UJP - 技術情報2 : ヤマハのRTX1100で中国からの不正なVPNをブロックする YAMAHA/RTX/vpndrop

Table of contents

ヤマハのRTX1100で中国からの不正なVPNをブロックする

ヤマハのRTX1100で中国からの不正なVPNをブロックする

はじめに

　ヤマハのVPNルータRTX1100が再起動していたので，原因を調べたらインターネット側からの攻撃があるということだったので調べて見る．

syslogからの調査

　VPNはPPTPを使いっていて，GREで1723ポートを使っているので，そこのへのアクセスしてきたログを調べて見る．

pp1# show log|grep 1723
2015/10/16 04:12:41: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/16 04:12:41: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723
2015/10/16 04:12:42: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723
2015/10/16 04:12:42: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723
2015/10/16 04:12:44: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723
2015/10/16 04:12:44: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723
2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723
2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723
2015/10/16 09:26:34: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22206 > 192.168.0.1:1723
2015/10/16 09:26:37: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723
2015/10/16 09:26:37: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723
2015/10/16 09:26:38: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723
2015/10/16 14:40:23: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723
2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723
2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723
2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723
2015/10/16 14:40:25: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723
2015/10/16 14:40:25: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723
2015/10/17 01:08:17: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/17 01:08:19: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723
2015/10/17 01:08:20: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723
2015/10/17 01:08:20: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723
2015/10/17 06:22:03: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723
2015/10/17 06:22:04: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723
2015/10/17 06:22:05: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723
2015/10/17 06:22:05: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723
2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723
2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723
2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723
2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723
2015/10/17 16:49:52: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723
2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723
2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723
2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723
2015/10/17 16:49:54: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723
2015/10/17 16:49:54: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723
pp1#

　183.60.48.25と113.108.21.16からのアクセスがあることがわかった．

RTXでフィルタ設定をする

　不正アクセスがあったアドレスをリジェクト（拒否）するフィルタを作成．

pp1# ip filter 2510 reject-log 183.60.48.25 * * * *
pp1# ip filter 2511 reject-log 113.108.21.16 * * * *
pp1#

　ちゃんとリジェクトされたか確認するために，ログを残すようにreject-logとする．　そして，フィルタをセットする．

pp1# pp select 1
pp1# ip pp secure filter in 2510 2511 2000 2001 2098 2002 2003 2004 2005 2006 2007 2008 2009 2010 2099 dynamic 2100 2101 2102 2103 2104 2105 2106
pp1#

　これでしらばく様子を見る．

数日経過してRejectedを確認

　タイトルの徹ですが，リジェクトを確認しました．これでフィルタが動作していることが確認できました．

> show log reverse|grep 1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.21:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.23:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.19:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.16:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.20:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.18:1723
2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 192.168.0.1:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.23:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.21:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.19:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.18:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.20:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.22:1723
2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.21:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.23:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.19:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.16:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.18:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.20:1723
2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 192.168.0.1:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.20:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.16:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.18:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 192.168.0.1:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.21:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.19:1723
2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.23:1723
2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.21:1723
2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.19:1723
2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.20:1723
2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723
2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.16:1723
2015/10/20 07:43:58: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.19:1723
2015/10/20 07:43:58: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 192.168.0.1:1723
>

　これを見ていると，普通にIPアドレスの末尾を連番で接続してきているのがわかります．

RTXへの1723ポートへの接続を過去ログをsyslogから調べてみる

　RTX1100のログはsyslogサーバへ転送しているので，そのログからPPTPによるVPN(1723)へ接続してきているIPアドレスを調べる．

ujp:log vpnserver$ grep ":1723" rtx.log|head
May 14 14:01:18 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 180.153.113.141:22207 > 192.168.0.1:1723
May 14 14:01:19 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 183.60.48.25:27519 > 192.168.0.1:1723
May 15 05:10:21 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 112.216.163.130:6000 > 192.168.0.1:1723
May 15 16:42:05 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 218.17.160.22:42861 > 192.168.0.1:1723
May 16 14:01:23 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 180.153.113.141:22208 > 192.168.0.1:1723
May 16 14:01:23 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 183.60.48.25:44856 > 192.168.0.1:1723
May 16 17:32:57 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 112.216.163.130:6000 > 192.168.0.1:1723
May 17 21:32:36 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723
May 17 21:32:37 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723
May 17 21:32:38 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723
ujp:log vpnserver$

