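I was working on the server at night and, with my head spinning, ran netstat -an | grep ESTA. Suddenly I saw that, besides my own IP, there was another IP connected to ssh (ESTA). Without thinking much about it, I ran w, saw nobody else logged in, and blocked that IP at the firewall right away. Then I thought about it, heh, and remembered: it was only an ssh probe, a false alarm. I then went to look at auth.log, and sure enough: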
- Feb 21 03:06:10 mail sshd[65885]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:13 mail sshd[65887]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:16 mail sshd[65889]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:19 mail sshd[65891]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:22 mail sshd[65893]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:25 mail sshd[65895]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:28 mail sshd[65897]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:31 mail sshd[65899]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:33 mail sshd[65901]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:36 mail sshd[65903]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:39 mail sshd[65905]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:42 mail sshd[65907]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:45 mail sshd[65909]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:48 mail sshd[65911]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:51 mail sshd[65913]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:54 mail sshd[65915]: Illegal user admin from 210.167.133.6
- Feb 21 03:06:54 mail sshd[65915]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:57 mail sshd[65917]: Illegal user admin from 210.167.133.6
- Feb 21 03:06:57 mail sshd[65917]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:06:59 mail sshd[65919]: Illegal user admin from 210.167.133.6
- Feb 21 03:06:59 mail sshd[65919]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:07:02 mail sshd[65921]: Illegal user admin from 210.167.133.6
- Feb 21 03:07:02 mail sshd[65921]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
- Feb 21 03:07:05 mail sshd[65923]: Illegal user admin from 210.167.133.6
I was going to just take a look and leave it at that, but then I saw it was JP, so:
- mail# whois 210.167.133.6
- ...
- ...
- inetnum: 210.160.0.0 - 210.175.255.255
- netname: JPNIC-NET-JP
- descr: Japan Network Information Center
- country: JP
- admin-c: JNIC1-AP
- tech-c: JNIC1-AP
- remarks: JPNIC Allocation Block
- remarks: Authoritative information regarding assignments and
- remarks: allocations made from within this block can also be
- remarks: queried at whois.nic.ad.jp. To obtain an English
- remarks: output query whois -h whois.nic.ad.jp x.x.x.x/e
- mnt-by: MAINT-JPNIC
- changed: apnic-ftp@nic.ad.jp 19991208
- status: ALLOCATED PORTABLE
- source: APNIC
- role: Japan Network Information Center
- address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
- address: Chiyoda-ku, Tokyo 101-0047, Japan
- country: JP
- phone: +81-3-5297-2311
- fax-no: +81-3-5297-2312
- e-mail: hostmaster@nic.ad.jp
- admin-c: JI13-AP
- tech-c: JE53-AP
- nic-hdl: JNIC1-AP
- mnt-by: MAINT-JPNIC
- changed: hm-changed@apnic.net 20041222
- changed: hm-changed@apnic.net 20050324
- changed: ip-apnic@nic.ad.jp 20051027
- source: APNIC
- inetnum: 210.167.133.0 - 210.167.133.255
- netname: MEDIA-ZOO
- descr: media-zoo.,inc
- country: JP
- admin-c: NS4220JP
- tech-c: NS4220JP
- remarks: This information has been partially mirrored by APNIC from
- remarks: JPNIC. To obtain more specific information, please use the
- remarks: JPNIC WHOIS Gateway at
- remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
- remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
- remarks: defaults to Japanese output, use the /e switch for English
- remarks: output)
- changed: apnic-ftp@nic.ad.jp 20050825
- changed: apnic-ftp@nic.ad.jp 20051219
- source: JPNIC
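My head was already spinning from work and I had no time or energy to deal with them. I don't know how to do anything else, so all I could do was block them: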
- 09800 0 0 deny ip from 210.160.0.0/16 to me
- 09801 0 0 deny ip from 210.161.0.0/16 to me
- 09802 0 0 deny ip from 210.162.0.0/16 to me
- 09803 0 0 deny ip from 210.163.0.0/16 to me
- 09804 0 0 deny ip from 210.164.0.0/16 to me
- 09805 0 0 deny ip from 210.165.0.0/16 to me
- 09806 0 0 deny ip from 210.166.0.0/16 to me
- 09807 0 0 deny ip from 210.167.0.0/16 to me
- 09808 0 0 deny ip from 210.168.0.0/16 to me
- 09809 0 0 deny ip from 210.169.0.0/16 to me
- 09810 0 0 deny ip from 210.170.0.0/16 to me
- 09811 0 0 deny ip from 210.171.0.0/16 to me
- 09812 0 0 deny ip from 210.172.0.0/16 to me
- 09813 0 0 deny ip from 210.173.0.0/16 to me
- 09814 0 0 deny ip from 210.174.0.0/16 to me
- 09815 0 0 deny ip from 210.175.0.0/16 to me
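I couldn't be bothered to work out the netmask, so I just added 16 rules.
Done for the day. Off to bed.
BTW: just before logging off, I found another ssh probe connection, this time from a Jilin China Netcom range. Sigh, speechless. I couldn't be bothered to block it either. These kids get hold of a scanner and treat it like a treasure; no point getting worked up. Besides, what good can come of going after servers in your own country like this?
Embarrassing. Enough said.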
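The auth.log check described in the post can be automated. The following is an added example, not part of the original post: it groups sshd "Illegal user" and reverse-mapping-failure lines by source address and flags addresses that open many sessions in a short time. The sample log is constructed (documentation addresses), and the thresholds and the `year` default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the auth.log excerpt in the post.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Feb 21 03:06:10 mail sshd[65885]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Feb 21 03:06:13 mail sshd[65887]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Feb 21 03:06:54 mail sshd[65915]: Illegal user admin from 192.0.2.10
Feb 21 03:06:54 mail sshd[65915]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Feb 21 03:06:57 mail sshd[65917]: Illegal user admin from 192.0.2.10
Feb 21 03:09:30 mail sshd[66001]: Illegal user test from 198.51.100.7
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user (?P<user>\S+) from (?P<ip1>\S+)"
    r"|Address (?P<ip2>\S+) maps to \S+, but this does not map back)")

def summarize(log_text, year=2000):
    """Group probe lines by source IP: sshd PIDs (sessions), users tried, timestamps."""
    hosts = defaultdict(lambda: {"pids": set(), "users": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated log line
        h = hosts[m["ip1"] or m["ip2"]]
        h["pids"].add(m["pid"])  # one sshd child per connection
        if m["user"]:
            h["users"].add(m["user"])
        # syslog timestamps carry no year; the caller supplies one (assumption)
        h["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return hosts

def flag_probes(hosts, min_sessions=3, window=timedelta(minutes=5)):
    """Return {ip: (sessions, users_tried, seconds)} for bursts of sshd sessions."""
    flagged = {}
    for ip, h in hosts.items():
        span = max(h["times"]) - min(h["times"])
        if len(h["pids"]) >= min_sessions and span <= window:
            flagged[ip] = (len(h["pids"]), sorted(h["users"]), span.total_seconds())
    return flagged

if __name__ == "__main__":
    for ip, (n, users, secs) in flag_probes(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: {n} sessions in {secs:.0f}s, users tried: {users}")
```

Counting distinct sshd PIDs rather than lines avoids double-counting a connection that logs both message types.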
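On the netmask the post skips: the following is an added example, not part of the original post, that converts the whois `inetnum` ranges to CIDR, picks the most specific registered block containing the probing address, and collapses the 16 /16 rules into their single equivalent network. `WHOIS_TEXT` copies only the inetnum/netname lines from the whois output in the post; `POST_RULES` rebuilds the "deny ip from ... to me" part of the 16 rules.

```python
import ipaddress
import re

# inetnum/netname lines as they appear in the whois output in the post
WHOIS_TEXT = """\
- inetnum: 210.160.0.0 - 210.175.255.255
- netname: JPNIC-NET-JP
- inetnum: 210.167.133.0 - 210.167.133.255
- netname: MEDIA-ZOO
"""

# The 16 rules from the post, without rule numbers and counters
POST_RULES = [f"deny ip from 210.{octet}.0.0/16 to me" for octet in range(160, 176)]

def inetnum_blocks(whois_text):
    """Return [{'name': netname, 'nets': [CIDR, ...]}] for each inetnum object."""
    blocks, current = [], None
    for line in whois_text.splitlines():
        m = re.match(r"[\s-]*inetnum:\s*(\S+)\s*-\s*(\S+)", line)
        if m:
            first, last = (ipaddress.ip_address(x) for x in m.groups())
            # a start-end range may need several CIDR blocks; summarize finds the minimum
            nets = list(ipaddress.summarize_address_range(first, last))
            current = {"name": None, "nets": nets}
            blocks.append(current)
            continue
        n = re.match(r"[\s-]*netname:\s*(\S+)", line)
        if n and current and current["name"] is None:
            current["name"] = n[1]
    return blocks

def most_specific(blocks, ip):
    """Smallest registered network containing ip, with its netname."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, b["name"]) for b in blocks for net in b["nets"] if addr in net]
    return min(hits, key=lambda h: h[0].num_addresses)

def collapse_rules(rule_lines):
    """Merge the source networks of 'deny ip from X to me' rules."""
    nets = []
    for rule in rule_lines:
        m = re.search(r"from (\S+) to me", rule)
        if m:
            nets.append(ipaddress.ip_network(m[1]))
    return list(ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    print(most_specific(inetnum_blocks(WHOIS_TEXT), "210.167.133.6"))
    print(collapse_rules(POST_RULES))
```

The 16 rules are equivalent to one rule on 210.160.0.0/12, while the block actually registered to the probing host's network is the much narrower 210.167.133.0/24 (MEDIA-ZOO).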