CentOS network dies

[color=black]A CentOS 4.4 LAMP platform had been running normally for more than 4 days when suddenly the website, FTP and SSH all became unreachable. The host could still be pinged, but a port scan showed no open ports at all (normally the SSH and HTTP ports are open). I went to the server room, logged in from a locally attached keyboard, rebooted the machine, and everything went back to normal![/color]

... The logs? What about the logs?

The logs are all normal, except that every now and then someone scans my SSH.

Use netstat -an to see which ports are open, and iptables-save to see the firewall configuration.

iptables-save
# Generated by iptables-save v1.2.11 on Wed May 14 17:32:09 2008
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27083256:39734006069]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1024:3305 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3307:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed May 14 17:32:09 2008

I have already changed the SSH port!

netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 SERVER_IP:80 59.47.116.86:3077 SYN_RECV
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:792 0.0.0.0:* LISTEN
tcp 0 0 SERVER_IP:21 222.174.168.27:13511 ESTABLISHED
tcp 0 0 SERVER_IP:20 222.174.168.27:14051 TIME_WAIT
tcp 0 0 SERVER_IP:20 222.174.168.27:13575 TIME_WAIT
tcp 0 0 SERVER_IP:20 222.174.168.27:14149 TIME_WAIT
tcp 0 0 :::58789 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14765 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14773 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14776 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14581 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14582 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:13815 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:13811 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14588 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14589 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14584 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:13817 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:13818 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14586 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:61.241.79.6:3515 ESTABLISHED
tcp 0 1236 ::ffff:SERVER_IP:80 ::ffff:61.241.79.6:22206 FIN_WAIT1
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:61.241.79.6:48768 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:222.174.168.27:14456 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:218.108.76.4:29427 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56323 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56322 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56333 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56332 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56334 TIME_WAIT
tcp 0 13068 ::ffff:SERVER_IP:80 ::ffff:221.219.79.151:21515 ESTABLISHED
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56330 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56341 FIN_WAIT2
tcp 0 75 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56340 FIN_WAIT1
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56343 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56342 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56349 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56348 FIN_WAIT2
tcp 0 8712 ::ffff:SERVER_IP:80 ::ffff:221.219.79.151:21529 ESTABLISHED
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56344 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56347 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56346 FIN_WAIT2
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:218.108.76.4:53306 FIN_WAIT2
tcp 0 203 ::ffff:SERVER_IP:80 ::ffff:221.219.79.151:21485 ESTABLISHED
tcp 1 0 ::ffff:SERVER_IP:80 ::ffff:61.135.219.15:33351 CLOSE_WAIT
tcp 0 10080 ::ffff:SERVER_IP:80 ::ffff:59.47.116.86:3076 ESTABLISHED
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:59.47.116.86:3074 ESTABLISHED
tcp 0 912 ::ffff:SERVER_IP:80 ::ffff:59.47.116.86:3081 ESTABLISHED
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:125.115.234.15:56315 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:38.99.44.104:42507 TIME_WAIT
tcp 0 0 ::ffff:SERVER_IP:80 ::ffff:38.99.44.104:58213 TIME_WAIT
udp 0 0 0.0.0.0:786 0.0.0.0:*
udp 0 0 0.0.0.0:789 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 8195 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 8519 /var/run/iiim/.iiimp-unix/9010
unix 2 [ ] DGRAM 4308 @udevd
unix 7 [ ] DGRAM 7877 /dev/log
unix 2 [ ACC ] STREAM LISTENING 8557 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 8787 /tmp/mysql.sock
unix 2 [ ACC ] STREAM LISTENING 8428 /dev/gpmctl
unix 2 [ ] DGRAM 201639
unix 3 [ ] STREAM CONNECTED 201354
unix 3 [ ] STREAM CONNECTED 201353
unix 2 [ ] STREAM CONNECTED 189695
unix 2 [ ] STREAM CONNECTED 96193
unix 2 [ ] DGRAM 8491
unix 2 [ ] DGRAM 8427
unix 2 [ ] DGRAM 8342
unix 3 [ ] STREAM CONNECTED 8084
unix 3 [ ] STREAM CONNECTED 8083
unix 2 [ ] DGRAM 7945
unix 2 [ ] DGRAM 7885

:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27083256:39734006069]
:RH-Firewall-1-INPUT - [0:0]
Something is wrong: INPUT clearly has not received a single packet... every packet is outbound...
Check the connection states...
I expect that if you look with tcpdump you will not see any incoming packets at all.

[[i] This post was last edited by iamshiyu on 2008-5-14 22:32 [/i]]

Some services should not be exposed to the outside, ssh for example; logging in with an account that holds specific privileges leads to endless trouble. If you really must use this service, try using the firewall to define which IPs or IP ranges may reach the server over ssh. Next, make the password as complex as possible. For FTP, set the permissions properly. Basically the firewall will suppress the responses to scans from IP ranges that are not configured. Linux can also deny access from a given IP or IP range. These measures should take care of the nuisance. As for being pingable yet not scannable, it is entirely possible that sshd or ftpd died for some reason at the time; after the reboot the startup scripts relaunched the SSH and FTP services, so ssh and ftp worked again. That is one possibility, in my opinion~

Problems again: after running for 10 days the same thing happened again, and the firewall had already been changed! Still the same; my head is about to explode!
Also, the network environment in the server room is not very good.
If I don't manage it over SSH, what am I supposed to manage it with!?

Yours is probably not that kind of problem, but I am puzzled that your INPUT policy is DROP yet it has not blocked a single packet; in fact no packet at all has passed through the INPUT chain. Also, your SSH does not seem to be opened in iptables; did you move it into 1024~65535?
Also, as I said, use tcpdump to capture packets and see whether any packets are reaching your NIC at all.
If you monitor locally, use tcpdump tcp; if you are on ssh, use tcpdump not port 22

If everything is allowed, then there is nothing strange about it... though I have no experience with CentOS at all...

iptables-save
# Generated by iptables-save v1.2.11 on Thu May 22 07:11:04 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1507638:1832762826]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1024:3305 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3307:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu May 22 07:11:04 2008
This is the firewall as changed after the server had the problem the first time.
I moved the SSH port into the 3307:65535 range! When it was on port 22, lots of people were scanning it! Although hosts.deny can block them.

If someone scans, just ban them... My network:
*filter
:INPUT DROP [100331:10291286]
:FORWARD DROP [1:76]
:OUTPUT ACCEPT [17988:1407937]
......
Strange that your INPUT is DROP yet it still shows 0:0; perhaps my understanding is wrong.
For automatically banning IPs you can refer to my other post:
[url]http://bbs.bitscn.com/54400[/url]
The one in post #7 is the final version, but you can also look at the earlier ones to follow it more easily.

An excerpt from the /var/log/messages log:
May 21 05:20:10 dataservice kernel: 4 pages swap cached
May 21 05:20:10 dataservice kernel: Out of Memory: Killed process 21703 (httpd).
[color=red]May 21 09:19:06 dataservice sshd(pam_unix)[23094]: session opened for user root by root(uid=0)[/color]
[color=red]May 21 10:24:21 dataservice sshd(pam_unix)[23249]: session opened for user root by (uid=0)[/color]
May 21 16:08:45 dataservice kernel: oom-killer: gfp_mask=0xd0
May 21 16:08:45 dataservice kernel: Mem-info:
What do the two red lines mean?! The root user executed some session; it seems to be sshd starting up?
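The log excerpt above, and the earlier suggestion of banning scanning hosts automatically, can both be handled with a small triage script. The one below is an added example and not code from this thread or from the post it links to; it reads a /var/log/messages excerpt and reports OOM-killer kills, sshd sessions opened for root, and repeated sshd authentication failures per source. The first six log lines are the ones posted in the thread; the "authentication failure" lines are constructed here, with documentation addresses (192.0.2.0/24, 198.51.100.0/24) standing in for real clients, in the pam_unix format that CentOS 4 writes.

```shell
#!/bin/sh
# Added example, not from the thread: triage a /var/log/messages excerpt for
# OOM-killer kills, root SSH sessions and repeated SSH authentication failures.
# LOGDATA: the first six lines are from the thread; the "authentication
# failure" lines are constructed (documentation address ranges), not real.
LOGDATA='May 21 05:20:10 dataservice kernel: 4 pages swap cached
May 21 05:20:10 dataservice kernel: Out of Memory: Killed process 21703 (httpd).
May 21 09:19:06 dataservice sshd(pam_unix)[23094]: session opened for user root by root(uid=0)
May 21 10:24:21 dataservice sshd(pam_unix)[23249]: session opened for user root by (uid=0)
May 21 16:08:45 dataservice kernel: oom-killer: gfp_mask=0xd0
May 21 16:08:45 dataservice kernel: Mem-info:
May 21 16:12:01 dataservice sshd(pam_unix)[23310]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
May 21 16:12:04 dataservice sshd(pam_unix)[23312]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root
May 21 16:12:07 dataservice sshd(pam_unix)[23314]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=admin
May 21 16:30:40 dataservice sshd(pam_unix)[23401]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root'

# Names of processes the kernel OOM killer terminated, one per line.
oom_killed_processes() {
    printf '%s\n' "$LOGDATA" | awk '
        /Out of Memory: Killed process/ {
            name = $NF                 # last field looks like "(httpd)."
            gsub(/[().]/, "", name)    # strip the parentheses and the dot
            print name
        }'
}

# Number of sshd sessions opened for root (the lines the poster marked red).
root_session_count() {
    printf '%s\n' "$LOGDATA" | awk '
        /sshd\(pam_unix\).*session opened for user root/ { n++ }
        END { print n + 0 }'
}

# Per-source counts of sshd authentication failures, "count ip", highest first.
failed_login_sources() {
    printf '%s\n' "$LOGDATA" | awk '
        /sshd\(pam_unix\).*authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); c[$i]++ }
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# hosts.deny lines for every source with at least $1 failures.
hosts_deny_candidates() {
    failed_login_sources | awk -v min="$1" '$1 >= min { print "sshd: " $2 }'
}

echo "OOM-killed processes: $(oom_killed_processes | tr '\n' ' ')"
echo "sshd sessions opened for root: $(root_session_count)"
echo "sshd authentication failures by source:"
failed_login_sources
echo "hosts.deny candidates (at least 3 failures):"
hosts_deny_candidates 3
```

pam_unix writes "session opened for user root" when a login session for root is actually established through sshd, so each such line records a root login and is worth reconciling against the administrator's own activity; the "Out of Memory: Killed process ... (httpd)" line, on the other hand, says the web server was killed for lack of memory, which is a plausible cause of a site that stops answering while the host still replies to ping.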
That should be no problem, provided chkconfig shows sshd among the services started by default.

Thanks! :loveliness: :loveliness: :loveliness: :loveliness:
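Several replies in the thread ask whether the SSH port is actually opened in iptables and note that "if everything is allowed there is nothing strange about it". The script below is an added example, not code from the thread; it reads the filter table the original poster published (copied here as constructed input, so it runs without iptables) and answers those questions mechanically: how many TCP ports accept NEW connections in total, and which verdict a NEW TCP connection to a given port gets under the first-match semantics of the RH-Firewall-1-INPUT chain. The ports it tries are 22, 111 and 3306 (all visible in the posted netstat and iptables output) and 58789, the high port shown as LISTEN in the netstat output.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for how
# many TCP ports accept NEW connections and which verdict a given port gets.
# RULESET is the filter table posted in the thread, embedded as input.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1507638:1832762826]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1024:3305 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3307:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Sum the sizes of every --dport range (or single port) that ACCEPTs NEW TCP.
count_open_tcp_ports() {
    printf '%s\n' "$RULESET" | awk '
        /-p tcp/ && /--state NEW/ && /-j ACCEPT/ {
            spec = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") spec = $(i + 1)
            n = split(spec, r, ":")
            total += ((n == 2) ? r[2] - r[1] + 1 : 1)
        }
        END { print total + 0 }'
}

# Verdict (ACCEPT/DROP/REJECT) for a NEW TCP connection to port $1, found by
# walking RH-Firewall-1-INPUT in order and stopping at the first matching rule.
verdict_for_tcp_port() {
    printf '%s\n' "$RULESET" | awk -v port="$1" '
        /^-A RH-Firewall-1-INPUT/ {
            target = ""; spec = ""; proto = ""; iface = ""; states = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--dport") spec   = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "-i")      iface  = $(i + 1)
                if ($i == "--state") states = $(i + 1)
            }
            # Loopback-only, ICMP-only and RELATED,ESTABLISHED rules cannot
            # match a fresh TCP SYN arriving from the network: skip them.
            if (iface != "" || proto == "icmp" || states ~ /ESTABLISHED/) next
            if (spec != "") {
                n = split(spec, r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 < lo || port + 0 > hi) next
            }
            print target; exit
        }'
}

echo "TCP ports accepting NEW connections: $(count_open_tcp_ports) of 65535"
for p in 22 111 3306 58789; do
    echo "NEW TCP to port $p -> $(verdict_for_tcp_port "$p")"
done
```

Run against the posted rules, the audit shows that all but a little over a thousand TCP ports accept new connections, which is why a service moved to a random high port is reachable without any rule naming it; a tighter alternative is to accept NEW only on the ports that are meant to be public and, for the management port, only from the administrator's source addresses, as one reply in the thread suggests.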