　source IPアドレスを取り出すために，次のようにコマンドを設定．

ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sort|uniq -c|sort -r
 855 183.60.48.25
 258 113.108.21.16
 223 91.214.71.176
 209 180.153.113.141
 164 37.46.105.40
 130 218.77.79.38
 121 61.160.224.129
  91 61.240.144.66
  78 61.240.144.65
  67 61.240.144.64
  54 61.240.144.67
  50 66.240.192.138
  38 42.120.142.221
  36 71.6.167.142
  36 71.6.135.131
  33 198.20.69.98
  32 92.247.120.50
  32 66.240.236.119
  29 71.6.165.200
  27 85.25.103.50
  27 14.17.35.181
  25 198.20.70.114
  24 42.156.250.110
  22 42.156.250.112
  22 42.156.250.111
  22 37.46.105.77
  21 42.120.142.220
  20 42.156.250.115
  19 42.120.142.223
  18 42.156.250.116
  18 42.156.250.113
  17 42.156.250.119
  15 160.249.228.226
  13 91.192.92.18
  13 160.249.248.137
  12 42.120.142.222
  10 42.156.250.117
   9 112.216.163.130
   8 93.120.27.62
   7 42.156.250.118
   7 42.156.250.114
   7 223.152.40.93
   7 223.152.208.143
   7 222.242.143.53
   6 93.174.93.68
   6 182.118.54.62
   6 182.118.53.149
   6 182.118.53.110
   6 114.112.90.54
   5 89.46.100.172
   5 82.221.105.6
   5 182.118.55.225
   5 182.118.54.88
   5 182.118.53.83
   5 182.118.53.120
   5 1.72.132.218
   4 222.107.91.130
   4 182.118.60.75
   4 182.118.60.57
   4 182.118.60.54
   4 182.118.55.144
   4 182.118.53.74
   4 182.118.45.250
   4 182.118.45.237
   4 150.255.118.88
   4 123.117.167.147
   4 122.226.102.84
   4 119.4.26.184
   4 112.80.138.35
   3 85.10.210.199
   3 61.55.208.115
   3 61.52.59.196
   3 61.52.50.145
   3 60.216.142.113
   3 60.216.140.18
   3 60.216.137.180
   3 60.208.164.245
   3 60.166.225.127
   3 60.16.15.219
   3 60.16.13.42
   3 60.16.1.75
   3 59.174.194.25
   3 59.174.194.181
   3 59.174.188.75
   3 59.174.188.19
   3 59.174.188.124
   3 58.243.229.40
   3 58.20.99.77
   3 58.20.99.232
   3 58.20.98.73
   3 58.20.98.202
   3 58.20.98.152
   3 58.19.1.199
   3 58.19.1.134
   3 58.19.0.80
   3 58.19.0.44
   3 49.74.81.136
   3 45.79.164.57
   3 42.92.129.95
   3 42.92.129.198
   3 36.44.99.141
   3 27.211.57.128
   3 27.211.179.63
   3 27.211.176.25
   3 27.10.76.243
   3 27.10.76.200
   3 27.10.73.165
   3 27.10.209.156
   3 222.94.97.34
   3 222.75.44.211
   3 222.75.38.105
   3 221.0.17.141
   3 220.200.25.254
   3 220.173.16.31
   3 220.169.18.75
   3 219.157.194.34
   3 219.157.193.54
   3 218.8.85.223
   3 218.58.34.35
   3 218.58.33.202
   3 217.12.204.104
   3 211.97.123.99
   3 211.97.123.86
   3 211.97.123.69
   3 211.97.123.18
   3 211.97.122.243
   3 211.138.245.224
   3 210.76.215.72
   3 210.76.194.2
   3 210.72.64.191
   3 188.138.9.50
   3 182.242.59.250
   3 182.118.60.83
   3 182.118.60.50
   3 182.118.55.159
   3 182.118.54.17
   3 182.118.45.229
   3 182.108.48.179
   3 180.109.226.40
   3 175.184.165.199
   3 175.184.160.99
   3 175.17.210.36
   3 175.17.207.106
   3 175.17.194.10
   3 175.12.104.148
   3 171.37.255.123
   3 171.37.252.38
   3 171.37.110.151
   3 171.37.108.106
   3 171.36.55.244
   3 171.36.53.76
   3 153.0.60.237
   3 150.255.22.238
   3 150.255.17.145
   3 14.104.191.70
   3 14.104.190.165
   3 14.104.189.27
   3 14.104.189.199
   3 14.104.187.67
   3 14.104.184.119
   3 139.212.96.214
   3 139.212.92.22
   3 125.76.92.26
   3 125.211.38.65
   3 125.211.38.221
   3 125.119.8.168
   3 124.90.53.224
   3 124.90.49.190
   3 124.90.48.126
   3 123.6.170.24
   3 123.6.161.177
   3 123.158.61.163
   3 123.139.23.68
   3 123.139.23.107
   3 123.139.21.15
   3 123.117.166.72
   3 123.117.165.68
   3 123.117.163.229
   3 122.96.17.218
