1: 2017-12-03 (Sun) 01:48:59 nobuaki | 2: 2017-12-03 (Sun) 02:07:31 shinnai | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | *ヤマハのRTX1100で中国からの不正なVPNをブロックする [#s9bfbea5] | + | TITLE:show status bootで起動情報を確認する! |
+ | *show status bootで起動情報を確認する [#f4d59b8c] | ||
- | **はじめに [#m95a8806] | + | ヤマハのルータRTX1100が調子悪いので情報を確認する. |
- | ヤマハのVPNルータRTX1100が再起動していたので,原因を調べたらインターネット側からの攻撃があるということだったので調べて見る. | + | **起動した日付を確認 [#vf5d7d60] |
- | **syslogからの調査 [#pf2e552c] | + | show environmentコマンドで,起動日時を確認する. |
- | VPNはPPTPを使いっていて,GREで1723ポートを使っているので,そこのへのアクセスしてきたログを調べて見る. | + | # show environment🆑 |
+ | RTX1100 BootROM Rev.5.07 | ||
+ | RTX1100 Rev.8.03.88 (Fri Mar 5 16:31:42 2010) | ||
+ | main: RTX1100 ver=c0 serial=N1A000000 MAC-Address=be MAC-Address=bf MAC-Address=c0 | ||
+ | CPU: 4%(5sec) 4%(1min) 4%(5min) Memory: 30% used | ||
+ | Firmware: exec0 Config. file: config1 | ||
+ | Default firmware: exec0 Default config. file: config1 | ||
+ | Boot time: 2015/07/14 22:01:39 +09:00🈁 | ||
+ | Current time: 2015/10/07 19:00:58 +09:00🈁 | ||
+ | Elapsed time from boot: 84days 20:59:19 | ||
+ | Security Class: 1, FORGET: ON, TELNET: OFF | ||
+ | # | ||
- | pp1# show log|grep 1723 | + | 今日が10月7日で,起動したのが7月14日.約3ヶ月前に再起動した覚えは,ない.詳細を確認する. |
- | 2015/10/16 04:12:41: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:41: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:42: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:42: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:52572 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:44: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:44: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723 | + | |
- | 2015/10/16 04:12:45: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:55607 > 192.168.0.1:1723 | + | |
- | 2015/10/16 09:26:34: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22206 > 192.168.0.1:1723 | + | |
- | 2015/10/16 09:26:37: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723 | + | |
- | 2015/10/16 09:26:37: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723 | + | |
- | 2015/10/16 09:26:38: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:39988 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:23: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:24: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:25: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723 | + | |
- | 2015/10/16 14:40:25: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:43847 > 192.168.0.1:1723 | + | |
- | 2015/10/17 01:08:17: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/17 01:08:19: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723 | + | |
- | 2015/10/17 01:08:20: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723 | + | |
- | 2015/10/17 01:08:20: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:25079 > 192.168.0.1:1723 | + | |
- | 2015/10/17 06:22:03: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723 | + | |
- | 2015/10/17 06:22:04: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723 | + | |
- | 2015/10/17 06:22:05: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723 | + | |
- | 2015/10/17 06:22:05: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:19783 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:50: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723 | + | |
- | 2015/10/17 11:35:51: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:35717 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:52: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 113.108.21.16:22208 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:53: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:54: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723 | + | |
- | 2015/10/17 16:49:54: PP[01] Passed at IN(2009) filter: TCP 183.60.48.25:38887 > 192.168.0.1:1723 | + | |
- | pp1# | + | |
- | 183.60.48.25と113.108.21.16からのアクセスがあることがわかった. | + | **show status boot [#je525ff2] |
- | **RTXでフィルタ設定をする [#r2f56cf8] | + | show status bootコマンドで,前回の再起動理由を確認してみる. |
- | 不正アクセスがあったアドレスをリジェクト(拒否)するフィルタを作成. | + | # show status boot🆑 |
+ | RTX1100 Rev.8.03.88 (Fri Mar 5 16:31:42 2010) | ||
+ | Rebooted by Address error [load/fetch](4)🈁 | ||
+ | PC=80330f98 SP=81e13380 FP=81e13410 GP=80586730 | ||
+ | SR=1000c003 CAUSE=10000010 BAD=814b09a7 LO=666667a8 HI=000000d6 | ||
+ | $00=00000000 $01=80580000 $02=00000001 $03=80586734 | ||
+ | $04=00000000 $05=81e13380 $06=00000001 $07=8124e5b8 | ||
+ | $08=80379ba8 $09=81b1bec0 $10=81b1bec0 $11=4d5b1591 | ||
+ | $12=00000000 $13=80586aac $14=00000001 $15=8098d740 | ||
+ | $16=00000003 $17=81b1be0c $18=0000000f $19=814b09a7 | ||
+ | $20=8057e8e0 $21=81251a7c $22=00000001 $23=81e13490 | ||
+ | $24=80580000 $25=00000000 $26=8100f330 $27=80c75e94 | ||
+ | $28=80586730 $29=81e13380 $30=81e13410 $31=80330f4c | ||
+ | Stack dump: | ||
+ | 00000002 80d24dcc 00001000 8038df40 |......M......8.@ | ||
+ | 81251a7c 00000003 0000001c 00000003 |.%.|............ | ||
+ | 00000003 00000001 8032fad8 8032f99c |.........2...2.. | ||
+ | 1002dd98 5bd647b0 00000000 00000000 |....[.G......... | ||
+ | 80580704 81e1343b 80580000 80580000 |.X....4;.X...X.. | ||
+ | 80580000 80b09a10 00000001 80b10000 |.X.............. | ||
+ | 00000004 c0a81401 00000001 8038e104 |.............8.. | ||
+ | 80580704 81e1343b 00000004 5bd647b0 |.X....4;....[.G. | ||
+ | 00000033 80b09a10 00000001 8038ed2c |...3.........8., | ||
+ | 00000004 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | 00000000 00000000 00000000 00000000 |................ | ||
+ | # | ||
- | pp1# ip filter 2510 reject-log 183.60.48.25 * * * * | + | Rebooted by Address errorとでている.ファームウェアをアップデートするくらいしか方法がないかと考えてみたら,以下のような文書があった. |
- | pp1# ip filter 2511 reject-log 113.108.21.16 * * * * | + | |
- | pp1# | + | |
- | ちゃんとリジェクトされたか確認するために,ログを残すようにreject-logとする. | + | |
- | そして,フィルタをセットする. | + | |
- | pp1# pp select 1 | + | インターネットからの攻撃によるヤマハルーターのリブート等について | |
- | pp1# ip pp secure filter in 2510 2511 2000 2001 2098 2002 2003 2004 2005 2006 2007 2008 2009 2010 2099 dynamic 2100 2101 2102 2103 2104 2105 2106 | + | http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/attack-from-internet-201404.html |
- | pp1# | + | |
- | これでしらばく様子を見る. | + | 一部引用. |
- | **数日経過してRejectedを確認 [#fc9700ee] | + | 最終変更日 2015/Jul/23 |
+ | 文書サイズ 5.9K | ||
+ | インターネットからの攻撃によるヤマハルーターのリブート等について | ||
+ | 本情報は随時更新されます。最新情報にご注意ください。 | ||
+ | 2014年4月8日から、インターネットに接続しているヤマハルーターが突然リブートしたり、 | ||
+ | ハングアップしてインターネットに接続できなくなるなどの症状が報告されています。 | ||
- | タイトルの徹ですが,リジェクトを確認しました.これでフィルタが動作していることが確認できました. | + | なるほど. |
- | > show log reverse|grep 1723 | + | ちなみに,restartコマンドで再起動した時は,次のように表示される. |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.21:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.23:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.19:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.16:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.20:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 203.141.135.18:1723 | + | |
- | 2015/10/21 09:53:38: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22203 > 192.168.0.1:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.23:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.21:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.19:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.18:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.20:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.22:1723 | + | |
- | 2015/10/21 04:39:35: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.21:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.23:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.19:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.16:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.18:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 203.141.135.20:1723 | + | |
- | 2015/10/20 23:25:44: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22200 > 192.168.0.1:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.20:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.16:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.18:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 192.168.0.1:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.21:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.19:1723 | + | |
- | 2015/10/20 18:11:54: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.23:1723 | + | |
- | 2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.21:1723 | + | |
- | 2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.19:1723 | + | |
- | 2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.20:1723 | + | |
- | 2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 192.168.0.1:1723 | + | |
- | 2015/10/20 12:57:56: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22207 > 203.141.135.16:1723 | + | |
- | 2015/10/20 07:43:58: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 203.141.135.19:1723 | + | |
- | 2015/10/20 07:43:58: PP[01] Rejected at IN(2511) filter: TCP 113.108.21.16:22202 > 192.168.0.1:1723 | + | |
- | > | + | |
- | これを見ていると,普通にIPアドレスの末尾を連番で接続してきているのがわかります. | + | # show status boot🆑 |
- | + | RTX1100 Rev.8.03.88 (Fri Mar 5 16:31:42 2010) | |
- | **RTXへの1723ポートへの接続を過去ログをsyslogから調べてみる [#c9c4958a] | + | Restart by restart command🈁 |
- | + | # | |
- | RTX1100のログはsyslogサーバへ転送しているので,そのログからPPTPによるVPN(1723)へ接続してきているIPアドレスを調べる. | + | |
- | + | ||
- | ujp:log vpnserver$ grep ":1723" rtx.log|head | + | |
- | May 14 14:01:18 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 180.153.113.141:22207 > 192.168.0.1:1723 | + | |
- | May 14 14:01:19 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 183.60.48.25:27519 > 192.168.0.1:1723 | + | |
- | May 15 05:10:21 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 112.216.163.130:6000 > 192.168.0.1:1723 | + | |
- | May 15 16:42:05 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 218.17.160.22:42861 > 192.168.0.1:1723 | + | |
- | May 16 14:01:23 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 180.153.113.141:22208 > 192.168.0.1:1723 | + | |
- | May 16 14:01:23 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 183.60.48.25:44856 > 192.168.0.1:1723 | + | |
- | May 16 17:32:57 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 112.216.163.130:6000 > 192.168.0.1:1723 | + | |
- | May 17 21:32:36 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723 | + | |
- | May 17 21:32:37 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723 | + | |
- | May 17 21:32:38 203.141.135.17 PP[01] Passed at IN(2009) filte]: TCP 114.112.90.54:35337 > 192.168.0.1:1723 | + | |
- | ujp:log vpnserver$ | + | |
- | + | ||
- | source IPアドレスを取り出すために,次のようにコマンドを設定. | + | |
- | + | ||
- | ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sort|uniq -c|sort -r | + | |
- | 855 183.60.48.25 | + | |
- | 258 113.108.21.16 | + | |
- | 223 91.214.71.176 | + | |
- | 209 180.153.113.141 | + | |
- | 164 37.46.105.40 | + | |
- | 130 218.77.79.38 | + | |
- | 121 61.160.224.129 | + | |
- | 91 61.240.144.66 | + | |
- | 78 61.240.144.65 | + | |
- | 67 61.240.144.64 | + | |
- | 54 61.240.144.67 | + | |
- | 50 66.240.192.138 | + | |
- | 38 42.120.142.221 | + | |
- | 36 71.6.167.142 | + | |
- | 36 71.6.135.131 | + | |
- | 33 198.20.69.98 | + | |
- | 32 92.247.120.50 | + | |
- | 32 66.240.236.119 | + | |
- | 29 71.6.165.200 | + | |
- | 27 85.25.103.50 | + | |
- | 27 14.17.35.181 | + | |
- | 25 198.20.70.114 | + | |
- | 24 42.156.250.110 | + | |
- | 22 42.156.250.112 | + | |
- | 22 42.156.250.111 | + | |
- | 22 37.46.105.77 | + | |
- | 21 42.120.142.220 | + | |
- | 20 42.156.250.115 | + | |
- | 19 42.120.142.223 | + | |
- | 18 42.156.250.116 | + | |
- | 18 42.156.250.113 | + | |
- | 17 42.156.250.119 | + | |
- | 15 160.249.228.226 | + | |
- | 13 91.192.92.18 | + | |
- | 13 160.249.248.137 | + | |
- | 12 42.120.142.222 | + | |
- | 10 42.156.250.117 | + | |
- | 9 112.216.163.130 | + | |
- | 8 93.120.27.62 | + | |
- | 7 42.156.250.118 | + | |
- | 7 42.156.250.114 | + | |
- | 7 223.152.40.93 | + | |
- | 7 223.152.208.143 | + | |
- | 7 222.242.143.53 | + | |
- | 6 93.174.93.68 | + | |
- | 6 182.118.54.62 | + | |
- | 6 182.118.53.149 | + | |
- | 6 182.118.53.110 | + | |
- | 6 114.112.90.54 | + | |
- | 5 89.46.100.172 | + | |
- | 5 82.221.105.6 | + | |
- | 5 182.118.55.225 | + | |
- | 5 182.118.54.88 | + | |
- | 5 182.118.53.83 | + | |
- | 5 182.118.53.120 | + | |
- | 5 1.72.132.218 | + | |
- | 4 222.107.91.130 | + | |
- | 4 182.118.60.75 | + | |
- | 4 182.118.60.57 | + | |
- | 4 182.118.60.54 | + | |
- | 4 182.118.55.144 | + | |
- | 4 182.118.53.74 | + | |
- | 4 182.118.45.250 | + | |
- | 4 182.118.45.237 | + | |
- | 4 150.255.118.88 | + | |
- | 4 123.117.167.147 | + | |
- | 4 122.226.102.84 | + | |
- | 4 119.4.26.184 | + | |
- | 4 112.80.138.35 | + | |
- | 3 85.10.210.199 | + | |
- | 3 61.55.208.115 | + | |
- | 3 61.52.59.196 | + | |
- | 3 61.52.50.145 | + | |
- | 3 60.216.142.113 | + | |
- | 3 60.216.140.18 | + | |
- | 3 60.216.137.180 | + | |
- | 3 60.208.164.245 | + | |
- | 3 60.166.225.127 | + | |
- | 3 60.16.15.219 | + | |
- | 3 60.16.13.42 | + | |
- | 3 60.16.1.75 | + | |
- | 3 59.174.194.25 | + | |
- | 3 59.174.194.181 | + | |
- | 3 59.174.188.75 | + | |
- | 3 59.174.188.19 | + | |
- | 3 59.174.188.124 | + | |
- | 3 58.243.229.40 | + | |
- | 3 58.20.99.77 | + | |
- | 3 58.20.99.232 | + | |
- | 3 58.20.98.73 | + | |
- | 3 58.20.98.202 | + | |
- | 3 58.20.98.152 | + | |
- | 3 58.19.1.199 | + | |
- | 3 58.19.1.134 | + | |
- | 3 58.19.0.80 | + | |
- | 3 58.19.0.44 | + | |
- | 3 49.74.81.136 | + | |
- | 3 45.79.164.57 | + | |
- | 3 42.92.129.95 | + | |
- | 3 42.92.129.198 | + | |
- | 3 36.44.99.141 | + | |
- | 3 27.211.57.128 | + | |
- | 3 27.211.179.63 | + | |
- | 3 27.211.176.25 | + | |
- | 3 27.10.76.243 | + | |
- | 3 27.10.76.200 | + | |
- | 3 27.10.73.165 | + | |
- | 3 27.10.209.156 | + | |
- | 3 222.94.97.34 | + | |
- | 3 222.75.44.211 | + | |
- | 3 222.75.38.105 | + | |
- | 3 221.0.17.141 | + | |
- | 3 220.200.25.254 | + | |
- | 3 220.173.16.31 | + | |
- | 3 220.169.18.75 | + | |
- | 3 219.157.194.34 | + | |
- | 3 219.157.193.54 | + | |
- | 3 218.8.85.223 | + | |
- | 3 218.58.34.35 | + | |
- | 3 218.58.33.202 | + | |
- | 3 217.12.204.104 | + | |
- | 3 211.97.123.99 | + | |
- | 3 211.97.123.86 | + | |
- | 3 211.97.123.69 | + | |
- | 3 211.97.123.18 | + | |
- | 3 211.97.122.243 | + | |
- | 3 211.138.245.224 | + | |
- | 3 210.76.215.72 | + | |
- | 3 210.76.194.2 | + | |
- | 3 210.72.64.191 | + | |
- | 3 188.138.9.50 | + | |
- | 3 182.242.59.250 | + | |
- | 3 182.118.60.83 | + | |
- | 3 182.118.60.50 | + | |
- | 3 182.118.55.159 | + | |
- | 3 182.118.54.17 | + | |
- | 3 182.118.45.229 | + | |
- | 3 182.108.48.179 | + | |
- | 3 180.109.226.40 | + | |
- | 3 175.184.165.199 | + | |
- | 3 175.184.160.99 | + | |
- | 3 175.17.210.36 | + | |
- | 3 175.17.207.106 | + | |
- | 3 175.17.194.10 | + | |
- | 3 175.12.104.148 | + | |
- | 3 171.37.255.123 | + | |
- | 3 171.37.252.38 | + | |
- | 3 171.37.110.151 | + | |
- | 3 171.37.108.106 | + | |
- | 3 171.36.55.244 | + | |
- | 3 171.36.53.76 | + | |
- | 3 153.0.60.237 | + | |
- | 3 150.255.22.238 | + | |
- | 3 150.255.17.145 | + | |
- | 3 14.104.191.70 | + | |
- | 3 14.104.190.165 | + | |
- | 3 14.104.189.27 | + | |
- | 3 14.104.189.199 | + | |
- | 3 14.104.187.67 | + | |
- | 3 14.104.184.119 | + | |
- | 3 139.212.96.214 | + | |
- | 3 139.212.92.22 | + | |
- | 3 125.76.92.26 | + | |
- | 3 125.211.38.65 | + | |
- | 3 125.211.38.221 | + | |
- | 3 125.119.8.168 | + | |
- | 3 124.90.53.224 | + | |
- | 3 124.90.49.190 | + | |
- | 3 124.90.48.126 | + | |
- | 3 123.6.170.24 | + | |
- | 3 123.6.161.177 | + | |
- | 3 123.158.61.163 | + | |
- | 3 123.139.23.68 | + | |
- | 3 123.139.23.107 | + | |
- | 3 123.139.21.15 | + | |
- | 3 123.117.166.72 | + | |
- | 3 123.117.165.68 | + | |
- | 3 123.117.163.229 | + | |
- | 3 122.96.17.218 | + | |
- | 3 122.96.16.11 | + | |
- | 3 122.96.130.207 | + | |
- | 3 121.237.195.14 | + | |
- | 3 121.237.192.58 | + | |
- | 3 120.85.201.95 | + | |
- | 3 120.32.70.44 | + | |
- | 3 119.4.27.52 | + | |
- | 3 119.4.24.45 | + | |
- | 3 119.119.178.63 | + | |
- | 3 119.108.158.16 | + | |
- | 3 119.108.145.2 | + | |
- | 3 118.81.6.145 | + | |
- | 3 118.81.226.11 | + | |
- | 3 118.250.141.99 | + | |
- | 3 118.250.141.53 | + | |
- | 3 116.114.73.249 | + | |
- | 3 116.113.70.185 | + | |
- | 3 115.200.236.87 | + | |
- | 3 115.198.203.55 | + | |
- | 3 114.97.87.250 | + | |
- | 3 114.97.65.176 | + | |
- | 3 114.96.165.62 | + | |
- | 3 114.96.162.27 | + | |
- | 3 114.221.19.131 | + | |
- | 3 113.248.147.9 | + | |
- | 3 113.135.99.137 | + | |
- | 3 113.135.98.60 | + | |
- | 3 112.80.211.55 | + | |
- | 3 112.80.137.117 | + | |
- | 3 112.67.214.129 | + | |
- | 3 112.67.193.160 | + | |
- | 3 112.66.85.203 | + | |
- | 3 112.66.51.203 | + | |
- | 3 112.66.28.22 | + | |
- | 3 112.66.24.177 | + | |
- | 3 112.193.88.15 | + | |
- | 3 112.123.29.203 | + | |
- | 3 112.117.16.17 | + | |
- | 3 112.111.3.153 | + | |
- | 3 112.111.1.249 | + | |
- | 3 112.111.0.96 | + | |
- | 3 112.111.0.76 | + | |
- | 3 111.85.216.86 | + | |
- | 3 111.85.216.59 | + | |
- | 3 111.85.179.140 | + | |
- | 3 111.162.153.231 | + | |
- | 3 111.162.152.189 | + | |
- | 3 111.162.142.161 | + | |
- | 3 111.113.165.247 | + | |
- | 3 110.84.209.25 | + | |
- | 3 110.84.208.130 | + | |
- | 3 110.84.203.102 | + | |
- | 3 110.241.68.152 | + | |
- | 3 110.240.175.225 | + | |
- | 3 106.45.173.86 | + | |
- | 3 101.68.4.31 | + | |
- | 3 101.68.127.206 | + | |
- | 3 101.68.126.59 | + | |
- | 3 101.24.55.183 | + | |
- | 3 1.31.59.58 | + | |
- | 3 1.31.57.240 | + | |
- | 2 91.224.160.18 | + | |
- | 2 66.154.119.132 | + | |
- | 2 64.34.253.40 | + | |
- | 2 60.248.138.219 | + | |
- | 2 59.15.16.105 | + | |
- | 2 222.98.225.248 | + | |
- | 2 218.17.160.22 | + | |
- | 2 211.241.133.40 | + | |
- | 2 210.205.0.249 | + | |
- | 2 209.183.219.246 | + | |
- | 2 188.138.1.218 | + | |
- | 2 182.118.60.87 | + | |
- | 2 182.118.60.63 | + | |
- | 2 182.118.60.56 | + | |
- | 2 182.118.60.48 | + | |
- | 2 182.118.60.37 | + | |
- | 2 182.118.60.19 | + | |
- | 2 182.118.60.15 | + | |
- | 2 182.118.60.14 | + | |
- | 2 182.118.60.115 | + | |
- | 2 182.118.55.240 | + | |
- | 2 182.118.55.212 | + | |
- | 2 182.118.55.210 | + | |
- | 2 182.118.55.202 | + | |
- | 2 182.118.55.200 | + | |
- | 2 182.118.55.196 | + | |
- | 2 182.118.55.185 | + | |
- | 2 182.118.55.179 | + | |
- | 2 182.118.55.175 | + | |
- | 2 182.118.55.165 | + | |
- | 2 182.118.55.161 | + | |
- | 2 182.118.55.153 | + | |
- | 2 182.118.55.147 | + | |
- | 2 182.118.55.135 | + | |
- | 2 182.118.55.114 | + | |
- | 2 182.118.55.113 | + | |
- | 2 182.118.54.86 | + | |
- | 2 182.118.54.56 | + | |
- | 2 182.118.54.54 | + | |
- | 2 182.118.54.21 | + | |
- | 2 182.118.54.19 | + | |
- | 2 182.118.54.12 | + | |
- | 2 182.118.54.115 | + | |
- | 2 182.118.54.114 | + | |
- | 2 182.118.54.109 | + | |
- | 2 182.118.54.102 | + | |
- | 2 182.118.53.99 | + | |
- | 2 182.118.53.86 | + | |
- | 2 182.118.53.81 | + | |
- | 2 182.118.53.70 | + | |
- | 2 182.118.53.52 | + | |
- | 2 182.118.53.37 | + | |
- | 2 182.118.53.252 | + | |
- | 2 182.118.53.235 | + | |
- | 2 182.118.53.225 | + | |
- | 2 182.118.53.218 | + | |
- | 2 182.118.53.213 | + | |
- | 2 182.118.53.207 | + | |
- | 2 182.118.53.201 | + | |
- | 2 182.118.53.200 | + | |
- | 2 182.118.53.194 | + | |
- | 2 182.118.53.168 | + | |
- | 2 182.118.53.150 | + | |
- | 2 182.118.53.143 | + | |
- | 2 182.118.53.138 | + | |
- | 2 182.118.53.132 | + | |
- | 2 182.118.53.106 | + | |
- | 2 182.118.53.101 | + | |
- | 2 182.118.45.245 | + | |
- | 2 182.118.45.217 | + | |
- | 2 171.13.14.51 | + | |
- | 2 171.13.14.3 | + | |
- | 2 171.13.14.29 | + | |
- | 2 159.226.134.253 | + | |
- | 2 113.17.173.12 | + | |
- | 2 112.123.27.200 | + | |
- | 2 107.178.109.9 | + | |
- | 2 101.226.179.84 | + | |
- | 1 95.211.191.156 | + | |
- | 1 94.102.49.207 | + | |
- | 1 93.174.95.83 | + | |
- | 1 93.174.93.235 | + | |
- | 1 92.247.120.60 | + | |
- | 1 89.40.71.152 | + | |
- | 1 89.248.174.100 | + | |
- | 1 89.248.169.35 | + | |
- | 1 80.82.78.27 | + | |
- | 1 80.82.65.59 | + | |
- | 1 80.82.65.205 | + | |
- | 1 80.82.64.68 | + | |
- | 1 69.164.203.180 | + | |
- | 1 66.154.119.29 | + | |
- | 1 66.154.119.12 | + | |
- | 1 66.154.119.11 | + | |
- | 1 66.154.119.108 | + | |
- | 1 64.34.251.53 | + | |
- | 1 64.215.242.5 | + | |
- | 1 60.21.167.126 | + | |
- | 1 23.94.17.2 | + | |
- | 1 217.71.50.2 | + | |
- | 1 211.195.214.9 | + | |
- | 1 211.186.255.122 | + | |
- | 1 203.195.168.197 | + | |
- | 1 202.74.40.117 | + | |
- | 1 198.52.103.155 | + | |
- | 1 198.12.86.74 | + | |
- | 1 198.12.86.234 | + | |
- | 1 195.211.154.157 | + | |
- | 1 195.211.154.133 | + | |
- | 1 192.74.249.136 | + | |
- | 1 178.208.77.51 | + | |
- | 1 125.220.140.248 | + | |
- | 1 124.95.181.13 | + | |
- | 1 123.140.204.6 | + | |
- | 1 122.116.6.168 | + | |
- | 1 121.225.246.214 | + | |
- | 1 114.34.252.247 | + | |
- | 1 112.216.55.162 | + | |
- | 1 111.192.165.77 | + | |
- | 1 107.151.195.229 | + | |
- | ujp:log vpnserver$ | + | |
- | + | ||
- | これでみると,183.60.48.25と113.108.21.16以外にも,沢山接続されていることがわかるので,これらをRejectしていく.これでみるとトップ4は全部中国だ. | + | |
- | + | ||
- | **さらにログを集計してdrop対象を絞り込む [#yfa08d5f] | + | |
- | + | ||
- | IPアドレスの第2クォートで集計してみる. | + | |
- | + | ||
- | ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sed 's/\./ /g'|awk '{print $1"." $2".*.*"}'|sort|uniq -c|sort -r|more | + | |
- | 855 183.60.*.* | + | |
- | 290 61.240.*.* | + | |
- | 258 113.108.*.* | + | |
- | 223 91.214.*.* | + | |
- | 209 180.153.*.* | + | |
- | 199 182.118.*.* | + | |
- | 186 37.46.*.* | + | |
- | 165 42.156.*.* | + | |
- | 130 218.77.*.* | + | |
- | 121 61.160.*.* | + | |
- | 101 71.6.*.* | + | |
- | 90 42.120.*.* | + | |
- | 82 66.240.*.* | + | |
- | 58 198.20.*.* | + | |
- | 33 92.247.*.* | + | |
- | 28 160.249.*.* | + | |
- | 27 85.25.*.* | + | |
- | 27 14.17.*.* | + | |
- | 18 14.104.*.* | + | |
- | 15 59.174.*.* | + | |
- | 15 58.20.*.* | + | |
- | 15 211.97.*.* | + | |
- | 14 223.152.*.* | + | |
- | 13 91.192.*.* | + | |
- | 13 123.117.*.* | + | |
- | 12 58.19.*.* | + | |
- | 12 27.10.*.* | + | |
- | 12 171.37.*.* | + | |
- | 12 112.66.*.* | + | |
- | 12 112.111.*.* | + | |
- | 10 150.255.*.* | + | |
- | 10 119.4.*.* | + | |
- | 10 112.80.*.* | + | |
- | 10 112.216.*.* | + | |
- | 9 60.216.*.* | + | |
- | 9 60.16.*.* | + | |
- | 9 27.211.*.* | + | |
- | 9 175.17.*.* | + | |
- | 9 124.90.*.* | + | |
- | ujp:log vpnserver$ | + | |
- | + | ||
- | これでトップ10を出してみる. | + | |
- | + | ||
- | ujp:log vpnserver$ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sed 's/\./ /g'|awk '{print $1"." $2".*.*"}'|sort|uniq -c|sort -r|head -n 10 | + | |
- | 855 183.60.*.* | + | |
- | 290 61.240.*.* | + | |
- | 258 113.108.*.* | + | |
- | 223 91.214.*.* | + | |
- | 209 180.153.*.* | + | |
- | 199 182.118.*.* | + | |
- | 186 37.46.*.* | + | |
- | 165 42.156.*.* | + | |
- | 130 218.77.*.* | + | |
- | 121 61.160.*.* | + | |
- | ujp:log vpnserver$ | + | |
- | + | ||
- | この不正アクセスしてきているIPアドレスのトップ10について,whoisコマンドでどの国の所属か確認してみる. | + | |
- | + | ||
- | MBA2011:~ ujp$ whois 183.60.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 61.240.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 113.108.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 91.214.0.0|grep country | + | |
- | country: PL | + | |
- | MBA2011:~ ujp$ whois 180.153.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 182.118.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 37.46.0.0|grep country | + | |
- | country: GB | + | |
- | MBA2011:~ ujp$ whois 42.156.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 218.77.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ whois 61.160.0.0|grep country | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | country: CN | + | |
- | MBA2011:~ ujp$ | + | |
- | + | ||
- | CNは中国ですが,GBはグレートブリテン,つまりイギリス.そしてPLはポーランド. | + | |
- | + | ||
- | **ブロックするIPアドレスを決定する [#q1fdca8d] | + | |
- | + | ||
- | ブロックするIPアドレスを多くすれば制度はあがるがFirewallのCPU負荷が高くなるので,ルール設定を最小にしてみることを考える.まずはIPアドレスだけで個数を確認する.トップ10だけとしている. | + | |
- | + | ||
- | ujp:log vpnserver $ grep ":1723" rtx.log|awk '{print $11}'|sed 's/:/ /g'|awk '{print $1}'|sort|uniq -c|sort -r|head -n 10 | + | |
- | 855 183.60.48.25 | + | |
- | 258 113.108.21.16 | + | |
- | 223 91.214.71.176 | + | |
- | 209 180.153.113.141 | + | |
- | 164 37.46.105.40 | + | |
- | 130 218.77.79.38 | + | |
- | 121 61.160.224.129 | + | |
- | 91 61.240.144.66 | + | |
- | 78 61.240.144.65 | + | |
- | 67 61.240.144.64 | + | |
- | ujp:log vpnserver $ | + | |
- | + | ||
- | ここでは61.240.*.*が3行ほどでているので,これはまとめることとする. | + | |
- | + | ||
- | **RTX1100でフィルタを設定する [#mfd3af79] | + | |
- | + | ||
- | これまで調べたIPアドレスのトップ10をブロックしてみる. | + | |
- | + | ||
- | # ip filter 2512 reject 91.214.71.176 * * * * | + | |
- | # ip filter 2513 reject 180.153.113.141 * * * * | + | |
- | # ip filter 2514 reject 37.46.105.40 * * * * | + | |
- | # ip filter 2515 reject 218.77.79.38 * * * * | + | |
- | # ip filter 2516 reject 61.160.224.129 * * * * | + | |
- | # ip filter 2517 reject 61.240.*.* * * * * | + | |
- | # ip filter 2518 reject 182.118.*.* * * * * | + | |
- | # pp select 1 | + | |
- | pp1# ip pp secure filter in 2510 2511 2512 2513 2514 2516 2517 2518 2000 2001 2098 2002 2003 2004 2005 2006 2007 2008 2009 2010 2099 dynamic 2100 2101 210 | + | |
- | 2 2103 2104 2105 2106 | + | |
- | pp1# save | + | |
- | Saving ... CONFIG1 Done . | + | |
- | pp1# | + | |
- | + | ||
- | またこれでしばらく様子を見てみる. | + |
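
Review bot: The added text stops at 「なるほど」 right after quoting the Yamaha notice, so the page never states whether the `Rebooted by Address error [load/fetch](4)` entry on this unit (RTX1100 Rev.8.03.88) is the case that notice describes, or what was done about it. The line before the quotation only says a firmware update was considered, so add a sentence after the quotation recording the conclusion drawn and the action taken. The removed side was a complete write-up of the port 1723 syslog analysis and the resulting `ip filter` rules; if it is being moved rather than discarded, link to its new location from here. If it is carried over, fix the removed `ip pp secure filter in 2510 2511 2512 2513 2514 2516 2517 2518 ...` line, which skips 2515, so the reject rule defined for 218.77.79.38 is not in the applied list. The added `show environment` and `show status boot` transcripts carry 🆑 and 🈁 glyphs after the command and on the highlighted lines; mark those lines in the surrounding text instead so the transcripts match real console output.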
- Revision 1: 2017-12-03 (Sun) 01:48:59 nobuaki
- Revision 2: 2017-12-03 (Sun) 02:07:31 shinnai
- Current: 2017-12-04 (Mon) 23:03:07 shinnai