被小鬼子吓一跳

Neil

晚上在服务器上干活，头昏脑胀之际，netstat -an | grep ESTA 了一下，猛然间看见除了自己的ip之外还有一个ip与ssh相连（ESTA），当时没多想,w看了一下，没见别人，直接fw干掉这个ip。随后一想，呵呵，想起来了，不过是ssh探测而已，害我虚惊一场。随后去看auth.log, 果然如此

1. 
   
2. Feb 21 03:06:10 mail sshd[65885]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
3. Feb 21 03:06:13 mail sshd[65887]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
4. Feb 21 03:06:16 mail sshd[65889]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
5. Feb 21 03:06:19 mail sshd[65891]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
6. Feb 21 03:06:22 mail sshd[65893]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
7. Feb 21 03:06:25 mail sshd[65895]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
8. Feb 21 03:06:28 mail sshd[65897]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
9. Feb 21 03:06:31 mail sshd[65899]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
   
10. Feb 21 03:06:33 mail sshd[65901]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
11. Feb 21 03:06:36 mail sshd[65903]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
12. Feb 21 03:06:39 mail sshd[65905]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
13. Feb 21 03:06:42 mail sshd[65907]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
14. Feb 21 03:06:45 mail sshd[65909]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
15. Feb 21 03:06:48 mail sshd[65911]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
16. Feb 21 03:06:51 mail sshd[65913]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
17. Feb 21 03:06:54 mail sshd[65915]: Illegal user admin from 210.167.133.6  
    
18. Feb 21 03:06:54 mail sshd[65915]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
19. Feb 21 03:06:57 mail sshd[65917]: Illegal user admin from 210.167.133.6   
    
20. Feb 21 03:06:57 mail sshd[65917]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
21. Feb 21 03:06:59 mail sshd[65919]: Illegal user admin from 210.167.133.6   
    
22. Feb 21 03:06:59 mail sshd[65919]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
23. Feb 21 03:07:02 mail sshd[65921]: Illegal user admin from 210.167.133.6   
    
24. Feb 21 03:07:02 mail sshd[65921]: Address 210.167.133.6 maps to www.sky-media.jp, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    
25. Feb 21 03:07:05 mail sshd[65923]: Illegal user admin from 210.167.133.6
    

复制代码

本来想想看看就算了，结果看见是 JP，于是

1. 
   
2. mail# whois 210.167.133.6
   
3. ...
   
4. ...
   
5. inetnum:      210.160.0.0 - 210.175.255.255
   
6. netname:      JPNIC-NET-JP
   
7. descr:        Japan Network Information Center
   
8. country:      JP
   
9. admin-c:      JNIC1-AP
   
10. tech-c:       JNIC1-AP
    
11. remarks:      JPNIC Allocation Block
    
12. remarks:      Authoritative information regarding assignments and
    
13. remarks:      allocations made from within this block can also be
    
14. remarks:      queried at whois.nic.ad.jp. To obtain an English
    
15. remarks:      output query whois -h whois.nic.ad.jp x.x.x.x/e
    
16. mnt-by:       MAINT-JPNIC
    
17. changed:      apnic-ftp@nic.ad.jp 19991208
    
18. status:       ALLOCATED PORTABLE
    
19. source:       APNIC
    
20. 
    
21. role:         Japan Network Information Center
    
22. address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
    
23. address:      Chiyoda-ku, Tokyo 101-0047, Japan
    
24. country:      JP
    
25. phone:        +81-3-5297-2311
    
26. fax-no:       +81-3-5297-2312
    
27. e-mail:       hostmaster@nic.ad.jp
    
28. admin-c:      JI13-AP
    
29. tech-c:       JE53-AP
    
30. nic-hdl:      JNIC1-AP
    
31. mnt-by:       MAINT-JPNIC
    
32. changed:      hm-changed@apnic.net 20041222
    
33. changed:      hm-changed@apnic.net 20050324
    
34. changed:      ip-apnic@nic.ad.jp 20051027
    
35. source:       APNIC
    
36. 
    
37. inetnum:      210.167.133.0 - 210.167.133.255
    
38. netname:      MEDIA-ZOO
    
39. descr:        media-zoo.,inc
    
40. country:      JP
    
41. admin-c:      NS4220JP
    
42. tech-c:       NS4220JP
    
43. remarks:      This information has been partially mirrored by APNIC from
    
44. remarks:      JPNIC. To obtain more specific information, please use the
    
45. remarks:      JPNIC WHOIS Gateway at
    
46. remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
    
47. remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
    
48. remarks:      defaults to Japanese output, use the /e switch for English
    
49. remarks:      output)
    
50. changed:      apnic-ftp@nic.ad.jp 20050825
    
51. changed:      apnic-ftp@nic.ad.jp 20051219
    
52. source:       JPNIC
    

复制代码

我刚才干活已经头昏脑胀了，没时间精力和他们折腾，别的我不会，只能屏蔽掉，于是乎

1. 
   
2. 09800      0         0 deny ip from 210.160.0.0/16 to me
   
3. 09801      0         0 deny ip from 210.161.0.0/16 to me
   
4. 09802      0         0 deny ip from 210.162.0.0/16 to me
   
5. 09803      0         0 deny ip from 210.163.0.0/16 to me
   
6. 09804      0         0 deny ip from 210.164.0.0/16 to me
   
7. 09805      0         0 deny ip from 210.165.0.0/16 to me
   
8. 09806      0         0 deny ip from 210.166.0.0/16 to me
   
9. 09807      0         0 deny ip from 210.167.0.0/16 to me
   
10. 09808      0         0 deny ip from 210.168.0.0/16 to me
    
11. 09809      0         0 deny ip from 210.169.0.0/16 to me
    
12. 09810      0         0 deny ip from 210.170.0.0/16 to me
    
13. 09811      0         0 deny ip from 210.171.0.0/16 to me
    
14. 09812      0         0 deny ip from 210.172.0.0/16 to me
    
15. 09813      0         0 deny ip from 210.173.0.0/16 to me
    
16. 09814      0         0 deny ip from 210.174.0.0/16 to me
    
17. 09815      0         0 deny ip from 210.175.0.0/16 to me
    

复制代码

懒得算掩码了，就加了16条策略
收工，睡觉

btw:准备下机器前，又发现一个从吉林网通段过来的ssh探测连接，唉，无语，也懒得屏蔽他了，这些小孩子，拿个scanner就当宝贝，不能急了。再说了，这样搞自己国家的服务器，能有什么出息。
汗，不说了。

Ericzhao82

ssh嗅探，我这边每天都有，但从日志上看韩国、印度、墨西哥、新西兰、国内各城市，哪里都有。你被动防御的话，你能屏蔽过来嘛。

langue

加十六条……其实移四位就可以了。规则太多，到时候速度会慢。
210.167.133.0/12   即可。多余的位是被忽略掉的。

Neil

原帖由 Ericzhao82 于 2007-2-21 08:05 发表
ssh嗅探，我这边每天都有，但从日志上看韩国、印度、墨西哥、新西兰、国内各城市，哪里都有。你被动防御的话，你能屏蔽过来嘛。

嘿嘿，要不是看到是小鬼子的IP，我才懒得去屏蔽呢，呵呵

Neil

原帖由 langue 于 2007-2-21 12:16 发表
加十六条……其实移四位就可以了。规则太多，到时候速度会慢。
210.167.133.0/12   即可。多余的位是被忽略掉的。

谢谢，当时急着睡觉，怕算得麻烦，没仔细想，刚才再一看，不多不少正好一个段，呵呵，这就去改策略，哈