NETWORK LAYERS
Application: e.g. ssh
Transport: UDP, TCP
Internet: packets (IP)
Link: Ethernet
*) To show all interfaces and their addresses, execute ip addr show
----------------------------------
rahul@rahul-Inspiron-3542:~$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 74:e6:e2:00:24:53 brd ff:ff:ff:ff:ff:ff
----------------------------------
*) To show statistics for a single interface, execute ip -s link show lo
----------------------------------
rahul@rahul-Inspiron-3542:~$ ip -s link show lo
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
99038 1256 0 0 0 0
TX: bytes packets errors dropped carrier collsns
99038 1256 0 0 0 0
----------------------------------
*) To see the routing table, execute ip route show
----------------------------------
rahul@rahul-Inspiron-3542:~$ ip route show
default via 192.168.1.1 dev wlp6s0 proto static metric 600
192.168.1.0/24 dev wlp6s0 proto kernel scope link src 192.168.1.121 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
====================================================================
IP routing
=======
Adding and Removing a null route
How to add a null route
In our example we are receiving unwanted SSH login attempts from 192.168.0.195.
root@server:~# netstat -na | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED
To add the null route we will use the ip command:
root@server:~# ip route add blackhole 192.168.0.195/32
To verify the route is in place we will use ip route show:
root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100
blackhole 192.168.0.195
After a little while the established SSH connections will time out, and all subsequent connections from the blocked IP will receive the following:
baduser@attacker:~$ ssh 192.168.0.197
ssh: connect to host 192.168.0.197 port 22: No route to host
Removing a null route
After the attack has subsided, or in case you added the wrong IP, you may want to remove the blackhole route. To do so we will use the ip command again:
root@server:~# ip route del 192.168.0.195
root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100
=================
3. Null route
I believe the above 3 IPs are the root cause of the high load issue; let's null route those IPs so that all incoming connections from those 3 IPs will be dropped or ignored.
Null route command:
route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo
Alternative command
You can also use the following commands to null route the IPs; both are doing the same thing.
route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject
Use netstat -nr to display all the routes and make sure they were added to the routing table.
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
114.198.236.100 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
120.63.179.245 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
122.163.226.243 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
Done. Wait a few seconds and check the server load again; it's back to normal now.
# top
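Added example, not part of the original notes nor of either quoted guide: a POSIX sh wrapper for the blackhole procedure above, in iproute2 form (it also stands in for the legacy route ... gw 127.0.0.1 lo variant). It validates the address first and refuses to blackhole one of the host's own addresses, the "wrong IP" case the text mentions; the check functions read command output on stdin, so they can be exercised against saved output without root. Function names and the /32 form are my own choices.

```sh
#!/bin/sh
# Added example, not part of the original notes: helpers around the
# blackhole-route procedure above. The add/del functions need root and
# iproute2; the check functions only parse text on stdin.

# Succeed only if $1 is a well-formed dotted-quad IPv4 address (no CIDR,
# no stray characters), so a typo or a pasted log fragment is refused.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Escape the dots so grep -E matches the address literally.
ip_regex() { printf '%s\n' "$1" | sed 's/\./\\./g'; }

# Read "ip route show" output on stdin; succeed if it holds a blackhole
# route for $1. A /32 host route is printed without its prefix length.
has_blackhole() {
    grep -Eq "^blackhole $(ip_regex "$1")(/32)?( |\$)"
}

# Read "ip -o -4 addr show" output on stdin; succeed if $1 is one of this
# host's own addresses (the "wrong IP" case: never blackhole yourself).
is_local_address() {
    grep -Eq " inet $(ip_regex "$1")/"
}

# Validate, add the blackhole route, then verify it is in the table.
null_route_add() {
    target="$1"
    valid_ipv4 "$target" || { echo "refusing '$target': not an IPv4 address" >&2; return 2; }
    if ip -o -4 addr show | is_local_address "$target"; then
        echo "refusing '$target': it is a local address" >&2
        return 2
    fi
    ip route add blackhole "$target/32" || return 1
    ip route show | has_blackhole "$target"
}

# Remove the route again once the login attempts have stopped.
null_route_del() {
    target="$1"
    valid_ipv4 "$target" || return 2
    ip route del "$target/32"
}
```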
General syntax for adding a static route:
ip route add {NETWORK} via {IP} dev {DEVICE}
For example, to reach network 192.168.55.0/24 via 192.168.1.254:
# ip route add 192.168.55.0/24 via 192.168.1.254 dev eth1
Alternatively, you can use the good old route command:
# route add -net 192.168.55.0 netmask 255.255.255.0 gw 192.168.1.254 dev eth1
rahul@rahul-Inspiron-3542:~$ nmcli con show
NAME UUID TYPE DEVICE
Manga 86fb52de-3cf9-42ec-af18-a044892fda9e 802-11-wireless wlp6s0
virbr0 c478adf7-36fa-49e7-84bb-73f85f1aef23 bridge virbr0
Wired connection 1 95aa4a5b-f13e-31b5-a1ed-3bfbce1130c1 802-3-ethernet --
rahul@rahul-Inspiron-3542:~$ nmcli con show --active
NAME UUID TYPE DEVICE
Manga 86fb52de-3cf9-42ec-af18-a044892fda9e 802-11-wireless wlp6s0
virbr0 c478adf7-36fa-49e7-84bb-73f85f1aef23 bridge virbr0
rahul@rahul-Inspiron-3542:~$ nmcli con show "Manga"
connection.id: Manga
connection.uuid: 86fb52de-3cf9-42ec-af18-a044892fda9e
connection.interface-name: --
connection.type: 802-11-wireless
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.timestamp: 1495572108
connection.read-only: no
connection.permissions:
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries:
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
802-11-wireless.ssid: Manga
802-11-wireless.mode: infrastructure
802-11-wireless.band: --
802-11-wireless.channel: 0
802-11-wireless.bssid: --
802-11-wireless.rate: 0
802-11-wireless.tx-power: 0
802-11-wireless.mac-address: B0:10:41:92:67:97
802-11-wireless.cloned-mac-address: --
802-11-wireless.mac-address-blacklist:
Define a connection named static that will autoconnect on ethernet:
nmcli con add con-name "static" type ethernet ifname eth0
Create a new connection named default that does not autoconnect, with a static IP address and gateway:
nmcli con add con-name default type ethernet ifname eth0 autoconnect no ip4 172.x.x.1 gw4 172.x.x.2
Turn off autoconnect for static:
nmcli con show static
nmcli con mod static connection.autoconnect no
In nmcli con mod, prefixing a property with + or - adds a value to, or removes a value from, a multi-valued setting.
To activate the changes, run nmcli con up static.
----------------------------------
*) To see listening TCP sockets (ss replaces netstat for this), execute ss -tl
___________________________________________________
rahul@rahul-Inspiron-3542:~$ ss -tl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:5900 *:*
LISTEN 0 5 192.168.122.1:domain *:*
LISTEN 0 5 127.0.1.1:domain *:*
LISTEN 0 5 127.0.0.1:ipp *:*
LISTEN 0 5 ::1:ipp :::*
___________________________________________________
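Added example, not from the original notes: a check over ss -tl output that lists the listening TCP sockets reachable from other hosts, i.e. everything not bound to a loopback address. It reads the ss text on stdin so it can be run against saved output; the function names and the set of addresses treated as loopback (127.0.0.0/8, ::1, localhost) are my own choices.

```sh
#!/bin/sh
# Added example, not part of the original notes. On a live host run:
#   ss -tl | check_listeners

# Print the Local Address:Port of every LISTEN socket that is not bound to
# a loopback address. The header line is skipped; ss prints IPv6 addresses
# with or without brackets depending on version, so both forms are handled.
exposed_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" { print $4 }' \
      | grep -Ev '^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[?::1\]?|localhost):' || true
}

# Return 0 (printing nothing) when every listener is loopback-only,
# otherwise print the externally reachable sockets and return 1.
check_listeners() {
    out=$(exposed_listeners)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```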
rahul@rahul-Inspiron-3542:~$ nmcli dev status
DEVICE TYPE STATE CONNECTION
virbr0 bridge connected virbr0
wlp6s0 wifi connected Manga
enp7s0 ethernet unavailable --
lo loopback unmanaged --
virbr0-nic tun unmanaged --
rahul@rahul-Inspiron-3542:~$ nmcli dev show virbr0
GENERAL.DEVICE: virbr0
GENERAL.TYPE: bridge
GENERAL.HWADDR: 00:00:00:00:00:00
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: virbr0
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]: 192.168.122.1/24
IP4.GATEWAY:
IP6.GATEWAY: