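Checking on hosho, the web server machine on which I ended up doing an unplanned OS update yesterday ......
Hmm, there is unauthorized access to proftpd (another mechanism I would like to get rid of).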
Nov 19 10:22:01 hosho proftpd[9041]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:12 hosho proftpd[9042]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:24 hosho proftpd[9045]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:36 hosho proftpd[9047]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:47 hosho proftpd[9048]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:59 hosho proftpd[9049]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Using the /sbin/iptables configuration bash script I wrote a while ago, I try setting things up so that access from 218.106.246.* is DROPped into the "dark abyss".
$ sudo /sbin/iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  218.106.246.0/24     anywhere
It looks like it is configured properly, but ......
Nov 19 10:24:21 hosho proftpd[9089]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
# iptables restarted at this time
Nov 19 10:29:21 hosho proftpd[9089]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - Session timed out, disconnected
Nov 19 10:29:21 hosho proftpd[9089]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session closed.
Oh, it worked.
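
An added example, not the author's iptables script (which the post does not show): a shell script that counts proftpd "FTP session opened" events per source address and prints, without executing, a DROP rule for the /24 of any source at or above a threshold. The function names, the threshold of 5 and the choice of `-I INPUT 1` are assumptions made for this example.

```shell
#!/bin/sh
# Sample input: the first six lines are the ones quoted in the post; the last
# line (192.0.2.10, a documentation address) is constructed for this example.
sample_log() {
cat <<'EOF'
Nov 19 10:22:01 hosho proftpd[9041]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:12 hosho proftpd[9042]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:24 hosho proftpd[9045]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:36 hosho proftpd[9047]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:47 hosho proftpd[9048]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:22:59 hosho proftpd[9049]: hosho.ees.hokudai.ac.jp (::ffff:218.106.246.114[::ffff:218.106.246.114]) - FTP session opened.
Nov 19 10:23:30 hosho proftpd[9050]: hosho.ees.hokudai.ac.jp (::ffff:192.0.2.10[::ffff:192.0.2.10]) - FTP session opened.
EOF
}

# Print "<count> <ipv4>" per source, busiest first. proftpd logs IPv4 clients
# here as IPv4-mapped IPv6 (::ffff:a.b.c.d), so the 7-char prefix is stripped.
count_ftp_opens() {
  awk '/proftpd\[[0-9]+\]/ && /FTP session opened\./ {
         if (match($0, /::ffff:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\[/)) {
           ip = substr($0, RSTART + 7, RLENGTH - 8)
           n[ip]++
         }
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print one iptables command per /24 whose sources opened at least $1 sessions.
# -I INPUT 1 places the rule at the head of the chain (first match wins).
drop_rules() {
  threshold=$1
  count_ftp_opens | awk -v t="$threshold" '
    { split($2, o, "."); net = o[1] "." o[2] "." o[3] ".0/24"; c[net] += $1 }
    END { for (net in c) if (c[net] >= t)
            print "/sbin/iptables -I INPUT 1 -s " net " -j DROP" }' | sort
}

# Review the printed rule before applying it by hand.
sample_log | drop_rules 5
```

`iptables --list -v` additionally shows the in/out interface columns, which distinguishes an ACCEPT rule bound to one interface from one that matches all traffic ahead of the DROP.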