关于minifw3.7CUP居高不下的问题

hsyihao 发表于 2007-10-13 21:25:05

最近由于ROS出现频繁掉线换成了minife3.7光盘版刚装上两天没有任何问题。网速也很稳定，中间试过一次QOS限速没设置好网页很慢，后来关了QOS。昨天晚上有人在网吧用了网络执法官之类的软件。所有电脑MAC地址一样，没人喊卡或掉线，刚从外面回来发现主机只要开网页就报毒，看了下ARP(IP/MAC)表怕了跳，迅速找到毒源，人家以结帐下面刚走。关机后一切常，晚上无事看了下http://aijun336.blog.163.com/blog/的minifw3.5使用小解--WEB内容过滤和MINIFW3.7--VPN的用法,开启了这两项服务，今天白天没什么人上网的时候CUP就很高97%左右以下是我的minifw内容(以开启VPN）在没有开启VPN和WEB内容过滤之前CUP最高%14
- 内存文件系统剩余空间
Filesystem       1k-blocks    Used Available Use% Mounted on
/dev/root             193004    6036 186968 3% /
/dev/hda5          7823820 771076 705274410% /tmp1

内存使用
         total       used       free    shared    buffers
Mem:    386516    374372    12144          0    68816
Swap:          0          0          0
Total:    386516    374372    12144

- 已加载的模块
Module                SizeUsed by
ip_nat_pptp          1628 0 (unused)
ip_nat_proto_gre       760 0 (unused)
ip_conntrack_pptp    2072 1
ip_conntrack_proto_gre 1557 0
ipt_ipp2p             4948 1
8139too             11548 2
mii                   1840 0
sch_sfq             2784 0 (unused)
sch_ingress          1088 0 (unused)
sch_htb             16320 0 (unused)
cls_u32             3832 0 (unused)
cls_fw                1940 0 (unused)
ipt_IMQ                480 0 (unused)
ipt_tos                224 0 (unused)
ipt_layer7          7480 0 (unused)
ipt_time             884 0 (unused)
ipt_iprange          356 2
ipt_connlimit       1032 0 (unused)
ip_nat_mms          2352 0 (unused)
ip_nat_h323          2020 0 (unused)
ip_nat_ftp          2192 0 (unused)
ip_conntrack_mms    2448 1
ip_conntrack_h323    1865 1
ip_conntrack_ftp    2992 1
softdog             1296 1

