Debian 8.6上的Ghost NTP服务器

16

因此,我和大学的IT安全团队一直在不停地走来走去...任何人对此都有任何想法:

我最近为我的实验室设置了一台小型文件服务器,在专用计算机上运行Debian 8.6(英特尔Avoton C2550处理器,很乐意在需要时提供更多硬件信息,但我认为没有必要)。Debian的安装没有任何问题,当时我还安装了Samba,NTP,ZFS和python。看起来一切正常,所以我让它在实验室的角落坐了几个星期。

大约两周前,我收到了IT团队的电子邮件,其中说我的服务器已“受损”,并且易受NTP放大/ DDoS攻击(使用CVE-2013-5211的NTP放大攻击,如https中所述)使用: //www.us-cert.gov/ncas/alerts/TA14-013A)。他们指向的标志是端口123上有很多NTPv2流量。奇怪的是,他们标识为(*.*.*.233)的IP地址与为服务器配置并通过ifconfig(*.*.*.77)报告的IP地址不同。但是,一些基本的故障排除表明我的计算机确实在端口123上生成了此流量(如tcpdump所示)。

这就是怪异开始的地方。我首先浏览了为CVE-2013-5211推荐的“修复程序”(同时更新了版本4.2.7之后的NTP并禁用了monlist功能)。两者均未阻止交通流量。然后,我尝试通过IP表阻止UDP 123端口:

$ /sbin/iptables -A INPUT -o eth0 -p udp --destination-port 123 -j DROP
$ /sbin/iptables -A OUTPUT -o eth0 -p udp --destination-port 123 -j DROP

但这对流量也没有影响。我最终尝试从系统中清除NTP,但这对流量也没有影响。截至今天下午,nmap仍在报告:

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-19 16:15 EST
Nmap scan report for *.233
Host is up (0.0010s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Public Servers (2)
|       50.116.52.97    132.163.4.101
|   Public Clients (39)
|       54.90.159.15    185.35.62.119   185.35.62.233   185.35.63.86
|       54.197.89.98    185.35.62.142   185.35.62.250   185.35.63.108
|       128.197.24.176  185.35.62.144   185.35.62.251   185.35.63.128
|       180.97.106.37   185.35.62.152   185.35.63.15    185.35.63.145
|       185.35.62.27    185.35.62.159   185.35.63.27    185.35.63.146
|       185.35.62.52    185.35.62.176   185.35.63.30    185.35.63.167
|       185.35.62.65    185.35.62.186   185.35.63.34    185.35.63.180
|       185.35.62.97    185.35.62.194   185.35.63.38    185.35.63.183
|       185.35.62.106   185.35.62.209   185.35.63.39    185.35.63.185
|_      185.35.62.117   185.35.62.212   185.35.63.43

由于NTP已从系统中清除了几周,所以这一切都很奇怪。

在这条道路上走到尽头之后,我开始考虑整个IP地址不匹配的问题。我的计算机似乎同时位于* .233和* .77 IP上(已通过在连接有以太网电缆的情况下成功ping通,并且在拔出电缆后都无法ping通),但是* .233从未出现在ifconfig中:

Link encap:Ethernet  HWaddr d0:XX:XX:51:78:XX  
inet addr:*.77  Bcast:*.255  Mask:255.255.255.0
inet6 addr: X::X:X:X:787a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:23023571 errors:0 dropped:1362 overruns:0 frame:0
TX packets:364849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:7441732389 (6.9 GiB)  TX bytes:44699444 (42.6 MiB)
Memory:df300000-df37ffff

/ etc / network / interfaces中没有引用* .233,因此我看不到此IP分配来自何处。

因此,我有两个可能相关的问题,希望有人能为我提供帮助:1)如何消除从服务器喷涌而来的NTP流量,以使IT摆脱困境?2)我的服务器正在使用的第二个IP地址是怎么回事,如何删除它?

谢谢,伙计们:)

更新:根据要求: $iptables -L -v -n

Chain INPUT (policy ACCEPT 57 packets, 6540 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 2076 bytes)
 pkts bytes target     prot opt in     out     source               destination

$ip addr ls

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d0:50:99:51:78:7a brd ff:ff:ff:ff:ff:ff
    inet *.77/24 brd *.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet *.167/24 brd *.255 scope global secondary dynamic eth0
       valid_lft 24612sec preferred_lft 24612sec
    inet6 X::X:X:X:787a/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether d0:50:99:51:78:7b brd ff:ff:ff:ff:ff:ff

更新2:我没有提到,除了IP地址不匹配外,MAC ID也不匹配。这确实使我对流量是否确实来自我的计算机进行了三思。但是:(1)从网络上拔出服务器后,流量消失了;(2)移至其他网络端口,流量随之而来;(3)tcpdump port 123显示流量异常:

