47.228'
[Auth] got unknown packet from '76.0.47.228'
Ping MySQL to keep connection alive
Accepting connection from '126.112.201.14'
[Auth] got unknown packet from '126.112.201.14'
Ping MySQL to keep connection alive
Now this scares me. Why didn't Snort detect this? How did they find this particular port?
More importantly, what do these packets usually contain? Is this something I should be worried about? How can I stop it?
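Before tuning the IDS, it helps to know what the server log above actually says. The following script is an added example and is not part of the question or the answer: it parses log text in the shape shown in the post and reduces it to a few triage numbers, namely how many distinct sources sent unknown packets, whether any source came back more than once, and whether every accepted connection ended in an unknown packet. The sample log inside it is constructed (RFC 5737 documentation addresses, not the ones in the post), and the regular expressions assume the message format shown in the log excerpt.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the auth-server log excerpt in the
# question. The addresses are RFC 5737 documentation ranges, not the ones
# that appear in the post. One line deliberately has two entries run
# together, as in the extracted log.
SAMPLE_LOG = """\
Accepting connection from '203.0.113.10' [Auth] got unknown packet from '203.0.113.10'
Accepting connection from '198.51.100.7'
[Auth] got unknown packet from '198.51.100.7'
Ping MySQL to keep connection alive
Accepting connection from '203.0.113.10'
[Auth] got unknown packet from '203.0.113.10'
Accepting connection from '192.0.2.33'
[Auth] got unknown packet from '192.0.2.33'
Accepting connection from '192.0.2.34'
[Auth] got unknown packet from '192.0.2.34'
"""

# Message formats assumed from the log excerpt in the question.
ACCEPT_RE = re.compile(r"Accepting connection from '(?P<ip>[0-9.]+)'")
UNKNOWN_RE = re.compile(r"\[Auth\] got unknown packet from '(?P<ip>[0-9.]+)'")


def parse_auth_log(text):
    """Count accepted connections and unknown-packet events per source IP.

    Matching is done over the whole text rather than line by line, so it
    also copes with excerpts where several entries were run together on
    one line.
    """
    accepted = Counter(m.group("ip") for m in ACCEPT_RE.finditer(text))
    unknown = Counter(m.group("ip") for m in UNKNOWN_RE.finditer(text))
    return accepted, unknown


def summarize(text, repeat_threshold=2):
    """Reduce the log to the numbers that matter for triage."""
    accepted, unknown = parse_auth_log(text)
    return {
        # how many different sources sent something the auth handler rejected
        "distinct_sources": len(unknown),
        "total_unknown": sum(unknown.values()),
        # sources that came back at least repeat_threshold times
        "repeat_offenders": sorted(
            ip for ip, n in unknown.items() if n >= repeat_threshold
        ),
        # True when no accepted connection ever sent a valid auth packet
        "all_unknown": all(accepted[ip] == unknown[ip] for ip in accepted),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real log file instead of SAMPLE_LOG to see whether the traffic is many single-shot probes from different sources, which a per-source rate threshold in an IDS will not catch, or a few persistent sources that a source-based block at the gateway would stop.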
Like most IDSs, Snort is a very complex technology that takes a lot of effort before it starts producing useful results. Tuning requires both spending a lot of time analysing alerts and understanding the services in use, in order to decide which rule sets need to be enabled and which disabled. Knowing that you are particularly interested in two services does help narrow down what might be useful to you.
Looking at the official SourceFire rules as well as the third-party EmergingThreats ones, the only alerts I found were matches for World of Warcraft login success and failure. I would start by searching the SourceFire rules site for your services. You would also benefit from reading about the sfPortscan preprocessor in the manual.
Unfortunately, I don't know much about ClearOS and how they wrap the management of applications. However, once you get used to the verbosity, the snort application is actually fairly easy to read.