内核启动信息
Linux version 2.4.33-wuhuasan (root@debian) (gcc version 3.4.4) #1 Sat May 5 02:47:43 MDT 2007
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 0000000017ff0000 (usable)
BIOS-e820: 0000000017ff0000 - 0000000017ff3000 (ACPI NVS)
BIOS-e820: 0000000017ff3000 - 0000000018000000 (ACPI data)
BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
0MB HIGHMEM available.
383MB LOWMEM available.
On node 0 totalpages: 98288
zone(0): 4096 pages.
zone(1): 94192 pages.
zone(2): 0 pages.
Kernel command line: BOOT_IMAGE=linux append=load_ramdisk=1 initrd=root.tgz initrd_dyn=minix ramdisk_size=4096 root=/dev/ram0 boot=/dev/hda1,vfat
Initializing CPU#0
Detected 1996.638 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 3984.58 BogoMIPS
Memory: 386008k/393152k available (1145k kernel code, 6760k reserved, 255k data, 80k init, 0k highmem)
Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
Inode cache hash table entries: 32768 (order: 6, 262144 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 32768 (order: 5, 131072 bytes)
Page-cache hash table entries: 131072 (order: 7, 524288 bytes)
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 128K
CPU: After generic, caps: bfebfbff 00000000 00000000 00000000
CPU:          Common caps: bfebfbff 00000000 00000000 00000000
CPU: Intel(R) Celeron(R) CPU 2.00GHz stepping 09
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: PCI BIOS revision 2.10 entry at 0xfb110, last bus=2
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
Transparent bridge - PCI device 8086:244e
PCI: Using IRQ router PIIX/ICH at 00:1f.0
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Real Time Clock Driver v1.10f
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
ICH2: IDE controller at PCI slot 00:1f.1
ICH2: chipset revision 5
ICH2: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:pio, hdd:pio
hda: IBM-DJNA-370910, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: host protected area => 1
hda: 17803440 sectors (9115 MB) w/1966KiB Cache, CHS=17662/16/63, UDMA(33)
Partition check:
hda: hda1 hda2 < hda5 hda6 >
SCSI subsystem driver Revision: 1.00
usb.c: registered new driver hub
host/uhci.c: USB Universal Host Controller Interface driver v1.1
PCI: Found IRQ 11 for device 00:1f.2
PCI: Setting latency timer of device 00:1f.2 to 64
host/uhci.c: USB UHCI at I/O 0xd000, IRQ 11
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
PCI: Found IRQ 12 for device 00:1f.4
PCI: Sharing IRQ 12 with 02:0b.0
PCI: Setting latency timer of device 00:1f.4 to 64
host/uhci.c: USB UHCI at I/O 0xd800, IRQ 12
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
ip_conntrack version 2.1 (3071 buckets, 24568 max) - 368 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
IP_TPROXY: Transparent proxy support initialized 2.0.6
IP_TPROXY: Copyright (c) 2002-2007 BalaBit IT Ltd.
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
INITRD: Compressed Tar archive found at block 0.
VFS: Mounted root (tmpfs filesystem). [ No Ceiling]
INITRD: Extracting TGZ archive: |/-\|/-\|/-\|/-\|/-\|/-\|/-done.
VFS: Close: file count is 0
Freeing initrd memory: 427k freed
Freeing unused kernel memory: 80k freed
reiserfs: found format "3.6" with standard journal
reiserfs: checking transaction log (device ide0(3,5)) ...
for (ide0(3,5))
reiserfs: replayed 24 transactions in 3 seconds
ide0(3,5):Using r5 hash to sort names
Software Watchdog Timer: 0.05, timer margin: 60 sec
ipt_time loading
8139too Fast Ethernet driver 0.9.26
PCI: Found IRQ 11 for device 02:06.0
eth0: RealTek RTL8139 at 0xd8904000, 00:0a:eb:74:56:9b, IRQ 11
eth0:Identified 8139 chip type 'RTL-8100B/8139D'
PCI: Found IRQ 12 for device 02:0b.0
PCI: Sharing IRQ 12 with 00:1f.4
eth1: RealTek RTL8139 at 0xd8906000, 00:0a:eb:5b:6b:94, IRQ 12
eth1:Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
eth1: link up, 100Mbps, full-duplex, lpa 0x45E1
IPP2P v0.8.2 loading
ip_conntrack_pptp version 1.9 loaded
ip_nat_pptp version 1.5 loaded

网络接口状态
eth0    Link encap:EthernetHWaddr 00:0A:EB:74:56:9B
      inet addr:192.168.0.1Bcast:192.168.0.255Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICASTMTU:1500Metric:1
      RX packets:25031345 errors:0 dropped:0 overruns:0 frame:0
      TX packets:28504237 errors:0 dropped:0 overruns:5 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:2142224128 (1.9 GiB)TX bytes:3095024172 (2.8 GiB)
      Interrupt:11 Base address:0x4000

eth1    Link encap:EthernetHWaddr 00:0A:EB:5B:6B:94
      inet addr:172.0.0.1Bcast:172.0.0.1Mask:255.255.255.252
      UP BROADCAST RUNNING MULTICASTMTU:1500Metric:1
      RX packets:33751361 errors:0 dropped:0 overruns:0 frame:0
      TX packets:30308724 errors:0 dropped:0 overruns:5 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:3827333432 (3.5 GiB)TX bytes:3301305482 (3.0 GiB)
      Interrupt:12 Base address:0x6000

lo    Link encap:Local Loopback
      inet addr:127.0.0.1Mask:255.0.0.0
      UP LOOPBACK RUNNINGMTU:16436Metric:1
      RX packets:3649912 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3649912 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:181457416 (173.0 MiB)TX bytes:181457416 (173.0 MiB)