   3 122.96.16.11
   3 122.96.130.207
   3 121.237.195.14
   3 121.237.192.58
   3 120.85.201.95
   3 120.32.70.44
   3 119.4.27.52
   3 119.4.24.45
   3 119.119.178.63
   3 119.108.158.16
   3 119.108.145.2
   3 118.81.6.145
   3 118.81.226.11
   3 118.250.141.99
   3 118.250.141.53
   3 116.114.73.249
   3 116.113.70.185
   3 115.200.236.87
   3 115.198.203.55
   3 114.97.87.250
   3 114.97.65.176
   3 114.96.165.62
   3 114.96.162.27
   3 114.221.19.131
   3 113.248.147.9
   3 113.135.99.137
   3 113.135.98.60
   3 112.80.211.55
   3 112.80.137.117
   3 112.67.214.129
   3 112.67.193.160
   3 112.66.85.203
   3 112.66.51.203
   3 112.66.28.22
   3 112.66.24.177
   3 112.193.88.15
   3 112.123.29.203
   3 112.117.16.17
   3 112.111.3.153
   3 112.111.1.249
   3 112.111.0.96
   3 112.111.0.76
   3 111.85.216.86
   3 111.85.216.59
   3 111.85.179.140
   3 111.162.153.231
   3 111.162.152.189
   3 111.162.142.161
   3 111.113.165.247
   3 110.84.209.25
   3 110.84.208.130
   3 110.84.203.102
   3 110.241.68.152
   3 110.240.175.225
   3 106.45.173.86
   3 101.68.4.31
   3 101.68.127.206
   3 101.68.126.59
   3 101.24.55.183
   3 1.31.59.58
   3 1.31.57.240
   2 91.224.160.18
   2 66.154.119.132
   2 64.34.253.40
   2 60.248.138.219
   2 59.15.16.105
   2 222.98.225.248
   2 218.17.160.22
   2 211.241.133.40
   2 210.205.0.249
   2 209.183.219.246
   2 188.138.1.218
   2 182.118.60.87
   2 182.118.60.63
   2 182.118.60.56
   2 182.118.60.48
   2 182.118.60.37
   2 182.118.60.19
   2 182.118.60.15
   2 182.118.60.14
   2 182.118.60.115
   2 182.118.55.240
   2 182.118.55.212
   2 182.118.55.210
   2 182.118.55.202
   2 182.118.55.200
   2 182.118.55.196
   2 182.118.55.185
   2 182.118.55.179
   2 182.118.55.175
   2 182.118.55.165
   2 182.118.55.161
   2 182.118.55.153
   2 182.118.55.147
   2 182.118.55.135
   2 182.118.55.114
   2 182.118.55.113
   2 182.118.54.86
   2 182.118.54.56
   2 182.118.54.54
   2 182.118.54.21
   2 182.118.54.19
   2 182.118.54.12
   2 182.118.54.115
   2 182.118.54.114
   2 182.118.54.109
   2 182.118.54.102
   2 182.118.53.99
   2 182.118.53.86
   2 182.118.53.81
   2 182.118.53.70
   2 182.118.53.52
   2 182.118.53.37
   2 182.118.53.252
   2 182.118.53.235
   2 182.118.53.225
   2 182.118.53.218
   2 182.118.53.213
   2 182.118.53.207
   2 182.118.53.201
   2 182.118.53.200
   2 182.118.53.194
   2 182.118.53.168
   2 182.118.53.150
   2 182.118.53.143
   2 182.118.53.138
   2 182.118.53.132
   2 182.118.53.106
   2 182.118.53.101
   2 182.118.45.245
   2 182.118.45.217
   2 171.13.14.51
   2 171.13.14.3
   2 171.13.14.29
   2 159.226.134.253
   2 113.17.173.12
   2 112.123.27.200
   2 107.178.109.9
   2 101.226.179.84
   1 95.211.191.156
   1 94.102.49.207
   1 93.174.95.83
   1 93.174.93.235
   1 92.247.120.60
   1 89.40.71.152
   1 89.248.174.100
   1 89.248.169.35
   1 80.82.78.27
   1 80.82.65.59
   1 80.82.65.205
   1 80.82.64.68
   1 69.164.203.180
   1 66.154.119.29
   1 66.154.119.12
   1 66.154.119.11
   1 66.154.119.108
   1 64.34.251.53
   1 64.215.242.5
   1 60.21.167.126
   1 23.94.17.2
   1 217.71.50.2
   1 211.195.214.9
   1 211.186.255.122
   1 203.195.168.197
   1 202.74.40.117
   1 198.52.103.155
   1 198.12.86.74
   1 198.12.86.234
   1 195.211.154.157
   1 195.211.154.133
   1 192.74.249.136
   1 178.208.77.51
   1 125.220.140.248
   1 124.95.181.13
   1 123.140.204.6
   1 122.116.6.168
   1 121.225.246.214
   1 114.34.252.247
   1 112.216.55.162
   1 111.192.165.77
   1 107.151.195.229
ujp:log vpnserver$

