On 25 December 2016 13:28:36 EET, "Ionel Mugurel Ciobîcă" 
<i.m.ciob...@gmail.com> wrote:
>
>Merry Christmas, everyone.
>
>
>Can I do anything about these port scans:
>
>| root@romania:/etc/yate# zgrep fSrpauxy /var/log/syslog*
>| /var/log/syslog:Dec 25 07:10:31 romania scanlogd:
>110.249.212.46:55555 to 192.168.1.3 ports 2455, 771, 8090, 44818, 1911,
>4911, ..., fSrpauxy, TOS 00, TTL 239 @07:10:31
>| /var/log/syslog.1:Dec 24 15:26:56 romania scanlogd: 37.48.65.171 to
>192.168.1.3 ports 80, 443, 81, 82, 83, 84, ..., fSrpauxy, TOS 00, TTL
>119 @15:26:47
>| /var/log/syslog.1:Dec 24 22:17:31 romania scanlogd:
>94.102.56.181:53885 to 192.168.1.3 ports 31443, 34443, 1443, 8443,
>40443, ..., fSrpauxy, TOS 00, TTL 242 @22:11:57
>| /var/log/syslog.2.gz:Dec 24 05:18:01 romania scanlogd:
>222.186.31.200:48408 to 192.168.1.3 ports 4500, 1100, 4600, 1818, 3900,
>1300, 2700, ..., fSrpauxy, TOS 00 @03:08:17
>| /var/log/syslog.7.gz:Dec 18 17:54:14 romania scanlogd: 46.38.235.169
>to 192.168.1.3 ports 80, 8080, 8090, 9090, 8081, 8082, 8083, 8180, ...,
>fSrpauxy, TOS 00, TTL 52 @17:54:13
>| /var/log/syslog.7.gz:Dec 18 19:15:29 romania scanlogd: 85.17.15.156
>to 192.168.1.3 ports 443, 445, 113, 111, 22, 80, ..., fSrpauxy, TOS 00
>@19:15:29
>| /var/log/syslog.8.gz:Dec 17 09:08:37 romania scanlogd: 185.40.4.169
>to 192.168.1.3 ports 4337, 800, 9999, 8383, 9024, 8989, 9091, ...,
>fSrpauxy, TOS 00, TTL 241 @07:28:30
>| /var/log/syslog.8.gz:Dec 17 12:23:01 romania scanlogd: 185.40.4.169
>to 192.168.1.3 ports 9002, 40005, 8086, 91, 4001, 82, 888, 8481, ...,
>fSrpauxy, TOS 00, TTL 241 @10:25:00
>| /var/log/syslog.8.gz:Dec 17 23:23:13 romania scanlogd:
>80.82.65.90:53618 to 192.168.1.3 ports 9097, 9595, 9081, 9179, 9035,
>9106, ..., fSrpauxy, TOS 00, TTL 247 @23:18:16
>
>or should I not be worried?
>
>I moved the ssh port from 22 to somewhere higher (a while ago). Is that
>what they are looking for? Can I stop these scans somehow (if I should be
>worried)?
>
>Thanks,
> Mugurel
>_______________________________________________
>RLUG mailing list
>RLUG@lists.lug.ro
>http://lists.lug.ro/mailman/listinfo/rlug

You can't stop them, because other people are doing them. You can, however, 
secure port 22. Obviously the ideal would be to allow connections only from 
known addresses. If you can't do that, there is the iptables recent match, 
which is wonderful in this context, or alternatively port knocking. Don't move 
the daemon above port 1024, because you risk running into other trouble. If you 
insist on a port > 1024 being visible from outside, do a local redirect with 
iptables.

And if you want to make life harder for those who scan, set up a temporary 
-j TARPIT or -j DROP as a reaction when they probe you (but you have to react 
during that period, not after ... and take care to whitelist your known 
partners so that you don't become the victim of an attack with spoofed IPs).

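The rules suggested in the reply above, written out as an added example that is not part of the original messages: a local redirect from a high port to sshd on 22, a whitelist for known peers, and a temporary DROP through the iptables recent match. The function name `ssh_rules`, the external port 2222, the list name SSH, the 4-attempts-per-60-seconds threshold and the documentation addresses are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: external port 2222,
# list name SSH, 4 attempts per 60 s, RFC 5737 documentation addresses.

is_uint() { case $1 in ''|*[!0-9]*) return 1;; esac; }

# ssh_rules EXT_PORT SECONDS HITCOUNT [TRUSTED_SOURCE...]
# Prints iptables commands for review; it does not change the firewall.
ssh_rules() {
    [ $# -ge 3 ] || { echo "usage: ssh_rules EXT_PORT SECONDS HITCOUNT [SRC...]" >&2; return 2; }
    ext_port=$1 seconds=$2 hits=$3
    shift 3
    for n in "$ext_port" "$seconds" "$hits"; do
        is_uint "$n" || { echo "not a number: $n" >&2; return 2; }
    done
    [ "$ext_port" -gt 1024 ] && [ "$ext_port" -le 65535 ] ||
        { echo "external port must be 1025-65535" >&2; return 2; }
    for src in "$@"; do
        # Accept only dotted IPv4 with optional /prefix, so nothing else
        # can end up inside a generated command line.
        case $src in ''|*[!0-9./]*) echo "bad source: $src" >&2; return 2;; esac
    done

    # sshd keeps listening on 22; the high port exists only in the NAT table.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ext_port -j REDIRECT --to-ports 22"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Known peers are accepted before rate limiting, so spoofed packets
    # bearing their addresses cannot get them locked out.
    for src in "$@"; do
        echo "iptables -A INPUT -s $src -p tcp --dport 22 -j ACCEPT"
    done
    # REDIRECT rewrites the destination before INPUT, so the filter rules
    # match port 22 whichever port the client dialled.
    new="-p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH"
    # Temporary drop: applies while a source has $hits recorded attempts in
    # the last $seconds seconds. --update records dropped attempts too, so
    # the block lasts until the source goes quiet.
    echo "iptables -A INPUT $new --update --seconds $seconds --hitcount $hits -j DROP"
    echo "iptables -A INPUT $new --set -j ACCEPT"
}

# Example invocation with the assumed values.
ssh_rules 2222 60 4 192.0.2.10 198.51.100.0/24
```

The generated commands are appended in order, so they belong ahead of any broader ACCEPT rule for port 22 already present in the INPUT chain.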