Port-Forwarding

Are random packets normal?

  • January 11, 2011

About a month ago, on one of my servers, I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. The IDS is a ClearOS gateway with Snort and SnortSam. I enabled it and all of the categories. The "network scan" category is in there, which means it should detect port scans and the like.

There are 4 ports open in total, two of which are forwarded to the server I mentioned. Those ports are 3724 and 8085, so they are not easy to pick up in a port scan.

But checking some logs on that server, I found that the attacks had resumed. I found this:

...
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
Accepting connection from '97.88.139.39'
[Auth] got unknown packet from '97.88.139.39'
Accepting connection from '173.35.62.112'
[Auth] got unknown packet from '173.35.62.112'
Accepting connection from '187.15.10.73'
[Auth] got unknown packet from '187.15.10.73'
Accepting connection from '66.66.94.124'
[Auth] got unknown packet from '66.66.94.124'
Accepting connection from '75.159.219.124'
[Auth] got unknown packet from '75.159.219.124'
Accepting connection from '99.102.100.82'
[Auth] got unknown packet from '99.102.100.82'
Accepting connection from '24.128.240.45'
[Auth] got unknown packet from '24.128.240.45'
Accepting connection from '99.231.7.39'
[Auth] got unknown packet from '99.231.7.39'
Accepting connection from '206.255.79.56'
[Auth] got unknown packet from '206.255.79.56'
Accepting connection from '68.97.106.235'
[Auth] got unknown packet from '68.97.106.235'
Accepting connection from '69.134.67.251'
[Auth] got unknown packet from '69.134.67.251'
Accepting connection from '63.228.138.186'
[Auth] got unknown packet from '63.228.138.186'
Accepting connection from '184.39.146.193'
[Auth] got unknown packet from '184.39.146.193'
Accepting connection from '69.171.161.102'
[Auth] got unknown packet from '69.171.161.102'
Accepting connection from '76.0.47.228'
[Auth] got unknown packet from '76.0.47.228'
Ping MySQL to keep connection alive
Accepting connection from '126.112.201.14'
[Auth] got unknown packet from '126.112.201.14'
Ping MySQL to keep connection alive

Now this scares me. Why did Snort not detect this? How did they find this particular port?

More importantly, what do these packets usually contain? Is this something I should be worried about? How can I stop it?

Like most IDSes, Snort is a very complex technology that takes a lot of effort before it starts producing useful results. Tuning means spending a lot of time analysing alerts, and also knowing which services are exposed, so that you can decide which rule sets need to be enabled and which disabled. Knowing that you are specifically interested in two services does help narrow down what may be useful to you.

Looking at the official SourceFire rules as well as the third-party EmergingThreats ones, the only alerts I found were ones matching World of Warcraft login success and failure. I would start by searching the SourceFire rules site for your services. You could also benefit from reading about the sfPortscan preprocessor in the manual.

Unfortunately, I don't know ClearOS well, or how they wrap the management of the application. However, once you get past the verbosity, the snort application is actually fairly easy to read.
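As an added example, not part of the original question or answer, here is a small Python script that runs defender-side detection logic over log lines in the shape of the ones quoted in the question. The sample log is constructed: its first lines copy the shape of the quoted log, while 203.0.113.5 (a documentation-range address used as a hypothetical repeat offender) and 10.0.0.7 (a hypothetical legitimate client) are added so that every check has something to report. The point it shows is why a per-source threshold, the way port-scan detectors usually count, stays quiet on the question's log: every address sends exactly one junk packet, so the signal is the number of distinct sources hitting the service, not any single one of them.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log. The first four connections copy the shape of the
# log quoted in the question; 203.0.113.5 (a documentation-range address) is a
# hypothetical repeat offender and 10.0.0.7 a hypothetical legitimate client,
# both added here so that every branch of the analysis has something to report.
SAMPLE_LOG = """\
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '203.0.113.5'
[Auth] got unknown packet from '203.0.113.5'
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '203.0.113.5'
[Auth] got unknown packet from '203.0.113.5'
Accepting connection from '203.0.113.5'
[Auth] got unknown packet from '203.0.113.5'
Accepting connection from '10.0.0.7'
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACCEPT_RE = re.compile(r"^Accepting connection from '" + IPV4 + r"'$")
UNKNOWN_RE = re.compile(r"^\[Auth\] got unknown packet from '" + IPV4 + r"'$")


def parse_log(text: str) -> Tuple[Counter, Counter]:
    """Count accepted connections and unknown-packet events per source IP."""
    accepted: Counter = Counter()
    unknown: Counter = Counter()
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            accepted[m.group(1)] += 1
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            unknown[m.group(1)] += 1
    return accepted, unknown


def repeat_offenders(unknown: Counter, threshold: int = 3) -> List[str]:
    """Sources that sent at least `threshold` unknown packets: the classic
    per-source rule, the kind of thing an automated block can act on."""
    return sorted(ip for ip, n in unknown.items() if n >= threshold)


def garbage_only_sources(accepted: Counter, unknown: Counter) -> List[str]:
    """Sources for which every accepted connection ended in an unknown packet,
    i.e. addresses from which no client ever spoke the real protocol."""
    return sorted(ip for ip in accepted if unknown.get(ip, 0) == accepted[ip])


def analyse(text: str, threshold: int = 3, spray_min_sources: int = 3) -> Dict[str, object]:
    """Summarise the log with both a per-source view and a fleet-wide view."""
    accepted, unknown = parse_log(text)
    singletons = [ip for ip, n in unknown.items() if n == 1]
    return {
        "distinct_sources": len(accepted),
        "unknown_packets": sum(unknown.values()),
        "repeat_offenders": repeat_offenders(unknown, threshold),
        "garbage_only_sources": garbage_only_sources(accepted, unknown),
        # Many distinct sources each sending one junk packet is the pattern in
        # the question: no per-source threshold trips, but the number of
        # distinct sources does, so report it as a distributed spray.
        "distributed_spray": len(singletons) >= spray_min_sources,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log from the question, `repeat_offenders` would come back empty while `distributed_spray` would be true, which is the gap the question is really asking about: a per-address rule, whether in this script or in a port-scan preprocessor, only fires on addresses that come back, so the fleet-wide count is the number worth alerting on.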

Quoted from: https://serverfault.com/questions/220924