ppp0    Link encap:Point-Point Protocol
      inet addr:192.168.15.1P-t-P:192.168.15.80Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICASTMTU:1400Metric:1
      RX packets:673354 errors:2472 dropped:0 overruns:0 frame:0
      TX packets:835721 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:106091535 (101.1 MiB)TX bytes:525841002 (501.4 MiB)

ppp1    Link encap:Point-Point Protocol
      inet addr:192.168.15.1P-t-P:192.168.15.81Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICASTMTU:1400Metric:1
      RX packets:149651 errors:17 dropped:0 overruns:0 frame:0
      TX packets:203444 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:19532244 (18.6 MiB)TX bytes:122183513 (116.5 MiB)
运行中的进程

PIDUid VmSize Stat Command
1 root    312 S init
2 root          SW
3 root          SWN
4 root          SW
5 root          SW
6 root          SW
7 root          SW
273 root          SW
333 root    244 S /sbin/watchdog -t 30 /dev/watchdog
486 root    332 S syslogd -m 0 -C
487 root    288 S klogd
496 root    368 S /usr/sbin/sshd -p 880
858 root    336 S httpd -p 8080 -h /var/http/htdocs -c /.whs
877 root    632 S /usr/local/squid/sbin/squid -a 3107 -D
881 nobody 19360 S (squid) -a 3107 -D
882 nobody    164 S (unlinkd)
883 nobody 1456 S dansguardian
891 nobody 2264 S dansguardian
906 root    308 S /sbin/getty 38400 tty1
1819 root    268 S pptpd -o /tmp/options.pptpd
7769 root    320 S pptpd
7770 root    508 S /usr/sbin/pppd local file /tmp/options.pptpd 115200 1
18756 root    296 S pptpd
18757 root    508 S /usr/sbin/pppd local file /tmp/options.pptpd 115200 1
18896 root    360 S /usr/sbin/dnsmasq
28557 nobody 1580 S dansguardian                            不白明的地方，下面这么多进程
28688 nobody 1556 S dansguardian
29013 nobody 1572 S dansguardian
29082 nobody 1520 S dansguardian
29115 nobody 1456 S dansguardian
29116 nobody 1456 S dansguardian
29128 nobody 1548 S dansguardian
29139 nobody 1560 S dansguardian
29142 nobody 1560 S dansguardian
29145 nobody 1520 S dansguardian
29355 nobody 1560 S dansguardian
29356 nobody 1476 S dansguardian
29357 nobody 1476 S dansguardian
29358 nobody 1556 S dansguardian
29359 nobody 1476 S dansguardian
29360 nobody 1456 S dansguardian
29361 nobody 1456 S dansguardian
29362 nobody 1456 S dansguardian
29363 nobody 1456 S dansguardian
29364 nobody 1456 S dansguardian
29365 nobody 1456 S dansguardian
29366 nobody 1456 S dansguardian
29367 root    384 S httpd -p 8080 -h /var/http/htdocs -c /.whs
29368 root    384 S /bin/sh /var/http/htdocs/cgi-bin/diags.cgi
29472 root    308 R ps

[ 本帖最后由 hsyihao 于 2007-10-13 21:28 编辑 ]

xhb912 发表于 2007-10-14 19:49:38

楼主想说什么？开VPN能防止CPU占用率高？只能分析是你开了WEB过滤之后。内网的机没中ARP病毒而已。

bfrader 发表于 2007-10-14 20:40:17

这不是cpu高，而是内存使用高，这是正常的，你使用web过滤的同时，web代理也会起作用，会用较多的内存作为代理缓存使用。虽然剩余内存少，但机器还是很稳定的，而且浏览网页速度会慢慢地快起来。不用担心这个问题！

hsyihao 发表于 2007-10-14 23:12:29

原帖由 bfrader 于 2007-10-14 20:40 发表 http://bbs.routerclub.com/images/common/back.gif
这不是cpu高，而是内存使用高，这是正常的，你使用web过滤的同时，web代理也会起作用，会用较多的内存作为代理缓存使用。虽然剩余内存少，但机器还是很稳定的，而且浏览网页速度会慢慢地快起来。不用担心这个问题！

