• Banned IP's

    From Daryl Stout@VERT/TBOLT to MARK LEWIS on Thursday, September 14, 2017 17:50:00
    Mark,

    I also saw a bizarre hostname slam the system...

    I.DareYou.ToHit.This

    where did you see this? do you still have the log section for it??

    In the terminal server window...repeatedly trying to logon via telnet.
    It would connect, disconnect, then reconnect, etc. The IP address was 185.55.218.52 -- it's in the block list.

    This morning, the BBS was getting repeatedly slammed by 182.100.67.76
    via SSH. It tried to get in for over an hour before it quit. Yet,
    because it was in the ip.can file, it was blocked from connecting to the
    BBS.

    this one is chinese from some broadband connection...

    I figured how to add the host names to block some countries...such as:

    Italy *.it
    Mexico *.mx
    Russia *.ru
    France *.fr

    Four others -- *.tr, *.br, *.hinet.net, and telefonia.Intercable.Net
    are blocked, but I'm not sure where they came from.

    The countries I had listed in Peerblock included Belgium, Bolivia,
    Brazil, China, Colombia, Croatia, Czech Republic, Ecuador, Egypt, Fuji (wondered if that should've been Fiji), Germany, Hong Kong, Honduras,
    Hungary, India, Italy, Japan, Kazakhstan, Malaysia, Mexico, Nepal,
    Paraguay, Philippines, Poland, Romania, Russia, Serbia, Singapore,
    Spain, Sweden, Thailand, Turkey, Ukraine, United Kingdom, and Zimbabwe.

    I do have a legitimate user from the UK, and another from Germany.

    Daryl

    ---
    þ OLX 1.53 þ Meteor shower tonight, bring your own soap!
    þ Synchronet þ The Thunderbolt BBS - wx1der.dyndns.org
  • From mark lewis@VERT to Daryl Stout on Friday, September 15, 2017 07:22:26
    On 2017 Sep 14 17:50:00, you wrote to me:

    I also saw a bizarre hostname slam the system...

    I.DareYou.ToHit.This

    where did you see this? do you still have the log section for it??

    In the terminal server window...repeatedly trying to logon via telnet. It would connect, disconnect, then reconnect, etc. The IP address was 185.55.218.52 -- it's in the block list.

    thanks... confirmed... just wait until you see one that says "localhost" when you know what "localhost" signifies... in this case that's someone with control
    over their DNS... they can make it say anything they want... never ever ever ever trust any domain name you see in your logs... always record IP addresses... in fact, if it can be done, whatever programs you have that are doing reverse lookups to find domain names from IPs, disable that lookup and you'll save yourself a lot of unnecessary DNS traffic...

    This morning, the BBS was getting repeatedly slammed by 182.100.67.76
    via SSH. It tried to get in for over an hour before it quit. Yet,
    because it was in the ip.can file, it was blocked from connecting to
    the BBS.

    yes and no... it was connecting to ""the BBS"" but the BBS was dropping the connection...

    this one is chinese from some broadband connection...

    I figured how to add the host names to block some countries...such as:

    Italy *.it
    Mexico *.mx
    Russia *.ru
    France *.fr

    Four others -- *.tr, *.br, *.hinet.net, and telefonia.Intercable.Net
    are blocked, but I'm not sure where they came from.

    that requires a domain lookup... all i gotta do is change my domain and your block will be ineffective... if reverse DNS lookups are disabled as i suggested
    above, these won't work any more... i don't know that sbbs has an option to disable DNS lookups on inbound connections but it really should...

    The countries I had listed in Peerblock included Belgium, Bolivia,
    Brazil, China, Colombia, Croatia, Czech Republic, Ecuador, Egypt, Fuji (wondered if that should've been Fiji), Germany, Hong Kong, Honduras, Hungary, India, Italy, Japan, Kazakhstan, Malaysia, Mexico, Nepal, Paraguay, Philippines, Poland, Romania, Russia, Serbia, Singapore,
    Spain, Sweden, Thailand, Turkey, Ukraine, United Kingdom, and
    Zimbabwe.

    i spent several years working to maintain an IP block list... it totally consumed all of my time and i wasn't getting anything else done at all... that's when i decided to go the other way and block only those exhibiting unwanted activities... other than the additional month or so it took to tune my
    IDS and autoresponder to my network, i immediately gained so much time back that it was uncountable... this is why i push the perimeter firewall with IDS thing so much... besides, i couldn't see blocking a whole country when it was only one bad apple causing the problems... i went from blocking hundreds of thousands of IPs to having an automated system managing only one to two thousand on average... the highest peak i recall was over 6000 but my system also runs much faster now since it doesn't have to waste time looking through all those IPs to see if a connecting one is blocked and it also doesn't waste time performing useless reverse domain lookups...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Anarchy is better than no government at all.
    ---
    * Origin: (1:3634/12.73)
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
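    The approach mark describes above (ignore the reverse-DNS name, key everything on the IP, and ban only sources that actually misbehave, the way an IDS/autoresponder or fail2ban does) as an added example; this is not code from the thread or from Synchronet. The log lines are constructed in a generic "date time service ip hostname event" shape, not Synchronet's real log format, and the threshold and window are assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (generic shape, not Synchronet's format):
#   date time service ip hostname event
# The hostname column is whatever the remote side's reverse DNS returns,
# so it is reported but never used for a decision (it can say "localhost").
SAMPLE_LOG = """\
2017-09-14 17:40:01 telnet 185.55.218.52 I.DareYou.ToHit.This connect
2017-09-14 17:40:02 telnet 185.55.218.52 I.DareYou.ToHit.This disconnect
2017-09-14 17:40:03 telnet 185.55.218.52 I.DareYou.ToHit.This connect
2017-09-14 17:40:04 telnet 185.55.218.52 I.DareYou.ToHit.This disconnect
2017-09-14 17:40:05 telnet 185.55.218.52 I.DareYou.ToHit.This connect
2017-09-14 17:40:06 telnet 185.55.218.52 I.DareYou.ToHit.This disconnect
2017-09-14 17:40:07 telnet 185.55.218.52 I.DareYou.ToHit.This connect
2017-09-14 17:40:08 telnet 185.55.218.52 I.DareYou.ToHit.This disconnect
2017-09-14 17:40:09 telnet 185.55.218.52 I.DareYou.ToHit.This connect
2017-09-14 17:41:00 ssh 203.0.113.9 localhost connect
2017-09-14 17:41:30 ssh 203.0.113.9 localhost connect
2017-09-14 17:42:00 ssh 203.0.113.9 localhost connect
2017-09-14 17:42:30 ssh 203.0.113.9 localhost connect
2017-09-14 17:43:00 ssh 203.0.113.9 localhost connect
2017-09-14 17:45:00 telnet 198.51.100.7 host.example.net connect
2017-09-14 17:50:00 telnet 198.51.100.7 host.example.net connect
2017-09-14 18:30:00 telnet 198.51.100.7 host.example.net connect
2017-09-14 19:10:00 telnet 198.51.100.7 host.example.net connect
2017-09-14 19:50:00 telnet 198.51.100.7 host.example.net connect
"""

THRESHOLD = 5                  # assumed: connects allowed per IP inside WINDOW
WINDOW = timedelta(minutes=10)  # assumed: sliding window length


def parse_line(line):
    """Split one constructed log line into (timestamp, service, ip, hostname, event)."""
    date, time, service, ip, hostname, event = line.split()
    return datetime.fromisoformat(f"{date}T{time}"), service, ip, hostname, event


def bans_from_log(text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: (ban_time, hostname_seen)} for sources that exceed the connect rate.

    The decision key is the IP address only. The hostname is carried along
    purely for the operator's report, because the remote side controls it.
    """
    recent = defaultdict(deque)   # ip -> timestamps of connects still inside the window
    banned = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _service, ip, hostname, event = parse_line(line)
        if event != "connect" or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = (ts, hostname)
    return banned


def report(banned):
    """One human-readable line per ban, flagging the untrusted rDNS name."""
    return [
        f"{ts:%Y-%m-%d %H:%M:%S} ban {ip} (rDNS claimed '{hostname}', not trusted)"
        for ip, (ts, hostname) in sorted(banned.items())
    ]


if __name__ == "__main__":
    for line in report(bans_from_log(SAMPLE_LOG)):
        print(line)
```

    Running it bans the connect/disconnect looper at its fifth connect and the source calling itself "localhost", while the legitimate user who logs on a few times over two hours never accumulates five connects inside one window. Nothing in the decision path reads the hostname, so a remote operator changing their reverse DNS (the bypass mark points out for `*.ru`-style blocks) gains nothing.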
  • From KK4QBN@VERT/KK4QBN to mark lewis on Friday, September 15, 2017 11:37:32
    Re: Banned IP's
    By: mark lewis to Daryl Stout on Fri Sep 15 2017 07:22:26

    that requires a domain lookup... all i gotta do is change my domain and your block will be ineffective... if reverse DNS lookups are disabled as i suggested above, these won't work any more... i don't know that sbbs has an option to disable DNS lookups on inbound connections but it really should...

    Oh yeah, you can for sure disable hostname lookups in sbbs.. when I did it sped things up a lot. and that's what made me do it: being constantly hammered by "localhost".. after a good ip.can file is built up I still have constant connections coming in, but they never keep my nodes tied up like they used to. now I may get up to 3 nodes tied up for no more than 60 seconds at a time on average.

    --

    Tim Smith (KK4QBN)
    KK4QBN BBS

    ---
    * Synchronet * KK4QBN - kk4qbn.synchro.net - 7064229538 - Chatsworth GA USA
  • From Ragnarok@VERT/DOCKSUD to Daryl Stout on Tuesday, September 19, 2017 11:53:51
    On 14/09/17 at 19:50, Daryl Stout wrote:

    I do have a legitimate user from the UK, and another from Germany.

    Daryl

    always have average of 15 banned ip's at my fail2ban

    Chain fail2ban-SBBS-main (1 references)
    target     prot opt source               destination
    REJECT     all  --  201.69.90.121        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  78.186.210.14        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  117.247.90.134       0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  37.130.109.12        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  189.110.122.99       0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  24.70.18.200         0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  112.164.94.30        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  37.109.137.13        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  78.188.65.156        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  87.9.146.185         0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  179.113.144.251      0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  188.119.8.116        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  177.238.235.175      0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  67.177.189.43        0.0.0.0/0            reject-with icmp-port-unreachable
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

    ---
    þ Synchronet þ Dock Sud BBS TLD 24 HS - http://www.docksud.com.ar - telnet://bbs.docksud.com.ar
  • From Daryl Stout@VERT/TBOLT to RAGNAROK on Wednesday, September 20, 2017 11:10:00
    always have average of 15 banned ip's at my fail2ban

    Cool...I will add these to my ip.can list...thank you so much.

    Daryl

    ---
    þ OLX 1.53 þ According to the Weather Channel, Hell just froze over.
    þ Synchronet þ The Thunderbolt BBS - wx1der.dyndns.org
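    Daryl's plan above is to copy the addresses from Ragnarok's fail2ban chain into his ip.can file. As an added example (not code from the thread, from fail2ban or from Synchronet), this script pulls the rejected source addresses out of an `iptables -L -n` style listing and appends them to an existing block list without duplicating entries that are already there. The iptables text reuses the first five addresses from Ragnarok's post; the ip.can contents are constructed, and the file format (one address or pattern per line, `;` starting a comment) is an assumption about Synchronet's .can files, not something the thread confirms.

```python
import ipaddress

# The first rules of Ragnarok's chain, in `iptables -L <chain> -n` layout.
# -n matters: it keeps the source column numeric instead of a reverse-DNS name.
IPTABLES_OUTPUT = """\
Chain fail2ban-SBBS-main (1 references)
target     prot opt source               destination
REJECT     all  --  201.69.90.121        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  78.186.210.14        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  117.247.90.134       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  37.130.109.12        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  189.110.122.99       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed ip.can contents. Assumed format: one address per line, ';' comments.
# 78.186.210.14 is deliberately already present to exercise the de-duplication.
EXISTING_IPCAN = """\
; ip.can - constructed sample block list (assumed format)
185.55.218.52
182.100.67.76
78.186.210.14
"""


def rejected_sources(iptables_text):
    """Return the single-host source addresses of REJECT/DROP rules, in listing order.

    Anything that is not a plain address (the 0.0.0.0/0 catch-all of the RETURN
    rule, header lines, a stray hostname) is skipped rather than copied blindly.
    """
    sources = []
    for line in iptables_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("REJECT", "DROP"):
            continue
        try:
            addr = ipaddress.ip_address(fields[3])   # ValueError on CIDR or junk
        except ValueError:
            continue
        sources.append(str(addr))
    return sources


def ipcan_entries(ipcan_text):
    """Set of non-comment, non-blank entries already in the block list."""
    return {
        line.strip()
        for line in ipcan_text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    }


def merge_into_ipcan(ipcan_text, new_ips, note="added from fail2ban chain"):
    """Append each new address once; return (updated_text, list_of_added)."""
    present = ipcan_entries(ipcan_text)
    out = ipcan_text.rstrip("\n").splitlines()
    added = []
    for ip in new_ips:
        if ip in present:
            continue                    # already blocked, do not grow the file
        present.add(ip)
        added.append(ip)
    if added:
        out.append(f"; {note}")
        out.extend(added)
    return "\n".join(out) + "\n", added


if __name__ == "__main__":
    text, added = merge_into_ipcan(EXISTING_IPCAN, rejected_sources(IPTABLES_OUTPUT))
    print(f"added {len(added)} entries")
    print(text, end="")
```

    The parser keys on the rule target and validates the source column with `ipaddress.ip_address`, so a listing taken without `-n` (where iptables would print reverse-looked-up names) simply yields nothing rather than smuggling attacker-chosen hostnames into the block list, which is the same point mark makes about hostname-based blocks.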