Coffeenix, a system engineer's rest stop
  Handling 'Limiting open port RST response...' on FreeBSD   Posted: 2007/07/11 17:06
 
  • Author: 좋은진호 ( http://coffeenix.net/ )
     
    Title:   Handling 'Limiting open port RST response...' on FreeBSD
    Author:  좋은진호 (truefeel, http://coffeenix.net/ )
    Written: 2007.1.4 (Thu)
    Revised: 2007.7.10 (Tue)

    If a FreeBSD server's log is filling up with 'Limiting (open|closed) port RST response from ??? to 200 packets per second', the kernel wanted to send TCP RST segments faster than it is allowed to and suppressed the excess. The number after 'from' is the rate it would have needed; 200 is the cap, which comes from the sysctl net.inet.icmp.icmplim (default 200, shared with ICMP unreachable responses). 'open port' means the RSTs answered segments aimed at a port that has a listening socket but which the kernel could not match to a valid connection state; 'closed port' means they answered packets aimed at ports nobody listens on, which is what a port scan typically produces. Either way the server is being made to reply to traffic it never asked for. In the case below the traffic was a flood of SYN packets from outside; let's find its source and block it.

     
    Jan  3 16:08:03 ??? /kernel: Limiting open port RST response from 257 to 200 packets per second
    Jan  3 16:08:35 ??? /kernel: Limiting open port RST response from 380 to 200 packets per second
    Jan  3 16:08:37 ??? /kernel: Limiting open port RST response from 238 to 200 packets per second
    Jan  3 16:08:38 ??? /kernel: Limiting open port RST response from 253 to 200 packets per second
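As an added example (not from the article), a small shell function that summarizes a batch of these kernel messages instead of eyeballing them: for each kind (open or closed port) it reports how many messages were logged, the highest rate the kernel wanted to send, the total number of RSTs it reported as excess (sum of 'from' minus 'to'), and the cap in force. The lines in SAMPLE_LOG are constructed for the example after the ones above; the hostname 'srv' and the closed-port lines are made up.

```shell
#!/bin/sh
# Added example, not from the article: summarize "Limiting ... port RST
# response" kernel messages taken from /var/log/messages or dmesg output.

# Constructed sample log lines (hostname "srv" is made up; the last line is
# unrelated noise that the report must ignore).
SAMPLE_LOG='Jan  3 16:08:03 srv /kernel: Limiting open port RST response from 257 to 200 packets per second
Jan  3 16:08:35 srv /kernel: Limiting open port RST response from 380 to 200 packets per second
Jan  3 16:08:37 srv /kernel: Limiting open port RST response from 238 to 200 packets per second
Jan  3 16:08:38 srv /kernel: Limiting open port RST response from 253 to 200 packets per second
Jan  3 16:09:02 srv /kernel: Limiting closed port RST response from 1200 to 200 packets per second
Jan  3 16:09:10 srv /kernel: Limiting closed port RST response from 450 to 200 packets per second
Jan  3 16:09:11 srv sshd[123]: Accepted publickey for admin from 192.0.2.10 port 5000'

# Read log lines on stdin; print one line per kind, sorted by kind:
#   kind messages peak_rate excess_total limit
rst_limit_report() {
    awk '
    / port RST response from [0-9]+ to [0-9]+ packets per second/ {
        # split around the fixed phrase: a[1] ends with the kind, a[2] starts with the rates
        split($0, a, / port RST response from /)
        nk = split(a[1], k, " ")
        kind = k[nk]                          # "open" or "closed"
        split(a[2], r, " ")                   # r[1] = wanted rate, r[3] = limit
        wanted = r[1] + 0; limit = r[3] + 0
        msgs[kind]++
        if (wanted > peak[kind]) peak[kind] = wanted
        excess[kind] += wanted - limit        # RSTs the kernel refused to send that second
        cap[kind] = limit
    }
    END {
        for (kind in msgs)
            printf "%s %d %d %d %d\n", kind, msgs[kind], peak[kind], excess[kind], cap[kind]
    }' | sort
}

# Usage: rst_report.sh /var/log/messages   or   rst_report.sh --demo
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | rst_limit_report ;;
    "")     ;;   # run without arguments: only define the function
    *)      rst_limit_report < "$1" ;;
esac
```

Run with `--demo` it prints `closed 2 1200 1250 200` and `open 4 380 328 200`. A large open-port figure means the unwanted traffic is hitting services you actually run (the article's case); a large closed-port figure points at scanning. The cap column should match `sysctl -n net.inet.icmp.icmplim` on the host that produced the log.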
     


    1. Identifying the source IP with tcpdump

    Let's look at the packets with tcpdump ( http://www.tcpdump.org/ ).

     
    # tcpdump -pn 'tcp[tcpflags] & (tcp-rst|tcp-syn) != 0'
    # tcpdump -pn 'tcp[tcpflags] & tcp-syn != 0'
    # tcpdump -pn 'tcp[tcpflags] & (tcp-rst|tcp-syn) != 0 and dst host SERVER_IP'
     


    The -p option keeps the interface out of promiscuous mode (on a shared segment that mode would also capture traffic addressed to other hosts), and -n suppresses DNS lookups, which matters when thousands of addresses are flying past. The expression that follows is the important part: tcp[tcpflags] reads the flags byte of the TCP header, tcp-rst and tcp-syn are tcpdump's names for the RST and SYN bits, and the '& ... != 0' test prints only the headers of packets that have either bit set. To see just the SYN packets, use 'tcp[tcpflags] & tcp-syn != 0'. Since only packets arriving at the server are of interest, add 'and dst host SERVER_IP' inside the same quoted expression to narrow the condition further; the RSTs the server sends back, which the first filter would also match, are then left out.

     
    09:49:52.225313 xxx.127.127.158.1837 > xxx.xxx.xxx.19.80: S 4062745060:4062745060(0) win 17520 <mss 1460> (DF)
    09:49:52.225322 xxx.127.127.158.1839 > xxx.xxx.xxx.19.80: S 3793924840:3793924840(0) win 17520 <mss 1460> (DF)
    09:49:52.225329 xxx.127.127.158.1840 > xxx.xxx.xxx.19.80: S 2084655461:2084655461(0) win 17520 <mss 1460> (DF)
    09:49:52.225336 xxx.127.127.158.1841 > xxx.xxx.xxx.19.80: S 1957858169:1957858169(0) win 17520 <mss 1460> (DF)
    09:49:52.225343 xxx.127.127.158.1842 > xxx.xxx.xxx.19.80: S 2017006258:2017006258(0) win 17520 <mss 1460> (DF)
    09:49:52.225350 xxx.127.127.158.1843 > xxx.xxx.xxx.19.80: S 672739116:672739116(0) win 17520 <mss 1460> (DF)
    09:49:52.225357 xxx.127.127.158.1844 > xxx.xxx.xxx.19.80: S 3202839341:3202839341(0) win 17520 <mss 1460> (DF)
     


    Save the packet headers tcpdump prints to a file. Redirecting the text output like this keeps it in the form the script in the next section parses (tcpdump -w would write a binary pcap file instead). A few minutes of capture is enough; stop it with Ctrl+C.

     
    # tcpdump CONDITION > tcpdump_2007_0104.txt
     


    2. Blocking with ipfw

    The following script takes the saved tcpdump output and extracts just the list of source IPs that sent the SYN packets, with a count per address.

     
    #!/bin/sh
    #
    # ip_list.sh - count the source addresses in a saved tcpdump text capture

    if [ -z "$1" ]; then
        echo "Specify the tcpdump output file to examine."
        exit 1
    fi
    FILE=$1

    # In the classic tcpdump line format field 2 is "src_ip.src_port";
    # keep the dotted quad and drop the port. (Newer tcpdump prints an
    # "IP" token first, which moves the source to field 3.)
    awk '{print $2}' "$FILE" | awk -F. '{print $1 "." $2 "." $3 "." $4}' | sort > "${FILE}_ip"
    uniq -c "${FILE}_ip" | sort -n
     


    If the saved file is named tcpdump_2007_0104.txt, run it as follows to see the result (one line per source address, busiest last).

    # ./ip_list.sh tcpdump_2007_0104.txt
    ... omitted ...
    137 xxx.113.1.176
    183 xxx.138.55.217
    294 xxx.xxx.xxx.254
    16260 xxx.187.218.50
    115010 xxx.127.127.158

    xxx.187.218.50 and xxx.127.127.158 are the suspicious addresses. Check with a tool such as ngrep whether they send any data beyond the SYN packets. If they send nothing but SYNs, it is likely a scan or a SYN flood, so block the IP with a firewall tool such as ipfw. Two caveats: the source address of a SYN flood can be spoofed, in which case a per-address rule blocks nobody, and a rule added with ipfw add lives only in the running kernel, so put it in the ipfw rules file loaded at boot if it should survive a reboot.

     
    # ipfw add deny ip from xxx.127.127.158 to any
    #
    # ipfw list
    00100 deny ip from xxx.127.127.158 to any
    65535 allow ip from any to any
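The whole procedure, capture file in and candidate ipfw rules out, as one added shell example (not the article's own script): it reads the saved tcpdump text, ranks SYN senders the way ip_list.sh does, and prints a deny rule for every source at or above a threshold instead of running ipfw itself, so the list can be reviewed (and the sources checked with ngrep, as above) before anything is applied. Unlike ip_list.sh it also accepts the newer tcpdump line format, skips SYN-ACKs, and ignores the RST lines that the first filter in section 1 captures alongside the SYNs. The capture lines in SAMPLE_CAPTURE are constructed for the example with documentation addresses, and the threshold values (2 for the demo, 100 by default) are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script: rank SYN senders in a saved
# tcpdump text capture and emit ipfw deny rules for the noisy ones.
#
# Assumes the capture was saved as text with the article's filter, e.g.
#   tcpdump -pn 'tcp[tcpflags] & (tcp-rst|tcp-syn) != 0 and dst host SERVER_IP' > capture.txt
# Handles both the classic line format ("src > dst: S seq:seq(0) ...") and the
# newer one ("IP src > dst: Flags [S], ...").

# Constructed sample capture (both formats mixed, RFC 5737 addresses; the
# server is 192.0.2.19).
SAMPLE_CAPTURE='09:49:52.225313 203.0.113.5.1837 > 192.0.2.19.80: S 4062745060:4062745060(0) win 17520 <mss 1460> (DF)
09:49:52.225322 203.0.113.5.1839 > 192.0.2.19.80: S 3793924840:3793924840(0) win 17520 <mss 1460> (DF)
09:49:52.225329 203.0.113.5.1840 > 192.0.2.19.80: S 2084655461:2084655461(0) win 17520 <mss 1460> (DF)
09:49:52.225336 192.0.2.19.80 > 203.0.113.5.1837: R 0:0(0) ack 4062745061 win 0
09:49:52.300000 198.51.100.7.443 > 192.0.2.19.4000: S 10:10(0) ack 11 win 65535 <mss 1460>
09:49:53.000001 IP 198.51.100.7.40001 > 192.0.2.19.80: Flags [S], seq 1, win 65535, length 0
09:49:53.000002 IP 198.51.100.7.40002 > 192.0.2.19.80: Flags [S], seq 2, win 65535, length 0
09:49:53.000003 IP 198.51.100.7.40003 > 192.0.2.19.80: Flags [S.], seq 3, ack 1, win 65535, length 0
09:49:54.000001 IP 203.0.113.9.50000 > 192.0.2.19.80: Flags [S], seq 4, win 65535, length 0'

# Read capture text on stdin; print "count ip" for pure-SYN senders, busiest first.
syn_senders() {
    awk '
    {
        # With the "IP" prefix the "src > dst:" triple starts one field later.
        i = ($2 == "IP") ? 3 : 2
        if ($(i + 1) != ">") next
        src = $i
        flags = $(i + 3)                        # classic: "S"   newer: "Flags"
        if (flags == "Flags") flags = $(i + 4)  # newer: "[S]," or "[S.],"
        # keep SYN-only segments: SYN set and, in the newer format, no "." (ACK)
        if (flags !~ /^\[?S[^.]*\]?,?$/) next
        # the classic format shows a SYN-ACK as "S a:a(0) ack b"; skip those too
        if (flags == "S" && $(i + 5) == "ack") next
        sub(/\.[0-9]+$/, "", src)               # strip ".port" from "a.b.c.d.port"
        n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Read "count ip" lines on stdin and print an ipfw deny rule for each source
# with at least THRESHOLD SYNs (default 100, an assumed value). Printing the
# commands rather than running them leaves room to verify each source first.
ipfw_deny_rules() {
    awk -v t="${1:-100}" '$1 + 0 >= t + 0 { printf "ipfw add deny ip from %s to any\n", $2 }'
}

# Usage: syn_block.sh CAPTURE_FILE [THRESHOLD]   or   syn_block.sh --demo
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_CAPTURE" | syn_senders | ipfw_deny_rules 2 ;;
    "")     ;;   # run without arguments: only define the functions
    *)      syn_senders < "$1" | ipfw_deny_rules "${2:-100}" ;;
esac
```

On the sample, `syn_senders` ranks 203.0.113.5 (3 SYNs) ahead of 198.51.100.7 (2; its two SYN-ACKs are not counted) and 203.0.113.9 (1), and the demo prints deny rules for the first two. Pipe the rules through `sh` only after the ngrep check; a spoofed flood will still show up here as many single-SYN addresses that no per-address rule can usefully block.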
     


    In addition, so that connection attempts to ports that are not open get logged, add the following two lines to /etc/sysctl.conf.
    They can also be applied without a reboot by typing the command in the shell, e.g. sysctl net.inet.tcp.log_in_vain=1. Be aware that a port scan then produces one log line per probed port, so check the volume before leaving this on permanently.

     
    net.inet.tcp.log_in_vain=1
    net.inet.udp.log_in_vain=1
     


    3. References

    * Re: [KFUG] dmesg .. [.../kernel: Limiting open port RST response from 333 to 200 packets per second]
      http://www.kr.freebsd.org/ml//questions/2003/11/msg00069.shtml
    * Prevent Port scaning
      http://lists.freebsd.org/pipermail/freebsd-questions/2003-December/030489.html
    * A basic guide to securing FreeBSD 4.x-STABLE
      http://draenor.org/securebsd/secure.txt



    Coffeenix, a system engineer's rest stop / URL : http://coffeenix.net/board_view.php?bd_code=1513