谢谢你的回答````不过我害怕如果再有人用ARP攻击的话那会不会掉线呢？我知道minifw防ARP很强```但是资源用到%98了会不会掉线（ARP攻击）
还有一点不明白的就是这些进程
18896 root 360 S /usr/sbin/dnsmasq
28557 nobody 1580 S dansguardian 不白明的地方，下面这么多进程
28688 nobody 1556 S dansguardian
29013 nobody 1572 S dansguardian
29082 nobody 1520 S dansguardian
29115 nobody 1456 S dansguardian
29116 nobody 1456 S dansguardian
29128 nobody 1548 S dansguardian
29139 nobody 1560 S dansguardian
29142 nobody 1560 S dansguardian
29145 nobody 1520 S dansguardian
29355 nobody 1560 S dansguardian
29356 nobody 1476 S dansguardian
29357 nobody 1476 S dansguardian
29358 nobody 1556 S dansguardian
29359 nobody 1476 S dansguardian
29360 nobody 1456 S dansguardian
29361 nobody 1456 S dansguardian
29362 nobody 1456 S dansguardian
29363 nobody 1456 S dansguardian
29364 nobody 1456 S dansguardian
29365 nobody 1456 S dansguardian
29366 nobody 1456 S dansguardian
昨天有个网管打开一个网页提示说的什么不记得了```大概的意思就是网站不支持代理上网（充点卡网站不记得是那个了）网页打不开```下次再发现就记下来

[ 本帖最后由 hsyihao 于 2007-10-14 23:42 编辑 ]

bfrader 发表于 2007-10-15 09:04:14

dansguardian应该就是代理进程。
arp攻击与DDOS攻击不同，一般不会影响路由器资源使用，只是你的局域网客户机的数据都要从实行arp攻击的那台机器经过，最后会出现帐号、密码被盗的情况。

hsyihao 发表于 2007-10-15 19:40:16

就是这个网站打不开````请帮我看下```要在那里设置````

bfrader 发表于 2007-10-16 07:11:22

可能这个网站在minifw的web过滤的黑名单上吧。我经过某个代理网站访问这个网站，一切正常。

hsyihao 发表于 2007-10-16 11:51:40

那请问下要怎么把它从黑名单里删除呢？

bfrader 发表于 2007-10-16 13:18:27

可能我的说法不对，minifw好象是根据某些文字特征进行过滤的，所以无法进行黑名单修改。我觉得没必要进行网站过滤，可以自己在防火墙规则里对一些不良网站进行封堵。至于防止arp攻击，可以进行mac_ip绑定。

hsyihao 发表于 2007-10-17 00:03:41

原帖由 bfrader 于 2007-10-16 07:11 发表 http://bbs.routerclub.com/images/common/back.gif
可能这个网站在minifw的web过滤的黑名单上吧。我经过某个代理网站访问这个网站，一切正常。

问题找到那，不选这一项行吗？

bfrader 发表于 2007-10-17 07:08:48

如果不开启代理服务器，web过滤就不起作用了

LanTian 发表于 2007-10-20 22:50:33

原帖由 bfrader 于 2007-10-16 13:18 发表 http://bbs.routerclub.com/images/common/back.gif
可能我的说法不对，minifw好象是根据某些文字特征进行过滤的，所以无法进行黑名单修改。我觉得没必要进行网站过滤，可以自己在防火墙规则里对一些不良网站进行封堵。至于防止arp攻击，可以进行mac_ip绑定。
不良网站太多了吧，而且有时一个网站的IP地址都能有好几个，那得写多少规则呀。防火墙规则不支持域名过滤方式吧。

用关键词过滤或者网站过滤多方便。比如：关键词("/ad/"、"/pop/“、”/guanggao/“等)、网站("http://union.*.com"等)这样即便下面的客户机没有安装火狐、Maxthon等浏览器也能屏蔽掉一些垃圾地址。

页: [1]

自由的生活_软路由's Archiver

关于minifw3.7CUP居高不下的问题