Many UFW BLOCKs, close together, on numerous ports and IP addresses

My syslog is full of a large number of attacks of a particular type from many sources. I went through all the other references the search function turned up, but none of them dealt with TCP, and none dealt with traffic from a variety of sources.

Feb 16 02:44:47 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52988 DPT=8140 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=74.207.237.114 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=35553 PROTO=TCP SPT=51489 DPT=8009 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=124.160.154.8 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=12117 DF PROTO=TCP SPT=51479 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 16 02:44:53 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=192.241.229.19 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=52160 DPT=5357 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:45:06 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=132.232.100.64 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=63737 DF PROTO=TCP SPT=41758 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
Feb 16 02:45:46 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=205.210.31.164 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=24095 PROTO=TCP SPT=53070 DPT=1026 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb 16 02:46:05 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=167.248.133.169 DST=149.28.234.41 LEN=30 TOS=0x00 PREC=0x00 TTL=41 ID=3609 PROTO=UDP SPT=65397 DPT=5632 LEN=10 
Feb 16 02:46:08 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=183.136.225.32 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=107 ID=0 PROTO=TCP SPT=10183 DPT=50777 WINDOW=29200 RES=0x00 SYN URGP=0 
Feb 16 02:46:11 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=183.136.225.42 DST=149.28.234.41 LEN=52 TOS=0x00 PREC=0x00 TTL=107 ID=18631 PROTO=UDP SPT=62177 DPT=520 LEN=32 
Feb 16 02:46:18 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=71.6.233.243 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=2086 DPT=2086 WINDOW=65535 RES=0x00 SYN URGP=0 
Feb 16 02:46:24 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=103.161.173.176 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=11607 PROTO=TCP SPT=45846 DPT=5060 WINDOW=1024 RES=0x00 SYN URGP=0 

They look harmless, or at least benign, but I would still like to deal with the problem.

Is there a way to block attacks from this many different sources? It is a new IP and a new port every time.

Can ufw identify a packet signature and then drop it? Deep packet inspection, or at least reading the headers?

Short of doing nothing, what is the best way to handle this?

Update:

Firewall rules.

~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-N f2b-ufw
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -j f2b-ufw
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -s 218.92.0.52/32 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
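Added example, not part of the original question and not a ufw feature: a Python triage script run over the [UFW BLOCK] lines and the ufw-user-input rules quoted above. It answers the three things worth knowing before changing the firewall: whether any single source is walking many ports (a per-IP deny would help), whether unrelated sources share a constant IP ID and TCP window (a scanner-tool fingerprint rather than an OS artifact), and whether anything was blocked on a port the ufw-user-input chain already ACCEPTs (which would point at rule order, not at the scanners). The sample inputs are copied from the post; the "vertical scanner" threshold of 3 distinct ports is an arbitrary choice for the example. `ufw insert 1 deny from ADDRESS to any` is real ufw syntax.

```python
"""Triage [UFW BLOCK] kernel log lines against the ufw-user-input policy.

Example code for the question above, not part of ufw. Sample inputs below are
copied from the post and labelled as such; the threshold is a made-up default.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the [UFW BLOCK] lines quoted in the question.
UFW_LOG = """\
Feb 16 02:44:47 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=198.235.24.14 DST=149.28.234.41 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54321 PROTO=TCP SPT=52988 DPT=8140 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=74.207.237.114 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=35553 PROTO=TCP SPT=51489 DPT=8009 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 16 02:44:50 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=124.160.154.8 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=12117 DF PROTO=TCP SPT=51479 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Feb 16 02:44:53 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=192.241.229.19 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=52160 DPT=5357 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:45:06 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=132.232.100.64 DST=149.28.234.41 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=63737 DF PROTO=TCP SPT=41758 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 16 02:46:05 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=167.248.133.169 DST=149.28.234.41 LEN=30 TOS=0x00 PREC=0x00 TTL=41 ID=3609 PROTO=UDP SPT=65397 DPT=5632 LEN=10
Feb 16 02:46:18 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=71.6.233.243 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=2086 DPT=2086 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 16 02:46:24 server.domain.com kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:04:bf:08:21:fe:00:04:bf:08:21:08:00 SRC=103.161.173.176 DST=149.28.234.41 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=11607 PROTO=TCP SPT=45846 DPT=5060 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed sample: the ufw-user-input lines from the `iptables -S` output above.
IPTABLES_S = """\
-A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -s 218.92.0.52/32 -j DROP
-A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
"""

HEADER_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+(\S+)\s+kernel:\s+\[UFW BLOCK\]\s+(.*)$")
ALLOW_RE = re.compile(r"^-A ufw-user-input -p (tcp|udp) -m \1 --dport (\d+) -j ACCEPT$")
INT_FIELDS = ("SPT", "DPT", "TTL", "ID", "WINDOW", "LEN")


def parse_ufw_block(line):
    """One [UFW BLOCK] line -> dict of KEY=value fields; bare tokens (DF, SYN) become flags."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, host, rest = m.groups()
    rec = {"ts": ts, "host": host, "flags": set()}
    for tok in rest.split():
        if "=" not in tok:
            rec["flags"].add(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            rec["UDP_LEN"] = val  # UDP lines carry a second LEN= for the UDP datagram
        else:
            rec[key] = val
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def allowed_ports(rules):
    """(PROTO, port) pairs that ufw-user-input ACCEPTs, read from `iptables -S` text."""
    allowed = set()
    for line in rules.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            allowed.add((m.group(1).upper(), int(m.group(2))))
    return allowed


def triage(log, rules, vertical_threshold=3):
    recs = [r for r in map(parse_ufw_block, log.splitlines()) if r]
    allowed = allowed_ports(rules)
    ports_by_src = defaultdict(set)   # SRC -> {(PROTO, DPT), ...}
    fingerprints = defaultdict(set)   # (IP ID, TCP window) -> {SRC, ...}
    blocked_despite_allow = []
    for r in recs:
        target = (r["PROTO"], r["DPT"])
        ports_by_src[r["SRC"]].add(target)
        if r["PROTO"] == "TCP" and "SYN" in r["flags"]:
            fingerprints[(r["ID"], r["WINDOW"])].add(r["SRC"])
        if target in allowed:
            blocked_despite_allow.append(r)  # policy says ACCEPT: check rule order
    # >= threshold distinct ports from one source: a per-IP deny is worth it.
    # One hit per source is a distributed sweep; per-IP denies only chase noise.
    vertical = [s for s, p in ports_by_src.items() if len(p) >= vertical_threshold]
    return {
        "records": len(recs),
        "distinct_sources": len(ports_by_src),
        "distinct_ports": len({p for ps in ports_by_src.values() for p in ps}),
        "vertical_scanners": sorted(vertical),
        # Same IP ID and window from unrelated sources is a tool fingerprint, not an OS.
        "tool_fingerprints": {k: sorted(v) for k, v in fingerprints.items() if len(v) > 1},
        "blocked_despite_allow": blocked_despite_allow,
    }


def ufw_deny_commands(sources):
    """ufw commands placing a per-source deny ahead of the existing allow rules."""
    return [f"ufw insert 1 deny from {src} to any" for src in sources]


if __name__ == "__main__":
    result = triage(UFW_LOG, IPTABLES_S)
    for key, val in result.items():
        print(f"{key}: {val}")
    print("\n".join(ufw_deny_commands(result["vertical_scanners"])))
```

On the posted sample every source appears exactly once and every probe hits a different port, so `vertical_scanners` is empty and the generated deny list is empty: per-IP blocking (ufw, fail2ban on the log, or a manual `ufw deny from`) cannot keep up with a sweep that changes source on every packet. `blocked_despite_allow` is also empty, which confirms the log is the default DROP policy doing its job rather than a misordered rule. The only "signature" that does recur is header-level: three unrelated sources send SYNs with IP ID 54321 and window 65535. That is also the level ufw works at, since it generates netfilter rules matching on address, protocol, port and connection state; it does not inspect payloads.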