• A brief analysis of the large number of dhclient messages in Linux logs


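    While recently checking a Linux server, I found a large number of the messages below in its logs; some of the information has been masked. Address A (192.168.AAA.AAA) is the DNS server address, and address B (192.168.BBB.BBB) is the dynamically obtained IP address.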

     

     

    # The masked information is shown below:

     

    Jul 24 15:14:18 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

    Jul 24 15:14:18 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

    Jul 24 15:14:18 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 863 seconds.

    Jul 24 15:28:41 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

    Jul 24 15:28:41 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

    Jul 24 15:28:41 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 681 seconds.

    Jul 24 15:40:02 xxxxxx dhclient: DHCPREQUEST on eth0 to 192.168.AAA.AAA port 67 (xid=0x1ff3cda3)

    Jul 24 15:40:02 xxxxxx dhclient: DHCPACK from 192.168.AAA.AAA (xid=0x1ff3cda3)

    Jul 24 15:40:02 xxxxxx dhclient: bound to 192.168.BBB.BBB -- renewal in 763 seconds.

     

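    So what are DHCPREQUEST and DHCPACK? My first guess was that they are very likely related to the server dynamically requesting an IP address (DHCP). I then searched for related material to verify this: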

     

    About DHCPREQUEST:

     

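    DHCP request (REQUEST): when a client PC receives an IP lease offer, it must tell all the other DHCP servers that it has accepted a lease offer. The client therefore sends a DHCPREQUEST message containing the IP of the server that provided the lease. When the other DHCP servers receive this message, they withdraw any leases they may have offered to that client and return the address they had reserved for it to the pool of available addresses, so that it can be assigned to other computers. Any number of DHCP servers may respond to the same IP lease request, but each client NIC can accept only one lease offer.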

     

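    About DHCPACK:

    After the DHCP server receives the REQUEST message from the client, it begins the final phase of the configuration process. This acknowledgement phase consists of sending a DHCPACK packet to the client. The packet contains the lease duration and any other configuration information the client may have requested. At this point the TCP/IP configuration process is complete.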
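
    The REQUEST/ACK/bound triplets in the log above can be paired by xid and checked against the renewal timer. The following is an added example, not part of the original post: the function names are hypothetical, the year is an assumed value because syslog lines carry none, and the sample is the masked log with 192.0.2.x placeholders and one altered DHCPACK source.

```python
import re
from datetime import datetime

# Constructed sample: the masked log above with 192.0.2.x placeholders for the
# masked octets; the last DHCPACK source is altered to exercise the check.
SAMPLE = """\
Jul 24 15:14:18 host dhclient: DHCPREQUEST on eth0 to 192.0.2.10 port 67 (xid=0x1ff3cda3)
Jul 24 15:14:18 host dhclient: DHCPACK from 192.0.2.10 (xid=0x1ff3cda3)
Jul 24 15:14:18 host dhclient: bound to 192.0.2.50 -- renewal in 863 seconds.
Jul 24 15:28:41 host dhclient: DHCPREQUEST on eth0 to 192.0.2.10 port 67 (xid=0x1ff3cda3)
Jul 24 15:28:41 host dhclient: DHCPACK from 192.0.2.10 (xid=0x1ff3cda3)
Jul 24 15:28:41 host dhclient: bound to 192.0.2.50 -- renewal in 681 seconds.
Jul 24 15:40:02 host dhclient: DHCPREQUEST on eth0 to 192.0.2.10 port 67 (xid=0x1ff3cda3)
Jul 24 15:40:02 host dhclient: DHCPACK from 192.0.2.99 (xid=0x1ff3cda3)
Jul 24 15:40:02 host dhclient: bound to 192.0.2.50 -- renewal in 763 seconds.
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhclient(?:\[\d+\])?: (.*)$")
REQ = re.compile(r"DHCPREQUEST on (\S+) to (\S+) port \d+ \(xid=(\w+)\)")
ACK = re.compile(r"DHCPACK from (\S+) \(xid=(\w+)\)")
BOUND = re.compile(r"bound to (\S+) -- renewal in (\d+) seconds")

def parse_renewals(text, year=2000):
    """Group REQUEST/ACK/bound lines into renewals (year is assumed, not logged)."""
    done, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)
        if r := REQ.search(msg):
            cur = {"sent": ts, "iface": r.group(1), "server": r.group(2), "xid": r.group(3)}
        elif cur and (a := ACK.search(msg)) and a.group(2) == cur["xid"]:
            cur["acked_by"] = a.group(1)  # ACK must carry the request's xid
        elif cur and "acked_by" in cur and (b := BOUND.search(msg)):
            cur.update(address=b.group(1), renew_in=int(b.group(2)), bound=ts)
            done.append(cur)
            cur = None
    return done

def review(renewals, slack=5):
    """Findings: ACK from a server other than the one asked, or off-timer renewal."""
    out = []
    for prev, r in zip([None] + renewals, renewals):
        if r["server"] != "255.255.255.255" and r["acked_by"] != r["server"]:
            out.append(f"{r['bound']:%b %d %H:%M:%S} ACK from {r['acked_by']}, asked {r['server']}")
        if prev and abs((r["sent"] - prev["bound"]).total_seconds() - prev["renew_in"]) > slack:
            out.append(f"{r['sent']:%b %d %H:%M:%S} renewal not on the {prev['renew_in']}s timer")
    return out
```

    On the sample, each DHCPREQUEST is sent exactly when the previous "renewal in N seconds" timer expires (863 s and 681 s), so only the altered responder is reported.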

     

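    But isn't this server configured with a static IP? Why would there be DHCP-related log entries? First I checked and confirmed that address A (192.168.AAA.AAA) is a DNS server address, as shown below: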

     

    [root@xxxx log]# more /etc/resolv.conf
    ; generated by /sbin/dhclient-script
    search eel1.esquel.com
    nameserver 192.168.AAA.AAA
    nameserver 192.168.xxx.xxx

     

    Next, I looked at the server's IP address, as shown below:

     

    [root@xxxxx log]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:AF:0F:87 
              inet addr:192.168.BBB.BBB  Bcast:192.168.xxx.xxx  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1113647339 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5394185429 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:232836326224 (216.8 GiB)  TX bytes:7577117537336 (6.8 TiB)

    lo        Link encap:Local Loopback 
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:943142413 errors:0 dropped:0 overruns:0 frame:0
              TX packets:943142413 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:37841765933 (35.2 GiB)  TX bytes:37841765933 (35.2 GiB)

     

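    The check showed that this network interface has two IP addresses bound to it, as shown below (192.168.CCC.CCC is the static IP address). Most surprising is that ifconfig displays the dynamic IP address rather than the static IP address set in ifcfg-eth0.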

     

    [root@xxxxx log]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:af:0f:87 brd ff:ff:ff:ff:ff:ff
        inet 192.168.BBB.BBB/24 brd 192.168.152.255 scope global eth0
        inet 192.168.CCC.CC/24 brd 192.168.152.255 scope global secondary eth0
     
    [root@xxx network-scripts]# more ifcfg-eth0 
    # Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
    DEVICE=eth0
    BOOTPROTO=none
    ONBOOT=yes
    HWADDR=00:0c:29:af:0f:87
    NETMASK=255.255.255.0
    IPADDR=192.168.CCC.CCC
    GATEWAY=192.168.xxx.xxx
    TYPE=Ethernet
    USERCTL=no
    IPV6INIT=no
    PEERDNS=yes
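
    The mismatch seen above (a static ifcfg-eth0, but the DHCP-assigned address as primary and a dhclient-generated resolv.conf) can be checked mechanically. The following is an added example, not part of the original post: the function names are hypothetical and the inputs are constructed from the masked output, with 192.0.2.x placeholders for the masked values.

```python
import re

# Constructed inputs modelled on the masked output above; 192.0.2.x addresses
# are placeholders for the masked values.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:af:0f:87 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.50/24 brd 192.0.2.255 scope global eth0
    inet 192.0.2.20/24 brd 192.0.2.255 scope global secondary eth0
"""
IFCFG = "DEVICE=eth0\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=192.0.2.20\nNETMASK=255.255.255.0\n"
RESOLV = "; generated by /sbin/dhclient-script\nnameserver 192.0.2.10\n"

def parse_ifcfg(text):
    """KEY=value lines of an ifcfg-* file, ignoring comments and optional quotes."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, v in pairs}

def parse_inet(text):
    """(address, is_secondary) for each IPv4 'inet' line of `ip addr show`."""
    return [(m.group(1), "secondary" in m.group(2))
            for m in re.finditer(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/\d+(.*)$", text, re.M)]

def audit(ip_addr, ifcfg, resolv):
    """Compare the configured static address with what the interface really holds."""
    cfg, addrs, findings = parse_ifcfg(ifcfg), parse_inet(ip_addr), []
    static = cfg.get("BOOTPROTO", "none").lower() in ("none", "static")
    primary = [a for a, secondary in addrs if not secondary]
    want = cfg.get("IPADDR")
    if static and want and want not in primary:
        where = "secondary" if (want, True) in addrs else "absent"
        findings.append(f"static IPADDR {want} is {where}; primary is {primary}")
    if static and "dhclient-script" in resolv:
        findings.append("resolv.conf was generated by dhclient-script on a static interface")
    return findings
```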

     

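    My personal guess is that the local system administrator, for some unknown reason, bound an additional address to the NIC. Below, I ran a simple test on a test server. If the network is set to obtain its IP address dynamically, this kind of message will basically appear: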

     

    Jul 20 13:01:49 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 12333 seconds.
     
    Jul 20 16:27:22 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
     
    Jul 20 16:27:22 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
     
    Jul 20 16:27:22 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 11811 seconds.
     
    Jul 20 19:44:12 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
     
    Jul 20 19:44:13 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
     
    Jul 20 19:44:13 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13245 seconds.
     
    Jul 20 23:24:58 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
     
    Jul 20 23:24:58 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
     
    Jul 20 23:24:58 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13115 seconds.
     
    Jul 21 03:03:32 DB-Server dhclient: DHCPREQUEST on eth0 to 192.168.27.210 port 67 (xid=0x293091fd)
     
    Jul 21 03:03:33 DB-Server dhclient: DHCPACK from 192.168.27.210 (xid=0x293091fd)
     
    Jul 21 03:03:33 DB-Server dhclient: bound to 10.20.57.24 -- renewal in 13533 seconds.

     

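    During the test I also found that if the first address is a static IP address and the second (secondary) address is a dynamic one, the DHCPREQUEST and DHCPACK log entries above do not appear in messages. But if the NIC's first address is a dynamic address, DHCP-related log entries do appear in messages.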

     

    [root@DB-Server network-scripts]# ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr B0:83:FE:55:32:E5  
              inet addr:10.20.57.24  Bcast:10.255.255.255  Mask:255.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:230 errors:0 dropped:0 overruns:0 frame:0
              TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:22435 (21.9 KiB)  TX bytes:20666 (20.1 KiB)
              Interrupt:233 Base address:0x4000 
    [root@DB-Server network-scripts]# more /etc/resolv.conf
    ; generated by /sbin/dhclient-script
    search gfg1.esquel.com
    nameserver 192.168.xxx.xxx
    nameserver 192.168.xxx.xxx
    [root@DB-Server network-sc
     
    [root@DB-Server network-scripts]# ifconfig eth0:1 10.20.57.26 netmask 255.0.0.0
     
    [root@DB-Server network-scripts]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether b0:83:fe:55:32:e5 brd ff:ff:ff:ff:ff:ff
        inet 10.20.57.24/8 brd 10.255.255.255 scope global eth0
        inet 10.20.57.26/8 brd 10.255.255.255 scope global secondary eth0:1

     

     

     

    References:

     

    https://zh.wikipedia.org/zh-hans/%E5%8A%A8%E6%80%81%E4%B8%BB%E6%9C%BA%E8%AE%BE%E7%BD%AE%E5%8D%8F%E8%AE%AE

  • Original article: https://www.cnblogs.com/kerrycode/p/11249865.html