13:24:33.329514 IP cumm024-0701-dhcp-233.bu.edu.ntp > 183.61.254.77.44300: NTPv2, Reserved, length 440
13:24:33.329666 IP cumm024-0701-dhcp-233.bu.edu.ntp > 183.61.254.77.44300: NTPv2, Reserved, length 440
13:24:33.329777 IP cumm024-0701-dhcp-233.bu.edu.ntp > 183.61.254.77.44300: NTPv2, Reserved, length 296

更新3: $ss -uapn 'sport = :123'

State      Recv-Q Send-Q                  Local Address:Port                    Peer Address:Port

(即无)

$sudo cat /proc/net/dev

Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  327357    5455    0    0    0     0          0         0   327357    5455    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 13642399917 36270491    0 6522    0     0          0   2721337 45098276  368537    0    0    0     0       0          0

更新4:这些数据包是几天前的典型数据。今天(但是,仍然很高):

20:19:37.011762 IP cumm024-0701-dhcp-233.bu.edu.ntp > 103.56.63.147.26656: NTPv2, Reserved, length 152
20:19:37.011900 IP cumm024-0701-dhcp-233.bu.edu.ntp > 202.83.122.78.58066: NTPv2, Reserved, length 152
20:19:37.012036 IP cumm024-0701-dhcp-233.bu.edu.ntp > 103.56.63.147.17665: NTPv2, Reserved, length 152
20:19:37.014539 IP cumm024-0701-dhcp-233.bu.edu.ntp > 202.83.122.78.27945: NTPv2, Reserved, length 152
20:19:37.015482 IP cumm024-0701-dhcp-233.bu.edu.ntp > 202.83.122.78.42426: NTPv2, Reserved, length 152
20:19:37.015644 IP cumm024-0701-dhcp-233.bu.edu.ntp > 103.56.63.147.16086: NTPv2, Reserved, length 152

$ sudo ss -uapn '( sport = :42426 or dport = :42426 )'
State       Recv-Q Send-Q                                                        Local Address:Port                                                          Peer Address:Port

是的,我可以ping * .233 IP:

$ping 128.197.112.233
PING 128.197.112.233 (128.197.112.233) 56(84) bytes of data.
64 bytes from 128.197.112.233: icmp_seq=1 ttl=64 time=0.278 ms
64 bytes from 128.197.112.233: icmp_seq=2 ttl=64 time=0.282 ms
64 bytes from 128.197.112.233: icmp_seq=3 ttl=64 time=0.320 ms

不,MAC不匹配我的硬件MAC地址是:d0:50:99:51:78:7a流量与MAC相关联:bc:5f:f4:fe:a1:00

更新5:根据要求,对* .233进行端口扫描:

Starting Nmap 6.00 ( http://nmap.org ) at 2016-12-20 20:38 EET
NSE: Loaded 17 scripts for scanning.
Initiating SYN Stealth Scan at 20:38
Scanning cumm024-0701-dhcp-233.bu.edu (128.197.112.233) [1024 ports]
Discovered open port 22/tcp on 128.197.112.233
Completed SYN Stealth Scan at 20:38, 9.79s elapsed (1024 total ports)
Initiating Service scan at 20:38
Scanning 1 service on cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Completed Service scan at 20:38, 0.37s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Initiating Traceroute at 20:38
Completed Traceroute at 20:38, 0.10s elapsed
NSE: Script scanning 128.197.112.233.

[+] Nmap scan report for cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Host is up (0.083s latency).
Not shown: 1013 filtered ports

PORT    STATE  SERVICE VERSION
21/tcp  closed ftp
22/tcp  open   ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
23/tcp  closed telnet
25/tcp  closed smtp
43/tcp  closed whois
80/tcp  closed http
105/tcp closed unknown
113/tcp closed ident
210/tcp closed z39.50
443/tcp closed https
554/tcp closed rtsp

Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: DD-WRT v24-sp2 (Linux 2.6.19)
Uptime guess: 45.708 days (since Sat Nov  5 03:39:36 2016)
Network Distance: 9 hops
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel


TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   0.95 ms  router1-lon.linode.com (212.111.33.229)
2   0.70 ms  109.74.207.0
3   1.09 ms  be4464.ccr21.lon01.atlas.cogentco.com (204.68.252.85)
4   1.00 ms  be2871.ccr42.lon13.atlas.cogentco.com (154.54.58.185)
5   63.45 ms be2983.ccr22.bos01.atlas.cogentco.com (154.54.1.178)
6   63.60 ms TrusteesOfBostonUniversity.demarc.cogentco.com (38.112.23.118)
7   63.55 ms comm595-core-res01-gi2-3-cumm111-bdr-gw01-gi1-2.bu.edu (128.197.254.125)
8   63.61 ms cumm024-dist-aca01-gi5-2-comm595-core-aca01-gi2-2.bu.edu (128.197.254.206)
9   90.28 ms cumm024-0701-dhcp-233.bu.edu (128.197.112.233)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds
           Raw packets sent: 557 (25.462KB) | Rcvd: 97 (8.560KB)

并在UDP上:

