Behind the openvpn, I have a Synology NAS that handles my mail with MailPlus Server.
What exactly does "behind" mean? What is the network topology from the internet to the NAS, VPN included? Is there NAT or port forwarding?
I keep getting brute-force intrusion attempts.
What kind of attempts?
Despite iptables commands, new addresses keep coming back.
Not surprising: this kind of brute-force attack often comes from many machines in a botnet.
So I used tcpdump to look at the traffic on port 25
On which machine? For what purpose? What are you trying to see in the SMTP traffic?
In your opinion, is it possible to see only the port 25 connections that leave the VPN to reach the NAS?
Can't answer without knowing the network topology.
Last edited by raleur (02-01-2022 13:44:18)
Better to show than to tell.
2022-01-02 15:06:03.789578 IP 212.70.149.89.45418 > monIP.25: Flags [.], ack 80, win 30, options [nop,nop,TS val 3124041279 ecr 893984806], length 0
2022-01-02 15:06:03.903083 IP 87.246.7.246.10184 > monIP.25: Flags [P.], seq 1:12, ack 36, win 29, options [nop,nop,TS val 3360871993 ecr 893983541], length 11: SMTP: EHLO User
2022-01-02 15:06:03.927280 IP monIP.25 > 87.246.7.246.10184: Flags [.], ack 12, win 227, options [nop,nop,TS val 893985021 ecr 3360871993], length 0
2022-01-02 15:06:03.927482 IP monIP.25 > 87.246.7.246.10184: Flags [P.], seq 36:223, ack 12, win 227, options [nop,nop,TS val 893985021 ecr 3360871993], length 187: SMTP: 250-monmail.com
2022-01-02 15:06:03.964532 IP 87.246.7.246.10184 > monIP.25: Flags [.], ack 223, win 30, options [nop,nop,TS val 3360872055 ecr 893985021], length 0
2022-01-02 15:06:04.209853 IP 87.246.7.229.57718 > monIP.25: Flags [F.], seq 7, ack 80, win 30, options [nop,nop,TS val 766048363 ecr 893984035], length 0
2022-01-02 15:06:04.236959 IP monIP.25 > 87.246.7.229.57718: Flags [.], ack 8, win 227, options [nop,nop,TS val 893985329 ecr 766048363], length 0
2022-01-02 15:06:04.573393 IP 87.246.7.229.44984 > 185.44.81.88.25: Flags [S], seq 2686308847, win 29200, options [mss 1460,sackOK,TS val 766048360 ecr 0,nop,wscale 10], length 0
2022-01-02 15:06:04.973148 IP 212.70.149.57.17518 > 45.90.162.62.25: Flags [S], seq 973546904, win 29200, options [mss 1460,sackOK,TS val 3123505384 ecr 0,nop,wscale 10], length 0
2022-01-02 15:06:05.120845 IP 50.18.218.52.12173 > monIP.25: Flags [S], seq 4013490169, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3700626343 ecr 0], length 0
2022-01-02 15:06:05.193958 IP monIP.25 > 50.18.218.52.12173: Flags [S.], seq 14377691, ack 4013490170, win 28960, options [mss 1261,sackOK,TS val 893986239 ecr 3700626343,nop,wscale 7], length 0
2022-01-02 15:06:05.327320 IP 212.70.149.89.45418 > monIP.25: Flags [F.], seq 7, ack 80, win 30, options [nop,nop,TS val 3124042816 ecr 893984806], length 0
2022-01-02 15:06:05.340046 IP 50.18.218.52.12173 > monIP.25: Flags [.], ack 1, win 1024, options [nop,nop,TS val 3700626562 ecr 893986239], length 0
2022-01-02 15:06:05.351923 IP monIP.25 > 212.70.149.89.45418: Flags [.], ack 8, win 227, options [nop,nop,TS val 893986445 ecr 3124042816], length 0
2022-01-02 15:06:05.403978 IP 87.246.7.246.10184 > monIP.25: Flags [P.], seq 12:18, ack 223, win 30, options [nop,nop,TS val 3360873494 ecr 893985021], length 6: SMTP: RSET
2022-01-02 15:06:05.405778 IP monIP.25 > 50.18.218.52.12173: Flags [P.], seq 1:36, ack 1, win 227, options [nop,nop,TS val 893986497 ecr 3700626562], length 35: SMTP: 220 monmail.com ESMTP Postfix
2022-01-02 15:06:05.430409 IP monIP.25 > 87.246.7.246.10184: Flags [P.], seq 223:237, ack 18, win 227, options [nop,nop,TS val 893986523 ecr 3360873494], length 14: SMTP: 250 2.0.0 Ok
2022-01-02 15:06:05.467431 IP 87.246.7.246.10184 > monIP.25: Flags [.], ack 237, win 30, options [nop,nop,TS val 3360873558 ecr 893986523], length 0
2022-01-02 15:06:05.551937 IP 50.18.218.52.12173 > monIP.25: Flags [P.], seq 1:25, ack 36, win 1024, options [nop,nop,TS val 3700626772 ecr 893986497], length 24: SMTP: EHLO forums.openvpn.in
2022-01-02 15:06:05.576677 IP monIP.25 > 50.18.218.52.12173: Flags [.], ack 25, win 227, options [nop,nop,TS val 893986670 ecr 3700626772], length 0
2022-01-02 15:06:05.577730 IP monIP.25 > 50.18.218.52.12173: Flags [P.], seq 36:223, ack 25, win 227, options [nop,nop,TS val 893986671 ecr 3700626772], length 187: SMTP: 250-monmail.com
2022-01-02 15:06:05.643309 IP 87.246.7.229.44984 > 185.44.81.88.25: Flags [S], seq 2686308847, win 29200, options [mss 1460,sackOK,TS val 766049362 ecr 0,nop,wscale 10], length 0
2022-01-02 15:06:05.725714 IP 50.18.218.52.12173 > monIP.25: Flags [P.], seq 25:164, ack 223, win 1024, options [nop,nop,TS val 3700626941 ecr 893986671], length 139: SMTP: MAIL FROM:<www@forums.openvpn.in> SIZE=1828 BODY=8BITMIME
2022-01-02 15:06:05.790462 IP monIP.25 > 50.18.218.52.12173: Flags [.], ack 164, win 235, options [nop,nop,TS val 893986885 ecr 3700626941], length 0
2022-01-02 15:06:05.913662 IP monIP.25 > 50.18.218.52.12173: Flags [P.], seq 223:288, ack 164, win 235, options [nop,nop,TS val 893987006 ecr 3700626941], length 65: SMTP: 250 2.1.0 Ok
2022-01-02 15:06:06.059911 IP 50.18.218.52.12173 > monIP.25: Flags [.], seq 164:1413, ack 288, win 1024, options [nop,nop,TS val 3700627282 ecr 893987006], length 1249: SMTP: Received: by forums.openvpn.in (Postfix, from userid 80)
2022-01-02 15:06:06.060370 IP 50.18.218.52.12173 > monIP.25: Flags [P.], seq 1413:2001, ack 288, win 1024, options [nop,nop,TS val 3700627282 ecr 893987006], length 588: SMTP: /forums.openvpn.net/viewtopic.php?f=24&t=33509&e=1&view=unread#unread
2022-01-02 15:06:06.087082 IP monIP.25 > 50.18.218.52.12173: Flags [.], ack 1413, win 258, options [nop,nop,TS val 893987180 ecr 3700627282], length 0
2022-01-02 15:06:06.087302 IP monIP.25 > 50.18.218.52.12173: Flags [.], ack 2001, win 277, options [nop,nop,TS val 893987180 ecr 3700627282], length 0
2022-01-02 15:06:06.592088 IP monIP.25 > 50.18.218.52.12173: Flags [P.], seq 288:340, ack 2001, win 277, options [nop,nop,TS val 893987685 ecr 3700627282], length 52: SMTP: 250 2.0.0 Ok: queued as 7F609258FC8
2022-01-02 15:06:06.592526 IP monIP.25 > 50.18.218.52.12173: Flags [F.], seq 340, ack 2001, win 277, options [nop,nop,TS val 893987686 ecr 3700627282], length 0
2022-01-02 15:06:06.738292 IP 50.18.218.52.12173 > monIP.25: Flags [F.], seq 2001, ack 340, win 1024, options [nop,nop,TS val 3700627952 ecr 893987685], length 0
2022-01-02 15:06:06.738783 IP 50.18.218.52.12173 > monIP.25: Flags [F.], seq 2001, ack 341, win 1024, options [nop,nop,TS val 3700627952 ecr 893987686], length 0
2022-01-02 15:06:06.765454 IP monIP.25 > 50.18.218.52.12173: Flags [.], ack 2002, win 277, options [nop,nop,TS val 893987856 ecr 3700627952], length 0
2022-01-02 15:06:06.907421 IP 87.246.7.246.10184 > monIP.25: Flags [P.], seq 18:30, ack 237, win 30, options [nop,nop,TS val 3360874997 ecr 893986523], length 12: SMTP: AUTH LOGIN
2022-01-02 15:06:06.933605 IP monIP.25 > 87.246.7.246.10184: Flags [P.], seq 237:255, ack 30, win 227, options [nop,nop,TS val 893988027 ecr 3360874997], length 18: SMTP: 334 VXNlcm5hbWU6
2022-01-02 15:06:06.970630 IP 87.246.7.246.10184 > monIP.25: Flags [.], ack 255, win 30, options [nop,nop,TS val 3360875061 ecr 893988027], length 0
2022-01-02 15:06:07.329927 IP monIP.25 > 212.70.149.57.17276: Flags [P.], seq 1:65, ack 22, win 227, options [nop,nop,TS val 893988424 ecr 3123502335], length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
2022-01-02 15:06:07.368557 IP 212.70.149.57.17276 > monIP.25: Flags [.], ack 65, win 30, options [nop,nop,TS val 3123508168 ecr 893988424], length 0
2022-01-02 15:06:07.554464 IP 87.246.7.229.44984 > 185.44.81.88.25: Flags [S], seq 2686308847, win 29200, options [mss 1460,sackOK,TS val 766051368 ecr 0,nop,wscale 10], length 0
3 - They are botnets, I think, but with iptables commands I was able to stop a few of them, and whole countries too. The idea would be to filter the new IPs that reappear, while I secure my network.
4 - The openvpn opens the ports on my user (my NAS connected via VPN at 10.0.0.50, a fixed IP that I set in the openvpn configuration); the idea would be to filter only those going toward it. That would let me find, in all this log, only the new IPs to ban....
The ports are forwarded as follows
By iptables DNAT port-forwarding rules?
tcpdump -n -tttt -i eth0 port 25 -c 300000
If tcpdump is run on the VPS and eth0 is the internet-facing network interface, then it also captures received packets that are about to be blocked by iptables. If you only want to capture the packets that go into the VPN, you have to run tcpdump on the VPN's tun interface.
Last edited by raleur (02-01-2022 15:41:01)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 86:a5:cd:44:0e:7e brd ff:ff:ff:ff:ff:ff
altname enp0s18
altname ens18
inet MONIP/27 brd 45.90.162.127 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a0c****************fe44:e7e/64 scope global dynamic mngtmpaddr
valid_lft 2591579sec preferred_lft 604379sec
inet6 fe80::84a5************:e7e/64 scope link
valid_lft forever preferred_lft forever
3: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 200
link/none
inet 172.27.224.1/24 scope global as0t0
valid_lft forever preferred_lft forever
inet6 fe80::5639:8019:3cc8:ba6c/64 scope link stable-privacy
valid_lft forever preferred_lft forever
I don't have a tun interface; if I run ip a, I get:
It must be as0t0.
root@monmail:~# tcpdump -n -i as0t0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on as0t0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:01:18.403645 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [.], ack 410590880, win 227, options [nop,nop,TS val 900899407 ecr 3367786373], length 0
17:01:18.519032 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [P.], seq 2272927321:2272927335, ack 1860571104, win 490, options [nop,nop,TS val 7487331 ecr 900898541], length 14: SMTP: ZGlyZWN0b3I=
17:01:18.547639 IP 10.0.0.50.25 > 172.27.224.1.59593: Flags [P.], seq 1:19, ack 14, win 227, options [nop,nop,TS val 900899563 ecr 7487331], length 18: SMTP: 334 UGFzc3dvcmQ6
17:01:18.674188 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [.], ack 19, win 490, options [nop,nop,TS val 7487486 ecr 900899563], length 0
17:01:19.008070 IP 172.27.224.1.9492 > 10.0.0.50.25: Flags [P.], seq 1682629658:1682629664, ack 420812126, win 30, options [nop,nop,TS val 3130956438 ecr 900898788], length 6: SMTP: QUIT
17:01:19.031850 IP 10.0.0.50.25 > 172.27.224.1.9492: Flags [.], ack 6, win 227, options [nop,nop,TS val 900900046 ecr 3130956438], length 0
17:01:19.032329 IP 10.0.0.50.25 > 172.27.224.1.9492: Flags [P.], seq 1:16, ack 6, win 227, options [nop,nop,TS val 900900047 ecr 3130956438], length 15: SMTP: 221 2.0.0 Bye
17:01:19.032535 IP 10.0.0.50.25 > 172.27.224.1.9492: Flags [F.], seq 16, ack 6, win 227, options [nop,nop,TS val 900900047 ecr 3130956438], length 0
17:01:19.069995 IP 172.27.224.1.9492 > 10.0.0.50.25: Flags [.], ack 16, win 30, options [nop,nop,TS val 3130956500 ecr 900900047], length 0
17:01:19.110826 IP 172.27.224.1.9492 > 10.0.0.50.25: Flags [.], ack 17, win 30, options [nop,nop,TS val 3130956540 ecr 900900047], length 0
17:01:19.120389 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [P.], seq 14:28, ack 19, win 490, options [nop,nop,TS val 7487932 ecr 900899563], length 14: SMTP: SmMtMDMxNDAw
17:01:19.203216 IP 10.0.0.50.25 > 172.27.224.1.59593: Flags [.], ack 28, win 227, options [nop,nop,TS val 900900216 ecr 7487932], length 0
17:01:19.284888 IP 172.27.224.1.33000 > 10.0.0.50.25: Flags [P.], seq 353298844:353298850, ack 339241731, win 30, options [nop,nop,TS val 772963400 ecr 900899006], length 6: SMTP: QUIT
17:01:19.323652 IP 10.0.0.50.25 > 172.27.224.1.33000: Flags [.], ack 6, win 227, options [nop,nop,TS val 900900332 ecr 772963400], length 0
17:01:19.325865 IP 10.0.0.50.25 > 172.27.224.1.33000: Flags [F.], seq 16, ack 6, win 227, options [nop,nop,TS val 900900333 ecr 772963400], length 0
17:01:19.327957 IP 10.0.0.50.25 > 172.27.224.1.33000: Flags [P.], seq 1:16, ack 6, win 227, options [nop,nop,TS val 900900333 ecr 772963400], length 15: SMTP: 221 2.0.0 Bye
17:01:19.362709 IP 172.27.224.1.33000 > 10.0.0.50.25: Flags [.], ack 1, win 30, options [nop,nop,TS val 772963478 ecr 900900332,nop,nop,sack 1 {16:17}], length 0
17:01:19.364678 IP 172.27.224.1.33000 > 10.0.0.50.25: Flags [.], ack 17, win 30, options [nop,nop,TS val 772963480 ecr 900900333], length 0
17:01:19.395508 IP 10.0.0.60.56831 > 46.101.121.10.4000: UDP, length 148
17:01:19.616418 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 3190272080:3190272086, ack 1583490606, win 30, options [nop,nop,TS val 3130420358 ecr 900899133], length 6: SMTP: RSET
17:01:19.648826 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [P.], seq 1:15, ack 6, win 227, options [nop,nop,TS val 900900664 ecr 3130420358], length 14: SMTP: 250 2.0.0 Ok
17:01:19.689311 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 15, win 30, options [nop,nop,TS val 3130420431 ecr 900900664], length 0
17:01:20.593780 IP 172.27.224.1.33000 > 10.0.0.50.25: Flags [F.], seq 6, ack 17, win 30, options [nop,nop,TS val 772964709 ecr 900900333], length 0
17:01:20.620508 IP 10.0.0.50.25 > 172.27.224.1.33000: Flags [.], ack 7, win 227, options [nop,nop,TS val 900901636 ecr 772964709], length 0
17:01:20.687729 IP 172.27.224.1.9492 > 10.0.0.50.25: Flags [F.], seq 6, ack 17, win 30, options [nop,nop,TS val 3130958118 ecr 900900047], length 0
17:01:20.714734 IP 10.0.0.50.25 > 172.27.224.1.9492: Flags [.], ack 7, win 227, options [nop,nop,TS val 900901729 ecr 3130958118], length 0
17:01:21.163841 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 6:18, ack 15, win 30, options [nop,nop,TS val 3130421905 ecr 900900664], length 12: SMTP: AUTH LOGIN
17:01:21.218793 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [P.], seq 15:33, ack 18, win 227, options [nop,nop,TS val 900902234 ecr 3130421905], length 18: SMTP: 334 VXNlcm5hbWU6
17:01:21.258993 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 33, win 30, options [nop,nop,TS val 3130422001 ecr 900902234], length 0
17:01:22.285214 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [S], seq 63677662, win 29200, options [mss 1460,sackOK,TS val 3130959713 ecr 0,nop,wscale 10], length 0
17:01:22.327858 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [S.], seq 3848667127, ack 63677663, win 28960, options [mss 1261,sackOK,TS val 900903341 ecr 3130959713,nop,wscale 7], length 0
17:01:22.367526 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 1, win 29, options [nop,nop,TS val 3130959796 ecr 900903341], length 0
17:01:22.410653 IP 10.0.0.50.60781 > 1.1.1.1.53: 18135+ PTR? 1.224.27.172.in-addr.arpa. (43)
17:01:22.413999 IP 1.1.1.1.53 > 10.0.0.50.60781: 18135 NXDomain 0/0/0 (43)
17:01:22.466540 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [P.], seq 1:36, ack 1, win 227, options [nop,nop,TS val 900903478 ecr 3130959796], length 35: SMTP: 220 monmail.com ESMTP Postfix
17:01:22.506206 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 36, win 29, options [nop,nop,TS val 3130959934 ecr 900903478], length 0
17:01:22.696451 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 18:48, ack 33, win 30, options [nop,nop,TS val 3130423438 ecr 900902234], length 30: SMTP: bnM5MkBzZXJ2ZXVyMjAwMC5jb20=
17:01:22.727996 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [P.], seq 33:51, ack 48, win 227, options [nop,nop,TS val 900903743 ecr 3130423438], length 18: SMTP: 334 UGFzc3dvcmQ6
17:01:22.768308 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 51, win 30, options [nop,nop,TS val 3130423510 ecr 900903743], length 0
17:01:23.053089 IP 10.0.0.50.25 > 172.27.224.1.59593: Flags [P.], seq 19:83, ack 28, win 227, options [nop,nop,TS val 900904063 ecr 7487932], length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:23.179538 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [.], ack 83, win 490, options [nop,nop,TS val 7491992 ecr 900904063], length 0
17:01:23.727167 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [F.], seq 28, ack 83, win 490, options [nop,nop,TS val 7492540 ecr 900904063], length 0
17:01:23.774660 IP 10.0.0.50.25 > 172.27.224.1.59593: Flags [F.], seq 83, ack 29, win 227, options [nop,nop,TS val 900904790 ecr 7492540], length 0
17:01:23.901308 IP 172.27.224.1.59593 > 10.0.0.50.25: Flags [.], ack 84, win 490, options [nop,nop,TS val 7492714 ecr 900904790], length 0
17:01:23.954928 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [P.], seq 1:12, ack 36, win 29, options [nop,nop,TS val 3130961383 ecr 900903478], length 11: SMTP: EHLO User
17:01:23.980248 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [.], ack 12, win 227, options [nop,nop,TS val 900904996 ecr 3130961383], length 0
17:01:23.981666 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [P.], seq 36:223, ack 12, win 227, options [nop,nop,TS val 900904996 ecr 3130961383], length 187: SMTP: 250-monmail.com
17:01:24.020956 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 223, win 30, options [nop,nop,TS val 3130961449 ecr 900904996], length 0
17:01:24.071691 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [P.], seq 1505871368:1505871432, ack 929146065, win 229, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:24.106864 IP 172.27.224.1.48901 > 10.0.0.50.25: Flags [P.], seq 1:7, ack 64, win 1023, length 6: SMTP: QUIT
17:01:24.136077 IP 185.93.2.157.443 > 10.0.0.50.44711: UDP, length 41
17:01:24.145097 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [.], ack 7, win 229, length 0
17:01:24.145461 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [F.], seq 79, ack 7, win 229, length 0
17:01:24.175408 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [P.], seq 64:79, ack 7, win 229, length 15: SMTP: 221 2.0.0 Bye
17:01:24.179922 IP 172.27.224.1.48901 > 10.0.0.50.25: Flags [.], ack 64, win 1023, length 0
17:01:24.210196 IP 172.27.224.1.48901 > 10.0.0.50.25: Flags [.], ack 80, win 1023, length 0
17:01:24.210427 IP 172.27.224.1.48901 > 10.0.0.50.25: Flags [F.], seq 7, ack 80, win 1023, length 0
17:01:24.227663 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 48:62, ack 51, win 30, options [nop,nop,TS val 3130424969 ecr 900903743], length 14: SMTP: bnM5MkAyMDIx
17:01:24.248145 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [.], ack 8, win 229, length 0
17:01:24.301862 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [.], ack 62, win 227, options [nop,nop,TS val 900905316 ecr 3130424969], length 0
17:01:24.395894 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [P.], seq 0:64, ack 1, win 227, options [nop,nop,TS val 900905409 ecr 3367786373], length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:24.436293 IP 172.27.224.1.31740 > 10.0.0.50.25: Flags [.], ack 64, win 30, options [nop,nop,TS val 3367792483 ecr 900905409], length 0
17:01:24.522899 IP 172.27.224.1.31740 > 10.0.0.50.25: Flags [P.], seq 1:7, ack 64, win 30, options [nop,nop,TS val 3367792570 ecr 900905409], length 6: SMTP: QUIT
17:01:24.567374 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [.], ack 7, win 227, options [nop,nop,TS val 900905574 ecr 3367792570], length 0
17:01:24.569677 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [P.], seq 64:79, ack 7, win 227, options [nop,nop,TS val 900905575 ecr 3367792570], length 15: SMTP: 221 2.0.0 Bye
17:01:24.569940 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [F.], seq 79, ack 7, win 227, options [nop,nop,TS val 900905575 ecr 3367792570], length 0
17:01:24.609763 IP 172.27.224.1.31740 > 10.0.0.50.25: Flags [.], ack 79, win 30, options [nop,nop,TS val 3367792657 ecr 900905575], length 0
17:01:24.649532 IP 172.27.224.1.31740 > 10.0.0.50.25: Flags [.], ack 80, win 30, options [nop,nop,TS val 3367792697 ecr 900905575], length 0
17:01:25.383458 IP 10.0.0.50.44711 > 185.93.2.157.443: UDP, length 41
17:01:25.589382 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [P.], seq 12:18, ack 223, win 30, options [nop,nop,TS val 3130963018 ecr 900904996], length 6: SMTP: RSET
17:01:25.627611 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [P.], seq 223:237, ack 18, win 227, options [nop,nop,TS val 900906641 ecr 3130963018], length 14: SMTP: 250 2.0.0 Ok
17:01:25.667195 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 237, win 30, options [nop,nop,TS val 3130963095 ecr 900906641], length 0
17:01:25.726985 IP 10.0.0.50.34642 > 220.130.197.210.443: UDP, length 148
17:01:25.890390 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [S], seq 3589908191, win 29200, options [mss 1460,sackOK,TS val 772970005 ecr 0,nop,wscale 10], length 0
17:01:25.942620 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [S.], seq 3755146974, ack 3589908192, win 28960, options [mss 1261,sackOK,TS val 900906937 ecr 772970005,nop,wscale 7], length 0
17:01:25.980431 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 1, win 29, options [nop,nop,TS val 772970095 ecr 900906937], length 0
17:01:26.000254 IP 172.27.224.1.31740 > 10.0.0.50.25: Flags [F.], seq 7, ack 80, win 30, options [nop,nop,TS val 3367794047 ecr 900905575], length 0
17:01:26.022120 IP 10.0.0.50.56436 > 1.1.1.1.53: 26206+ PTR? 1.224.27.172.in-addr.arpa. (43)
17:01:26.026294 IP 1.1.1.1.53 > 10.0.0.50.56436: 26206 NXDomain 0/0/0 (43)
17:01:26.035691 IP 10.0.0.50.25 > 172.27.224.1.31740: Flags [.], ack 8, win 227, options [nop,nop,TS val 900907051 ecr 3367794047], length 0
17:01:26.081935 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [P.], seq 1:36, ack 1, win 227, options [nop,nop,TS val 900907097 ecr 772970095], length 35: SMTP: 220 monmail.com ESMTP Postfix
17:01:26.120004 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 36, win 29, options [nop,nop,TS val 772970235 ecr 900907097], length 0
17:01:27.175216 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [P.], seq 18:30, ack 237, win 30, options [nop,nop,TS val 3130964603 ecr 900906641], length 12: SMTP: AUTH LOGIN
17:01:27.215800 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [P.], seq 1:12, ack 36, win 29, options [nop,nop,TS val 772971331 ecr 900907097], length 11: SMTP: EHLO User
17:01:27.237090 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [P.], seq 237:255, ack 30, win 227, options [nop,nop,TS val 900908249 ecr 3130964603], length 18: SMTP: 334 VXNlcm5hbWU6
17:01:27.277726 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 255, win 30, options [nop,nop,TS val 3130964706 ecr 900908249], length 0
17:01:27.313199 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [.], ack 12, win 227, options [nop,nop,TS val 900908318 ecr 772971331], length 0
17:01:27.313683 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [P.], seq 36:223, ack 12, win 227, options [nop,nop,TS val 900908319 ecr 772971331], length 187: SMTP: 250-monmail.com
17:01:27.351417 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 223, win 30, options [nop,nop,TS val 772971466 ecr 900908319], length 0
17:01:28.452636 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [P.], seq 12:18, ack 223, win 30, options [nop,nop,TS val 772972567 ecr 900908319], length 6: SMTP: RSET
17:01:28.487359 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [P.], seq 223:237, ack 18, win 227, options [nop,nop,TS val 900909499 ecr 772972567], length 14: SMTP: 250 2.0.0 Ok
17:01:28.525399 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 237, win 30, options [nop,nop,TS val 772972640 ecr 900909499], length 0
17:01:28.857293 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [P.], seq 30:64, ack 255, win 30, options [nop,nop,TS val 3130966285 ecr 900908249], length 34: SMTP: ZXh0d2ViQHNlcnZldXIyMDAwLmNvbQ==
17:01:28.894297 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [P.], seq 255:273, ack 64, win 227, options [nop,nop,TS val 900909906 ecr 3130966285], length 18: SMTP: 334 UGFzc3dvcmQ6
17:01:28.934656 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [.], ack 273, win 30, options [nop,nop,TS val 3130966362 ecr 900909906], length 0
17:01:29.406839 IP 10.0.0.60.56831 > 46.101.121.10.4000: UDP, length 148
17:01:29.673756 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [P.], seq 18:30, ack 237, win 30, options [nop,nop,TS val 772973788 ecr 900909499], length 12: SMTP: AUTH LOGIN
17:01:29.732635 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [P.], seq 237:255, ack 30, win 227, options [nop,nop,TS val 900910738 ecr 772973788], length 18: SMTP: 334 VXNlcm5hbWU6
17:01:29.770688 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 255, win 30, options [nop,nop,TS val 772973886 ecr 900910738], length 0
17:01:29.871832 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [P.], seq 51:115, ack 62, win 227, options [nop,nop,TS val 900910882 ecr 3130424969], length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:29.912628 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 115, win 30, options [nop,nop,TS val 3130430654 ecr 900910882], length 0
17:01:30.005799 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [S], seq 129353435, win 29200, options [mss 1460,sackOK,TS val 3367798053 ecr 0,nop,wscale 10], length 0
17:01:30.062068 IP 10.0.0.50.25 > 172.27.224.1.13120: Flags [S.], seq 705422099, ack 129353436, win 28960, options [mss 1261,sackOK,TS val 900911073 ecr 3367798053,nop,wscale 7], length 0
17:01:30.101789 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [.], ack 1, win 29, options [nop,nop,TS val 3367798149 ecr 900911073], length 0
17:01:30.130212 IP 10.0.0.50.35132 > 1.1.1.1.53: 32434+ PTR? 1.224.27.172.in-addr.arpa. (43)
17:01:30.134601 IP 1.1.1.1.53 > 10.0.0.50.35132: 32434 NXDomain 0/0/0 (43)
17:01:30.170164 IP 10.0.0.50.25 > 172.27.224.1.13120: Flags [P.], seq 1:36, ack 1, win 227, options [nop,nop,TS val 900911186 ecr 3367798149], length 35: SMTP: 220 monmail.com ESMTP Postfix
17:01:30.209894 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [.], ack 36, win 29, options [nop,nop,TS val 3367798257 ecr 900911186], length 0
17:01:30.236155 IP 10.0.0.50.53986 > 1.1.1.1.53: 64010+ [1au] A? facebook.com.dbl.spamhaus.org. (58)
17:01:30.306396 IP 1.1.1.1.53 > 10.0.0.50.53986: 64010 NXDomain 0/1/1 (122)
17:01:30.469574 IP 172.27.224.1.56050 > 10.0.0.50.25: Flags [P.], seq 64:74, ack 273, win 30, options [nop,nop,TS val 3130967898 ecr 900909906], length 10: SMTP: RXh0d2Vi
17:01:30.538323 IP 10.0.0.50.25 > 172.27.224.1.56050: Flags [.], ack 74, win 227, options [nop,nop,TS val 900911554 ecr 3130967898], length 0
17:01:30.647303 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 62:68, ack 115, win 30, options [nop,nop,TS val 3130431389 ecr 900910882], length 6: SMTP: QUIT
17:01:30.702979 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [.], ack 68, win 227, options [nop,nop,TS val 900911693 ecr 3130431389], length 0
17:01:30.705429 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [F.], seq 130, ack 68, win 227, options [nop,nop,TS val 900911694 ecr 3130431389], length 0
17:01:30.705683 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [P.], seq 115:130, ack 68, win 227, options [nop,nop,TS val 900911694 ecr 3130431389], length 15: SMTP: 221 2.0.0 Bye
17:01:30.745534 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 115, win 30, options [nop,nop,TS val 3130431487 ecr 900911693,nop,nop,sack 1 {130:131}], length 0
17:01:30.745764 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [.], ack 131, win 30, options [nop,nop,TS val 3130431487 ecr 900911694], length 0
17:01:30.966025 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [P.], seq 30:64, ack 255, win 30, options [nop,nop,TS val 772975081 ecr 900910738], length 34: SMTP: bmFiZW5kdUBzZXJ2ZXVyMjAwMC5jb20=
17:01:31.013901 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [P.], seq 255:273, ack 64, win 227, options [nop,nop,TS val 900912026 ecr 772975081], length 18: SMTP: 334 UGFzc3dvcmQ6
17:01:31.052013 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [.], ack 273, win 30, options [nop,nop,TS val 772975167 ecr 900912026], length 0
17:01:31.569137 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [P.], seq 1:12, ack 36, win 29, options [nop,nop,TS val 3367799617 ecr 900911186], length 11: SMTP: EHLO User
17:01:31.606410 IP 10.0.0.50.25 > 172.27.224.1.13120: Flags [.], ack 12, win 227, options [nop,nop,TS val 900912621 ecr 3367799617], length 0
17:01:31.610316 IP 10.0.0.50.25 > 172.27.224.1.13120: Flags [P.], seq 36:223, ack 12, win 227, options [nop,nop,TS val 900912622 ecr 3367799617], length 187: SMTP: 250-monmail.com
17:01:31.649779 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [.], ack 223, win 30, options [nop,nop,TS val 3367799697 ecr 900912622], length 0
17:01:32.088539 IP 18.195.145.6.443 > 10.0.0.50.32844: Flags [.], ack 3677574007, win 473, options [nop,nop,TS val 194660800 ecr 900882420], length 0
17:01:32.118858 IP 10.0.0.50.32844 > 18.195.145.6.443: Flags [.], ack 1, win 339, options [nop,nop,TS val 900913133 ecr 194638076], length 0
17:01:32.167795 IP 172.27.224.1.12972 > 10.0.0.50.25: Flags [P.], seq 64:74, ack 273, win 30, options [nop,nop,TS val 772976283 ecr 900912026], length 10: SMTP: MTIzNDU2
17:01:32.204796 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [F.], seq 68, ack 131, win 30, options [nop,nop,TS val 3130432946 ecr 900911694], length 0
17:01:32.229077 IP 10.0.0.50.25 > 172.27.224.1.11588: Flags [.], ack 69, win 227, options [nop,nop,TS val 900913244 ecr 3130432946], length 0
17:01:32.239010 IP 10.0.0.50.25 > 172.27.224.1.12972: Flags [.], ack 74, win 227, options [nop,nop,TS val 900913252 ecr 772976283], length 0
17:01:33.045715 IP 172.27.224.1.13120 > 10.0.0.50.25: Flags [P.], seq 12:18, ack 223, win 30, options [nop,nop,TS val 3367801093 ecr 900912622], length 6: SMTP: RSET
17:01:33.078779 IP 10.0.0.50.25 > 172.27.224.1.13120: Flags [P.], seq 223:237, ack 18, win 227, options [nop,nop,TS val 900914092 ecr 3367801093], length 14: SMTP: 250 2.0.0 Ok
Would it be possible to add a variable to remove 10.0.0.5 & 172.27.224.1?
So as to have fewer lines to analyse.... (For example I found an 18.195.145.6....)
Thanks anyway
Would it be possible to add a variable to remove 10.0.0.5 & 172.27.224.1?
Apparently all the SMTP traffic inside the VPN takes place between these addresses, so if you exclude them there will be nothing left to analyse.
Apparently the VPS does SNAT/MASQUERADE on the flows it sends into the VPN. I suppose it makes return routing easier (to be checked), but it is a nuisance for analysis because it hides the real source address in the tcpdump capture and in the NAS logs, so there isn't much to analyse anyway.
What exactly are you trying to see?
For example I found an 18.195.145.6.
Nothing to do with it; that is an outgoing HTTPS connection from your NAS to a server hosted at AWS.
Last edited by raleur (02-01-2022 17:32:03)
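Added example, not part of the thread above and not code from either participant. It does what the original poster was after: take a tcpdump text capture in the format posted above (the `-n` output of `tcpdump ... port 25`) and turn it into a list of source addresses to ban, by keying every "535 5.7.8 ... authentication failed" reply the server sends back to the client address that received it, rather than by excluding addresses. It also checks raleur's point about SNAT/MASQUERADE: if every rejected client in the capture is the same private address (172.27.224.1 on as0t0), the capture carries no real sources and the script says so instead of producing a ban list. The two sample captures are constructed for the example (lines modelled on those posted, timestamps and TCP options trimmed; "monIP" is the anonymised VPS address exactly as the poster wrote it), and the ban threshold is an arbitrary assumption.

```python
"""Find brute-force SMTP AUTH sources in a tcpdump -n text capture."""
import ipaddress
import re
from collections import Counter

# One tcpdump -n line: "[timestamp] IP <src>.<sport> > <dst>.<dport>: ... [SMTP: <payload>]".
# The host part may be an anonymised name such as "monIP", as in the thread.
LINE_RE = re.compile(
    r"\bIP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, sport, dst, dport, smtp_payload) or None for lines that are not IP traffic."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    smtp = rest.split("SMTP: ", 1)[1].strip() if "SMTP: " in rest else ""
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")), smtp


def summarize(capture_text, smtp_port=25):
    """Count AUTH LOGIN attempts and 535 rejections per client address."""
    attempts, failures = Counter(), Counter()
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, smtp = parsed
        if dport == smtp_port and smtp == "AUTH LOGIN":
            attempts[src] += 1  # client -> server: an authentication attempt starts
        elif sport == smtp_port and smtp.startswith("535 "):
            failures[dst] += 1  # server -> client: that attempt was rejected
    return attempts, failures


def _public_ip(host):
    """True for a routable IP literal; False for private ranges and for host names."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def ban_candidates(failures, threshold=3):
    """Public addresses with at least `threshold` rejected AUTHs, most active first."""
    hits = [(ip, n) for ip, n in failures.items() if n >= threshold and _public_ip(ip)]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def looks_masqueraded(failures):
    """True when every rejected client is one single private address: the capture was taken
    behind SNAT/MASQUERADE (as on as0t0 in the thread) and shows no real sources."""
    private = [h for h in failures if not _public_ip(h)]
    return len(failures) > 0 and len(private) == len(failures) and len(set(private)) == 1


def report(capture_text, threshold=3):
    """Run the whole pipeline on one capture and return what an operator needs."""
    attempts, failures = summarize(capture_text)
    return {
        "masqueraded": looks_masqueraded(failures),
        "candidates": ban_candidates(failures, threshold),
        "attempts": dict(attempts),
        "failures": dict(failures),
    }


# Constructed sample modelled on the eth0 capture (real Internet sources visible).
ETH0_SAMPLE = """\
15:06:06.907421 IP 87.246.7.246.10184 > monIP.25: Flags [P.], seq 18:30, ack 237, win 30, length 12: SMTP: AUTH LOGIN
15:06:06.933605 IP monIP.25 > 87.246.7.246.10184: Flags [P.], seq 237:255, ack 30, win 227, length 18: SMTP: 334 VXNlcm5hbWU6
15:06:07.329927 IP monIP.25 > 212.70.149.57.17276: Flags [P.], seq 1:65, ack 22, win 227, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
15:06:08.101200 IP 212.70.149.57.17290 > monIP.25: Flags [P.], seq 18:30, ack 237, win 30, length 12: SMTP: AUTH LOGIN
15:06:09.412310 IP monIP.25 > 212.70.149.57.17290: Flags [P.], seq 237:301, ack 74, win 227, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
15:06:09.998001 IP monIP.25 > 87.246.7.246.10184: Flags [P.], seq 273:337, ack 74, win 227, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
15:06:06.592088 IP monIP.25 > 50.18.218.52.12173: Flags [P.], seq 288:340, ack 2001, win 277, length 52: SMTP: 250 2.0.0 Ok: queued as 7F609258FC8
"""

# Constructed sample modelled on the as0t0 capture (every client is the masquerading VPS).
AS0T0_SAMPLE = """\
17:01:21.163841 IP 172.27.224.1.11588 > 10.0.0.50.25: Flags [P.], seq 6:18, ack 15, win 30, length 12: SMTP: AUTH LOGIN
17:01:23.053089 IP 10.0.0.50.25 > 172.27.224.1.59593: Flags [P.], seq 19:83, ack 28, win 227, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:24.071691 IP 10.0.0.50.25 > 172.27.224.1.48901: Flags [P.], seq 1:65, ack 1, win 229, length 64: SMTP: 535 5.7.8 Error: authentication failed: authentication failure
17:01:19.395508 IP 10.0.0.60.56831 > 46.101.121.10.4000: UDP, length 148
"""

if __name__ == "__main__":
    for name, text in (("eth0", ETH0_SAMPLE), ("as0t0", AS0T0_SAMPLE)):
        r = report(text, threshold=2)
        if r["masqueraded"]:
            print(f"{name}: capture is behind SNAT/MASQUERADE, no real sources to ban")
        else:
            print(f"{name}: ban candidates {r['candidates']}")
```

Feed it a real file with `report(open("capture.txt").read(), threshold=5)`; the threshold is the operator's choice. The key design point is that failures are attributed from the server's 535 reply (whose destination is always the client), so a capture taken on eth0 gives usable addresses, while the same script run on the as0t0 capture correctly reports that everything collapses to 172.27.224.1, which is why raleur says there is little to analyse there.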