I'm getting a lot of IPs that are getting the "temporary ban", and
I'm putting those in the IP.CAN file...
I recall that a wildcard string of an asterisk * could be used. Would
this be for like a number in the first 3 slots, then an asterisk in the
last slot (as an example (although I obviously won't block it)
192.168.1.*) ??
Or can you use the asterisk in more than one slot, as it were??
It'd cut down on the size of my ip.can file.
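As an added example (not Synchronet's own code, and not from any poster here), a small Python matcher for the `192.168.1.*` style of IP.CAN entry the question describes, extended to an asterisk in more than one slot, plus a helper that collapses many banned hosts from one /24 into a single wildcard entry, which is what would shrink the file. The per-octet wildcard semantics, the shorter-entry rule and the `;` comment convention are assumptions made here, not verified against Synchronet's actual matcher.

```python
"""Wildcard matching for IP.CAN-style blocklist entries (added example).
Assumptions, not verified against Synchronet's own matcher: any octet of an
entry may be '*', a shorter entry ending in '*' matches the remaining octets
(e.g. '10.*'), and lines starting with ';' are comments."""
from collections import Counter

# Constructed sample file: one exact host, one /24 wildcard, one /16 wildcard.
SAMPLE_IP_CAN = """\
; constructed example entries, not a real blocklist
203.0.113.7
198.51.100.*
192.0.*.*
"""

def parse_can(text):
    """Return the non-comment, non-blank entries of an IP.CAN-style file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(";")]

def match_entry(pattern, addr):
    """True if the dotted-quad addr matches one wildcard entry."""
    p_octets = pattern.split(".")
    a_octets = addr.split(".")
    if len(a_octets) != 4:
        return False
    for i, a in enumerate(a_octets):
        if i >= len(p_octets):
            # a shorter pattern keeps matching only if it ended in '*'
            return p_octets[-1] == "*"
        if p_octets[i] != "*" and p_octets[i] != a:
            return False
    return True

def is_blocked(addr, entries):
    """Return the first entry that blocks addr, or None if it is allowed."""
    for entry in entries:
        if match_entry(entry, addr):
            return entry
    return None

def collapse_to_wildcards(banned, threshold=3):
    """Replace hosts that share a /24 prefix seen at least `threshold` times
    with one 'a.b.c.*' entry and keep the rest exact; this shrinks the file."""
    prefix = lambda ip: ".".join(ip.split(".")[:3])
    counts = Counter(prefix(ip) for ip in banned)
    wild = {p for p, n in counts.items() if n >= threshold}
    entries = sorted(p + ".*" for p in wild)
    entries += sorted(ip for ip in banned if prefix(ip) not in wild)
    return entries
```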
Why? Can't you just let the temporary ban do its job?
I think you're probably being overly worried and overly aggressive with the banning.
There have been several occasions where lightning struck close to (not
50 feet from the front door), or right next to my apartment
building...so close that I could hear the static pop from inside my apartment!! Each time afterwards, people were taking electronics items
of every sort (computers and accessories, DVD/VCR units, home
entertainment centers, microwave ovens, etc.) out to the dumpster. The
surge had spread out so far that IT FRIED EVERYTHING!! I even had damage
to the ADT Alarm System on one occasion, but that has since been
repaired.
I'm getting a lot of IPs that are getting the "temporary ban", and
I'm putting those in the IP.CAN file...many of them are from the bot
with the user name of Aquario.
I recall that a wildcard string of an asterisk * could be used.
As for the temporary ban, I upped it from the default of 10 minutes to
one week. Another Sysop noted that he has his set at 1 month...but I haven't tried that.
i get that you are afraid of lightning, but that has nothing to do with your ip blocking.
those are an advanced MIRAI variant... the user name that you probably aren't seeing is actually root and aquario is the password they're sending...
I recall that a wildcard string of an asterisk * could be used.
i'll let someone else answer this ;)
i said that our IDS and active response system on the perimeter firewall block them for that long... sbbs temp bans are all dropped when sbbs is shut down anyway... at least, that's my understanding... i may not have used those exact words in my previous post but i'm always talking about stopping and blocking things on my perimeter instead of letting them beat up my servers and polluting my network with unwanted traffic...
I am a 2 time lightning strike survivor...I don't want the third time
to be the charm.
The IP blocking is because they are constantly tying up the 4 telnet nodes, where no one can get in. And, this doesn't include the numerous
SSH logon failures with a "Read Failure" and a "Bad/Unrecognized Data Format". I've even had hack attempts via the Email and FTP servers, so
I'm blocking them as well.
those are an advanced MIRAI variant... the user name that you
probably aren't seeing is actually root and aquario is the password
they're sending...
Well, either way, I'm getting a ton of them...and each time, the
system is invoking the Temporary IP Ban. I've noted that I can't set it for more than 1W (1 week), or the "ban time" is reduced.
What if SBBS reruns the nodes, as when an update in a setup is done
within SCFG?? Is that the same as a "shut down"??
drop your temp block down to ten minutes or whatever it was, after they have many login attempts they go into the IP.can.
move your nodes to more than 4 until you naturally grow your ip.can.
after a few months it will work itself out and everything will be fine.
it may be a PITA, for your doors especially.. but that's the main reason I put 10 nodes in automatically when putting up on the linux system.
also at times I do have up to 4 real callers plus myself. (very seldom, but it happens).
BTW, TEMP bans go into memory, I couldn't tell you how much it uses, but I try to keep my system as slim as possible.. if you set the temp bans to less time (1 hour) that keeps them from hammering your system, and allows them to automatically be added to the IP.CAN quicker.
What if SBBS reruns the nodes, as when an update in a setup is done within SCFG?? Is that the same as a "shut down"??
SBBS (RECYCLES) the nodes when something is changed in SCFG.
BTW if I was struck by lightning twice.. I think I would be a bit paranoid too..
Have you won the lottery yet?
If not, go buy a ticket.
I understand your frustrations, but Synchronet's built in procedures work. I dropped all my other ip blocking programs 2 months ago because it was limiting who could contact my system. I'm letting Synchronet take care of it all. Tweak the settings, and give it time, it will straighten itself out, I promise. You have 4 nodes, I only have 5. In SBBS.INI, set MaxConcurrentConnections to 2, that way no ip address can tie up anymore than 2 nodes at one time trying to get in. See http://wiki.synchro.net/howto:block-hackers for the other settings. I assure you, the program does work. You will still get hit, but it won't shut your system down, and your users can still get in. Since I let synchronet take care of it all, my callers are starting to slowly come back. I'll be glad to help you on this, and you have my email, so shoot me a message if you need more info.
drop your temp block down to ten minutes or whatever it was, after
they have many login attempts they go into the IP.can.
I dropped it to 5...yes, I'm being stingy, but I don't want or need
those idiots.
* you cannot stop them unless you alter your setup and start using a perimeter firewall instead of whatever thing the ISP has given you... a perimeter firewall with an IDS/IPS is the way to go... just ask any of the big guys hosting and carrying all the internet traffic these days...
you cannot stop them*... this is why the reigning recommendation is to get (the
eff off of) port 23 for telnet... don't use 2323, either, because they are there as well... post a note to your users and let it run for several weeks so that they all know when your switchover date is and then do it on that
Daryl Stout wrote to KK4QBN <=-
However, I carry no electrical charge, and can be handled safely. <G>
mark lewis wrote to Daryl Stout <=-
firewall machine connected to a bridged ISP modem gives you unlimited portforwarding capabilities as well as so much more in the way of protections... i would try to write more but i'm being hampered by family demanding my attention but i did want to get this part out about having a dedicated perimeter firewall machine to protect your internal network(s)...
Mro wrote to mark lewis <=-
not a fan of running on non standard ports. just makes it harder
for the users.
poindexter FORTRAN wrote to mark lewis <=-
I miss the days when I had a cheaptastic P90 box running firewall software. Lots of potential on a single core system with something like
64 mb of RAM. :)
clarification: it only takes one more machine dedicated to the firewall task... some do it in a VM but that isn't the best way... a dedicated firewall machine connected to a bridged ISP modem gives you unlimited portforwarding capabilities as well as so much more in the way of protections... i would try to write more but i'm being hampered by family demanding my attention but i did want to get this part out about having a dedicated perimeter firewall machine to protect your internal network(s)...
I was using PeerBlock, and that helped stop a bunch of them. But, is
there a "list of bad countries", per se?? If so, I can put them into PeerBlock, and that'll stop them from accessing at all.
Re: Wildcards In IP.CAN file
By: Daryl Stout to MARK LEWIS on Wed Sep 06 2017 09:51 pm
ipdeny.com has country blocks.
someone quote me so daryl can see. he probably blocked me because
i'm going to hell and the devil and the demons are laughing at me.