Hello everyone, for a few days now I have been noticing more and more that bots are scanning for open ports:

Oct 22 19:27:07 (none) kern.info dropbear[23352]: Child connection from 122.160.219.81:4331
Oct 22 19:27:07 (none) kern.info dropbear[23352]: exit before auth: Exited normally
Oct 22 19:39:15 (none) kern.info dropbear[25928]: Child connection from 122.160.219.81:3696
Oct 22 19:39:16 (none) kern.info dropbear[25928]: exit before auth: Disconnect received
Oct 22 19:40:31 (none) kern.info dropbear[26174]: Child connection from 122.160.219.81:2449
Oct 22 19:40:32 (none) kern.info dropbear[26174]: exit before auth: Disconnect received
Oct 22 19:41:25 (none) kern.info dropbear[26346]: Child connection from 122.160.219.81:1200
Oct 22 19:41:25 (none) kern.info dropbear[26346]: exit before auth: Disconnect received
Oct 22 19:42:18 (none) kern.info dropbear[26586]: Child connection from 122.160.219.81:3973
Oct 22 19:42:19 (none) kern.info dropbear[26586]: exit before auth: Disconnect received
Oct 22 19:43:52 (none) syslog.info -- MARK --
Oct 22 19:44:05 (none) kern.info dropbear[26943]: Child connection from 122.160.219.81:2998
Oct 22 19:44:07 (none) kern.info dropbear[26943]: exit before auth: Disconnect received
Oct 22 19:45:01 (none) kern.info dropbear[27113]: Child connection from 122.160.219.81:1119
Oct 22 19:45:02 (none) kern.info dropbear[27113]: exit before auth: Disconnect received
Oct 22 19:45:33 (none) kern.info dropbear[27283]: Child connection from 122.160.219.81:4071
Oct 22 19:45:35 (none) kern.info dropbear[27283]: exit before auth: Disconnect received
Oct 22 19:45:59 (none) kern.info dropbear[27359]: Child connection from 122.160.219.81:3027
Oct 22 19:46:00 (none) kern.info dropbear[27359]: exit before auth: Disconnect received
Oct 22 19:46:32 (none) kern.info dropbear[27468]: Child connection from 122.160.219.81:2363
Oct 22 19:46:32 (none) kern.info dropbear[27468]: exit before auth: Disconnect received
Oct 22 19:47:02 (none) kern.info dropbear[27574]: Child connection from 122.160.219.81:1578
Oct 22 19:47:03 (none) kern.info dropbear[27574]: exit before auth: Disconnect received
Oct 22 19:47:32 (none) kern.info dropbear[27659]: Child connection from 122.160.219.81:4800
Oct 22 19:47:33 (none) kern.info dropbear[27659]: exit before auth: Disconnect received
Oct 22 19:48:03 (none) kern.info dropbear[27778]: Child connection from 122.160.219.81:4283
Oct 22 19:48:04 (none) kern.info dropbear[27778]: exit before auth: Disconnect received
Oct 22 19:48:36 (none) kern.info dropbear[27930]: Child connection from 122.160.219.81:4177
Oct 22 19:48:39 (none) kern.info dropbear[27930]: exit before auth: Disconnect received

If you google the source IPs and trace them back with utrace.de, you end up in Shanghai or the USA. A port scan of the IPs shows that the Linux machines offer various services such as ftp, dns, http and https. Does anyone else see the same phenomenon? What is behind it? What is the point of it all?

I have limited SSH connection attempts on the WAN side to two per minute so as not to offer too much attack surface:

iptables -I INPUT -p tcp --dport 22 -i vlan1 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i vlan1 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

-- tipuraneo

_______________________________________________
freifunk-leipzig mailing list
[email protected]
https://lists.subsignal.org/mailman/listinfo/freifunk-leipzig
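An added example, not part of the post above: a small Python script that reads dropbear syslog lines of the kind quoted in the message, counts per source address how many connections were opened, how many of them ended before authentication (the pattern that marks a scanner rather than a real user), and how often a source opened HITCOUNT or more new connections within WINDOW_SECONDS. The threshold values are chosen to mirror the parameters of the poster's iptables rule (--seconds 60 --hitcount 3); the script does not emulate the firewall itself, since packets the rule drops never reach dropbear and therefore never appear in the log. The sample lines are constructed for this example and use documentation addresses (192.0.2.10, 198.51.100.7) instead of the real source in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters chosen to mirror the poster's iptables rule: a source that opens
# HITCOUNT or more new SSH connections within WINDOW_SECONDS counts as a burst.
WINDOW_SECONDS = 60
HITCOUNT = 3

# Constructed sample log in the dropbear/syslog format quoted in the post
# (timestamps, pids and addresses here are made-up test data).
SAMPLE_LOG = """\
Oct 22 19:27:07 (none) kern.info dropbear[23352]: Child connection from 192.0.2.10:4331
Oct 22 19:27:07 (none) kern.info dropbear[23352]: exit before auth: Exited normally
Oct 22 19:39:15 (none) kern.info dropbear[25928]: Child connection from 192.0.2.10:3696
Oct 22 19:39:16 (none) kern.info dropbear[25928]: exit before auth: Disconnect received
Oct 22 19:40:31 (none) kern.info dropbear[26174]: Child connection from 192.0.2.10:2449
Oct 22 19:40:32 (none) kern.info dropbear[26174]: exit before auth: Disconnect received
Oct 22 19:41:25 (none) kern.info dropbear[26346]: Child connection from 192.0.2.10:1200
Oct 22 19:41:25 (none) kern.info dropbear[26346]: exit before auth: Disconnect received
Oct 22 19:43:52 (none) syslog.info -- MARK --
Oct 22 19:45:01 (none) kern.info dropbear[27113]: Child connection from 198.51.100.7:1119
Oct 22 19:45:02 (none) kern.info dropbear[27113]: exit before auth: Disconnect received
Oct 22 19:45:33 (none) kern.info dropbear[27283]: Child connection from 192.0.2.10:4071
Oct 22 19:45:35 (none) kern.info dropbear[27283]: exit before auth: Disconnect received
Oct 22 19:45:59 (none) kern.info dropbear[27359]: Child connection from 192.0.2.10:3027
Oct 22 19:46:00 (none) kern.info dropbear[27359]: exit before auth: Disconnect received
Oct 22 19:46:32 (none) kern.info dropbear[27468]: Child connection from 192.0.2.10:2363
Oct 22 19:46:32 (none) kern.info dropbear[27468]: exit before auth: Disconnect received
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^Child connection from (?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_events(log_text):
    """Yield (timestamp, pid, message) for every dropbear line; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "-- MARK --" heartbeat line
        # syslog timestamps carry no year; strptime fills in 1900, which is fine
        # for differences within one log (assumption: no year boundary crossed).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, int(m.group("pid")), m.group("msg")


def summarize(log_text, window_seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Per source IP: connections opened, connections that ended before auth,
    and bursts (connections that were the hitcount-th or later within the window)."""
    stats = defaultdict(lambda: {"connections": 0, "exit_before_auth": 0, "bursts": 0})
    recent = defaultdict(deque)  # ip -> timestamps of connections inside the window
    pid_to_ip = {}               # child pid -> peer address, to attribute exit lines
    window = timedelta(seconds=window_seconds)
    for ts, pid, msg in parse_events(log_text):
        c = CONN_RE.match(msg)
        if c:
            ip = c.group("ip")
            pid_to_ip[pid] = ip
            stats[ip]["connections"] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= hitcount:
                stats[ip]["bursts"] += 1
        elif msg.startswith("exit before auth") and pid in pid_to_ip:
            stats[pid_to_ip.pop(pid)]["exit_before_auth"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        flag = f"  <- {HITCOUNT}+ connections within {WINDOW_SECONDS}s" if s["bursts"] else ""
        print(f"{ip}: {s['connections']} connections, "
              f"{s['exit_before_auth']} left before auth{flag}")
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; a source with many connections, all of them ending before authentication and arriving in bursts, is the profile the poster's rule is meant to slow down.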