　これでみると，183.60.48.25と113.108.21.16以外にも，沢山接続されていることがわかるので，これらをRejectしていく．これでみるとトップ４は全部中国だ．

さらにログを集計してdrop対象を絞り込む

　IPアドレスの第２クォートで集計してみる．

ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sed 's/\./ /g'|awk '{print $1"." $2".*.*"}'|sort|uniq -c|sort -r|more
 855 183.60.*.*
 290 61.240.*.*
 258 113.108.*.*
 223 91.214.*.*
 209 180.153.*.*
 199 182.118.*.*
 186 37.46.*.*
 165 42.156.*.*
 130 218.77.*.*
 121 61.160.*.*
 101 71.6.*.*
  90 42.120.*.*
  82 66.240.*.*
  58 198.20.*.*
  33 92.247.*.*
  28 160.249.*.*
  27 85.25.*.*
  27 14.17.*.*
  18 14.104.*.*
  15 59.174.*.*
  15 58.20.*.*
  15 211.97.*.*
  14 223.152.*.*
  13 91.192.*.*
  13 123.117.*.*
  12 58.19.*.*
  12 27.10.*.*
  12 171.37.*.*
  12 112.66.*.*
  12 112.111.*.*
  10 150.255.*.*
  10 119.4.*.*
  10 112.80.*.*
  10 112.216.*.*
   9 60.216.*.*
   9 60.16.*.*
   9 27.211.*.*
   9 175.17.*.*
   9 124.90.*.*
ujp:log vpnserver$