Starting Nmap 6.00 ( http://nmap.org ) at 2016-12-20 20:44 EET
NSE: Loaded 17 scripts for scanning.
Initiating Ping Scan at 20:44
Scanning 128.197.112.233 [4 ports]
Completed Ping Scan at 20:44, 1.10s elapsed (1 total hosts)
Initiating UDP Scan at 20:44
Scanning cumm024-0701-dhcp-233.bu.edu (128.197.112.233) [1024 ports]
Completed UDP Scan at 20:44, 6.31s elapsed (1024 total ports)
Initiating Service scan at 20:44
Scanning 1024 services on cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Service scan Timing: About 0.39% done
Service scan Timing: About 3.12% done; ETC: 22:12 (1:25:46 remaining)
Service scan Timing: About 6.05% done; ETC: 21:53 (1:04:39 remaining)
Service scan Timing: About 8.98% done; ETC: 21:46 (0:56:03 remaining)
Discovered open port 123/udp on 128.197.112.233
Discovered open|filtered port 123/udp on cumm024-0701-dhcp-233.bu.edu (128.197.112.233) is actually open
Completed Service scan at 21:31, 2833.50s elapsed (1024 services on 1 host)
Initiating OS detection (try #1) against cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Retrying OS detection (try #2) against cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
NSE: Script scanning 128.197.112.233.
Initiating NSE at 21:31
Completed NSE at 21:31, 10.02s elapsed

[+] Nmap scan report for cumm024-0701-dhcp-233.bu.edu (128.197.112.233)
Host is up (0.089s latency).
Not shown: 1023 open|filtered ports

PORT    STATE SERVICE VERSION
123/udp open  ntp?

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port123-UDP:V=6.00%I=7%D=12/20%Time=58597D5C%P=x86_64-unknown-linux-gnu
SF:%r(NTPRequest,30,"\xe4\x02\x04\xee\0\0\x8a\xff\0:t\xd9\x84\xa3\x04e\xdb
SF:\xcaeEX\xdbC'\xc5O#Kq\xb1R\xf3\xdc\x03\xfb\xb8\+>U\xab\xdc\x03\xfb\xb8\
SF:+T\xd1\xe9")%r(Citrix,C,"\xde\xc0\x010\x02\0\xa8\xe3\0\0\0\0");

Too many fingerprints match this host to give specific OS details
Network Distance: 9 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 2863.89 seconds
           Raw packets sent: 175 (6.720KB) | Rcvd: 50 (10.088KB)
debian  ip  network-interface  tcpdump  ntp 
蒂姆·奥奇(Tim Otchy)
source
3
听起来您的机器已经受到威胁,并试图隐藏这一事实。iptables -L -v -n和的完整输出是什么ip addr ls
Mark Wagner
2
@TimOtchy需要说明的是,当断开与​​服务器的以太网电缆连接时,是在服务器背面还是在交换机上进行操作?您是否有备用交换机,并且可以将以太网电缆从服务器连接到交换机,但没有其他(电源除外)插入交换机。想法是在服务器上启用链接,但以其他方式隔离该链接,然后查看* 233是否可访问。
icarus
3
在给定(server-> switch no_connection LAN)的情况下,您可以从服务器ping通和(server no_connection LAN),并且只能从服务器ping * .77,我认为我们可以得出结论,服务器也正在服务* .233。下一个问题,“服务器”是“大”框吗?我认为它可能具有单独的机箱管理CPU,或者它是x86设备并具有内置的监视设备。我倾向于对* .233运行完整的端口扫描,看看打开了哪些端口。
icarus
2
请参阅en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface,这是一个独立的CPU,与主CPU,BIOS或主OS无关。
icarus
2
看起来该修复程序应该针对正在运行ssh(以及nmap猜测的Linux)的BMC(IPMI)处理器。Asrock网站上已安装了自2016年3月23日起的软件,但我想那无济于事。我的想法是查看是否可以使用* 233地址。我猜想您可能需要在BMC选项下的BIOS设置中设置用户名和密码???
icarus

Answers:

12

这是带有IPMI的服务器类计算机。导致问题的“ ghost” NTP服务器在系统的BMC处理器而非主CPU上运行。

伊卡洛斯
source
刚通过24小时,就没有来自此mac / IP的任何新NTP流量。绝对是BMC处理器运行的固件版本非常旧,并且使用NTP程序包仍然容易受到放大漏洞的攻击。感谢您为解决此问题提供的所有帮助!
蒂姆·奥奇
8

如前所述,您的IPMI BMC可能是问题所在。如果无法访问IPMI界面的Web界面或ssh界面,则可以尝试在Debian安装中使用IPMI工具获得访问权限:

apt install ipmitool

安装完成后,您可以像这样将命令传递给BMC(如果它在端口1上):

ipmitool lan set 1 ipaddr 192.168.1.211

这是使用IPMITool进行IPMI网络配置的资源。 man ipmitool如果被卡住,总是一本好书...

如果需要,此页面包含有关重置BMC的信息。

祝好运!

问号
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.