Are random packets normal?

About a month ago, on one of my servers, I started receiving random packets from IP addresses all over the world. So I did the smart thing and stopped putting off installing an IDS. The IDS is the ClearOS gateway, which ships with Snort and SnortSam. I enabled it along with all of the classifications. The "network scan" classification is in there, which means it should detect port scans and the like.

There are 4 ports open in total, two of which are forwarded to the server I am talking about. Those ports are 3724 and 8085, so they are not easy to find in a port scan.

However, when checking some of this server's logs, I found that the attacks had resumed. I found this:

...
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
Accepting connection from '97.88.139.39'
[Auth] got unknown packet from '97.88.139.39'
Accepting connection from '173.35.62.112'
[Auth] got unknown packet from '173.35.62.112'
Accepting connection from '187.15.10.73'
[Auth] got unknown packet from '187.15.10.73'
Accepting connection from '66.66.94.124'
[Auth] got unknown packet from '66.66.94.124'
Accepting connection from '75.159.219.124'
[Auth] got unknown packet from '75.159.219.124'
Accepting connection from '99.102.100.82'
[Auth] got unknown packet from '99.102.100.82'
Accepting connection from '24.128.240.45'
[Auth] got unknown packet from '24.128.240.45'
Accepting connection from '99.231.7.39'
[Auth] got unknown packet from '99.231.7.39'
Accepting connection from '206.255.79.56'
[Auth] got unknown packet from '206.255.79.56'
Accepting connection from '68.97.106.235'
[Auth] got unknown packet from '68.97.106.235'
Accepting connection from '69.134.67.251'
[Auth] got unknown packet from '69.134.67.251'
Accepting connection from '63.228.138.186'
[Auth] got unknown packet from '63.228.138.186'
Accepting connection from '184.39.146.193'
[Auth] got unknown packet from '184.39.146.193'
Accepting connection from '69.171.161.102'
[Auth] got unknown packet from '69.171.161.102'
Accepting connection from '76.0.47.228'
[Auth] got unknown packet from '76.0.47.228'
Ping MySQL to keep connection alive
Accepting connection from '126.112.201.14'
[Auth] got unknown packet from '126.112.201.14'
Ping MySQL to keep connection alive

Now this scares me. Why didn't Snort detect this? How could they find this particular port?

More importantly, what do these packets usually contain? Is this something I should be worried about? How can I stop it?

Like most IDSes, Snort is a very complex piece of technology that takes a lot of effort before it starts producing useful results. Tuning requires both a lot of time spent analyzing alerts and knowing which services you offer, so that you can determine which rule sets need to be enabled and which need to be disabled. Knowing that you are interested in two services in particular helps narrow down what might be useful to you.

Going through the official SourceFire rules as well as the third-party EmergingThreats rules, the only alerts I found are the ones matching World of Warcraft login success and failure. I would start by searching the SourceFire rules site for your services. You could also benefit from reading about the sfPortscan preprocessor in the manual.

Unfortunately, I know little about ClearOS and how they package application management. However, the Snort application is actually a fairly simple read once you get past the verbosity.
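To make the tuning advice above concrete, here is an added example (not code from the question, the answer, or any of the tools named on this page) that runs over log lines in the format the asker posted and answers the first question a practitioner would ask: is this one host hammering the auth port, or many hosts each sending a single bad packet? The log format is assumed from the posted excerpt, the excerpt below is a constructed subset of it, the single-source contrast case uses a documentation address (203.0.113.7) and is made up, and the thresholds are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the authserver log posted in the question,
# one event per line, same format.
SAMPLE_LOG = """\
Accepting connection from '75.166.155.122'
[Auth] got unknown packet from '75.166.155.122'
Accepting connection from '98.164.154.93'
[Auth] got unknown packet from '98.164.154.93'
Ping MySQL to keep connection alive
Accepting connection from '70.241.195.129'
[Auth] got unknown packet from '70.241.195.129'
Accepting connection from '67.182.229.169'
[Auth] got unknown packet from '67.182.229.169'
Accepting connection from '69.137.140.38'
[Auth] got unknown packet from '69.137.140.38'
Accepting connection from '76.31.72.55'
[Auth] got unknown packet from '76.31.72.55'
"""

# Constructed contrast case (not from the post): one source repeatedly
# reconnecting and sending bad packets, the shape of brute force or fuzzing.
SAMPLE_LOG_SINGLE_SOURCE = """\
Accepting connection from '203.0.113.7'
[Auth] got unknown packet from '203.0.113.7'
Accepting connection from '203.0.113.7'
[Auth] got unknown packet from '203.0.113.7'
Accepting connection from '203.0.113.7'
[Auth] got unknown packet from '203.0.113.7'
Accepting connection from '203.0.113.7'
[Auth] got unknown packet from '203.0.113.7'
"""

ACCEPT_RE = re.compile(r"^Accepting connection from '([0-9.]+)'$")
UNKNOWN_RE = re.compile(r"^\[Auth\] got unknown packet from '([0-9.]+)'$")


def parse_auth_log(text):
    """Count accepted connections and unknown-packet events per source IP.

    Lines matching neither pattern (e.g. the MySQL keep-alive pings) are ignored.
    """
    connections = Counter()
    unknown = Counter()
    for line in text.splitlines():
        line = line.strip()
        m = ACCEPT_RE.match(line)
        if m:
            connections[m.group(1)] += 1
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            unknown[m.group(1)] += 1
    return connections, unknown


def classify(connections, unknown, min_sources=5, min_repeats=3):
    """Label the traffic pattern described by the two counters.

    'normal'             unknown packets are rare relative to connections
    'single-source'      at least one IP sent min_repeats or more bad packets
    'distributed-probe'  min_sources or more IPs, each sending exactly one
    'inconclusive'       anything in between
    Thresholds are assumed values for illustration only.
    """
    total_conn = sum(connections.values())
    total_unknown = sum(unknown.values())
    if total_conn == 0 or total_unknown * 2 < total_conn:
        return "normal"
    if max(unknown.values()) >= min_repeats:
        return "single-source"
    if len(unknown) >= min_sources and max(unknown.values()) == 1:
        return "distributed-probe"
    return "inconclusive"


def report(text):
    """Summarize a log excerpt as a dict a SOC analyst could act on."""
    connections, unknown = parse_auth_log(text)
    return {
        "connections": sum(connections.values()),
        "distinct_sources": len(connections),
        "unknown_packets": sum(unknown.values()),
        "busiest_source": max(unknown, key=unknown.get) if unknown else None,
        "verdict": classify(connections, unknown),
    }


if __name__ == "__main__":
    for name, log in (("posted excerpt", SAMPLE_LOG),
                      ("single source", SAMPLE_LOG_SINGLE_SOURCE)):
        print(name, report(log))
```

The verdict matters for the "how can I stop it" question: a single-source pattern is what a per-IP ban on this log line (fail2ban-style) handles well, while the distributed pattern in the posted excerpt is one completed TCP connection per host to one open port, which at the network layer looks like any other client. That is also why the sfPortscan preprocessor mentioned above stays quiet: it models a single source touching many ports or many hosts, not many sources each touching one port, so catching this traffic in Snort means a rule on the payload of the first packet rather than a scan detector.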