　これでトップ10を出してみる．

ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sed 's/\./ /g'|awk '{print $1"." $2".*.*"}'|sort|uniq -c|sort -r|head -n 10
 855 183.60.*.*
 290 61.240.*.*
 258 113.108.*.*
 223 91.214.*.*
 209 180.153.*.*
 199 182.118.*.*
 186 37.46.*.*
 165 42.156.*.*
 130 218.77.*.*
 121 61.160.*.*
ujp:log vpnserver$

　この不正アクセスしてきているIPアドレスのトップ10について，whoisコマンドでどの国の所属か確認してみる．

MBA2011:~ ujp$ whois 183.60.0.0|grep country
country:        CN
country:        CN
MBA2011:~ ujp$ whois 61.240.0.0|grep country
country:        CN
country:        CN
MBA2011:~ ujp$ whois 113.108.0.0|grep country
country:        CN
country:        CN
country:        CN
MBA2011:~ ujp$ whois 91.214.0.0|grep country
country:        PL
MBA2011:~ ujp$ whois 180.153.0.0|grep country
country:        CN
country:        CN
MBA2011:~ ujp$ whois 182.118.0.0|grep country
country:        CN
country:        CN
country:        CN
country:        CN
MBA2011:~ ujp$ whois 37.46.0.0|grep country
country:        GB
MBA2011:~ ujp$ whois 42.156.0.0|grep country
country:        CN
country:        CN
country:        CN
MBA2011:~ ujp$ whois 218.77.0.0|grep country
country:        CN
country:        CN
country:        CN
MBA2011:~ ujp$ whois 61.160.0.0|grep country
country:        CN
country:        CN
country:        CN
country:        CN
MBA2011:~ ujp$

　CNは中国ですが，GBはグレートブリテン，つまりイギリス．そしてPLはポーランド．

ブロックするIPアドレスを決定する

　ブロックするIPアドレスを多くすれば制度はあがるがFirewallのCPU負荷が高くなるので，ルール設定を最小にしてみることを考える．まずはIPアドレスだけで個数を確認する．トップ10だけとしている．

ujp:log vpnserver $ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sort|uniq -c|sort -r|head -n 10
 855 183.60.48.25
 258 113.108.21.16
 223 91.214.71.176
 209 180.153.113.141
 164 37.46.105.40
 130 218.77.79.38
 121 61.160.224.129
  91 61.240.144.66
  78 61.240.144.65
  67 61.240.144.64
ujp:log vpnserver $

　ここでは61.240.*.*が３行ほどでているので，これはまとめることとする．

RTX1100でフィルタを設定する

　これまで調べたIPアドレスのトップ10をブロックしてみる．

# ip filter 2512 reject 91.214.71.176 * * * *
# ip filter 2513 reject 180.153.113.141 * * * *
# ip filter 2514 reject 37.46.105.40 * * * *
# ip filter 2515 reject 218.77.79.38 * * * *
# ip filter 2516 reject 61.160.224.129 * * * *
# ip filter 2517 reject 61.240.*.* * * * *
# ip filter 2518 reject 182.118.*.* * * * *
# pp select 1
pp1# ip pp secure filter in 2510 2511 2512 2513 2514 2516 2517 2518 2000 2001 2098 2002 2003 2004 2005 2006 2007 2008 2009 2010 2099 dynamic 2100 2101 2102 2103 2104 2105 2106
pp1# save
Saving ... CONFIG1 Done .
pp1#

　またこれでしばらく様子を見てみる．

Attach file:

Counter: 4991, today: 2, yesterday: 1

Last-modified: 2017-12-03 (Sun) 02:04:42 (JST) (2629d) by nobuaki