Logged into the server today and, well, look at this:

tcp 0 0 198.74.121.150:80 38.103.160.12:33873 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:45654 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:49337 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:35410 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:53982 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:55487 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:38964 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:39560 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:51861 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:60211 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:38490 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:48588 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:51625 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:47497 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:40164 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:42071 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:49687 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:59726 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:52097 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:46378 TIME_WAIT -

This is absolutely not normal. TIME_WAIT by itself is just the state a connection sits in after the server closes it; what is abnormal here is thousands of them from a single source IP to port 80. To get a count of connections per state, use the following (with `netstat -n` the state is the last field; if you add `-p`, the last field becomes the PID/program column, so count `$6` instead, which is the state column either way):

netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'

The result:

TIME_WAIT 10968
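The one-liner above only counts states. The check you actually want when the numbers look wrong is "which remote IPs account for them", which is what I did by eye in the listing. Below is an added example (not from the original post) that does both over `netstat -n` output: it counts connections per state, counts remote IPs per local port (with the port stripped, so IPv6 addresses survive), and reports the ones at or above a threshold. The function names, the threshold, and the sample output in `SAMPLE_NETSTAT` are all constructed for this example; in real use, pipe `netstat -n` into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Works on the text format of
# `netstat -n` (tcp/tcp6 lines: proto, recv-q, send-q, local, foreign, state).
# Uses $6 for the state so it also works if `-p` adds a trailing PID column.

# Constructed sample in the format of `netstat -n`; not a real capture.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.74.121.150:80       38.103.160.12:33873     TIME_WAIT
tcp        0      0 198.74.121.150:80       38.103.160.12:45654     TIME_WAIT
tcp        0      0 198.74.121.150:80       38.103.160.12:49337     TIME_WAIT
tcp        0      0 198.74.121.150:80       38.103.160.12:35410     TIME_WAIT
tcp        0      0 198.74.121.150:80       38.103.160.12:53982     ESTABLISHED
tcp        0      0 198.74.121.150:80       203.0.113.7:51022       ESTABLISHED
tcp        0      0 198.74.121.150:22       203.0.113.7:51030       ESTABLISHED
tcp        0      0 198.74.121.150:80       192.0.2.44:40110        TIME_WAIT
tcp6       0      0 2001:db8::1:80          2001:db8::2:55100       TIME_WAIT'

# stdin: netstat -n output -> "STATE count" lines, highest count first.
count_states() {
    awk '/^tcp/ { ++s[$6] } END { for (a in s) print a, s[a] }' \
        | sort -k2,2nr -k1,1
}

# $1: local port; stdin: netstat -n output -> "remote_ip count", highest first.
# Only connections whose local side is on port $1 are counted.
top_remote_ips() {
    awk -v port="$1" '/^tcp/ {
        lp = $4; sub(/.*:/, "", lp)        # local port: text after the last colon
        if (lp != port) next
        ip = $5; sub(/:[0-9]+$/, "", ip)   # drop the remote port; IPv6 stays intact
        ++c[ip]
    } END { for (a in c) print a, c[a] }' | sort -k2,2nr -k1,1
}

# $1: local port, $2: threshold; stdin: netstat -n output.
# Prints "remote_ip count" for every IP with at least $2 connections to $1.
offenders() {
    top_remote_ips "$1" | awk -v t="$2" '$2 >= t'
}

# $1: local port, $2: threshold; stdin: netstat -n output.
# Prints the iptables block command for each offender without running it,
# so the list can be reviewed before anything is dropped.
suggest_blocks() {
    offenders "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_states
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips 80
printf '%s\n' "$SAMPLE_NETSTAT" | suggest_blocks 80 3
```

On a live box, `netstat -n | offenders 80 500` (or whatever threshold fits your traffic) gives you the short list in one step; the threshold is a judgment call, since a busy proxy or load balancer legitimately opens many connections from one address.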

I could only laugh. I looked up the IP: it's in the US, and it also turns up on a blocklist, reported repeatedly for brute-force login attempts:

Date +-1 Min +0100:  Host:  Service:  On Server:  to:  Status:
15.11.2014 15:00:54 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
15.11.2014 12:00:51 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
14.11.2014 21:07:00 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
14.11.2014 18:05:50 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot 1 x blocked
12.11.2014 06:04:33 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
12.11.2014 03:07:11 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
12.11.2014 00:10:14 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 21:10:53 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 18:09:53 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 15:05:37 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 12:08:18 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot 1 x blocked

Nothing more to say about it; just block the IP:
iptables -I INPUT -s ***.***.***.*** -j DROP

`-I` inserts the rule at the top of the INPUT chain, so it is matched before any earlier ACCEPT rule. To unblock the IP, run the same command with `-I` replaced by `-D`, which deletes the first rule matching that exact specification (same chain, source and target). Note that a rule added this way lives only in the kernel's running table and is gone after a reboot unless you save it (for example with iptables-save, or whatever persistence mechanism your distribution provides).

Finally, you can use
iptables --list
to view the current rule set; add `-n` to skip the reverse DNS lookup on every address, and `--line-numbers` to see each rule's position in its chain.