Hi NG!
I have a problem with my security log, and as a result there is now a problem
with the server load:
I have a ClarkConnect installation on my server. The server sits between the
user computers and the router/cable modem, a Cisco 677 from Tiscali. So the
server acts as the router to the Internet. But my security log quickly gets
very large, and as a consequence the server comes under heavy load every night
at 05:00 when it runs the cron job /usr/local/snortsnarf/snortsnarf.sh
Internal network: 192.168.0.X
External network: 192.168.1.X (that is, between the Cisco and the server)
Server IP: 192.168.1.2
Cisco IP: 192.168.1.1
Here is an excerpt:
Nov 30 04:42:54 server snort: [1:504:3] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP}
62.233.207.99:53 -> 192.168.1.2:139
Nov 30 04:42:56 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:43:56 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:44:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:45:09 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.39.149 ->
192.168.1.2
Nov 30 04:45:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:46:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:47:16 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.98.13 ->
192.168.1.2
Nov 30 04:47:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:48:08 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.80.34.166 ->
192.168.1.2
Nov 30 04:48:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:49:37 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 213.237.104.109 ->
192.168.1.2
Nov 30 04:49:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:50:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:51:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:52:47 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 213.237.104.85 ->
192.168.1.2
Nov 30 04:52:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:53:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:54:59 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
What exactly is this? What causes it? Does anyone have a solution to the
problem?
You can see my server load here:
https://montanagade.dk:81/stats.php?stat=load
Hope someone can help!
Regards
Lasse
lasse(a)montanagade.dk
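
An added example, not part of the original post: a small Python triage script that groups Snort syslog alerts like those in the excerpt by signature and source/destination pair, and reports the count and median interval per group, so the entries that dominate the log stand out. The function name `summarize` is hypothetical, the sample lines are taken from the excerpt with the wrapped lines rejoined, and the year is a placeholder because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Lines from the excerpt above, rejoined onto one line each.
SAMPLE = """\
Nov 30 04:42:54 server snort: [1:504:3] MISC source port 53 to <1024 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 62.233.207.99:53 -> 192.168.1.2:139
Nov 30 04:42:56 server snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:43:56 server snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:44:57 server snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:45:09 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.39.149 -> 192.168.1.2
Nov 30 04:45:57 server snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:47:16 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.98.13 -> 192.168.1.2
"""

# Syslog prefix, [gid:sid:rev], message, classification, priority, protocol,
# then "src[:port] -> dst[:port]" (ICMP alerts carry no ports).
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def summarize(text):
    """Group alerts by (sid, msg, src, dst); return rows sorted by count."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue  # not a Snort alert line, or still wrapped
        # Placeholder year 2000 (assumption): syslog lines have no year.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        groups[(int(m["sid"]), m["msg"], m["src"], m["dst"])].append(ts)
    rows = []
    for (sid, msg, src, dst), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        rows.append({"sid": sid, "msg": msg, "src": src, "dst": dst,
                     "count": len(times),
                     "median_gap_s": median(gaps) if gaps else None})
    return sorted(rows, key=lambda r: -r["count"])

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["count"], r["sid"], r["msg"], r["src"], "->", r["dst"],
              "median gap (s):", r["median_gap_s"])
```

A group with a high count and a steady median gap, such as the once-a-minute alert from 192.168.1.2 to 192.168.1.1 in the excerpt, points to a single periodic sender rather than many unrelated events.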