I know a couple of groups now have proper reverse delegation of DNS for their subnets… Wondering who to drop a line to so I can get 44.103.0.0/19 delegated to a.ns.mi6wan.net and b.ns.mi6wan.net ?
Didn’t see it in the portal or wiki and my notes from a few months ago are foggy...
--
Fredric Moses - W8FSM - WQOG498
fred(a)moses.bz
All,
I've added a new tool that I'd like you to test. This web application
should provide the registration code required by APRS software suites.
In order to use it, you must browse to:
http://kb3vwg-010.ampr.org/tools/aprscode
or
http://44.60.44.10/tools/aprscode
If you're on AMPRNet, you should be able to enter the callsign and look
up the registration code. If you access it from outside of AMPRNet, you
will be prompted for an access code (1234).
Please let me know how it works.
73,
KB3VWG
Hello Rob/PE1CHL et al.
Rob, thank you very much for "pushing me" in the right direction!
Today I made interesting and promising tests with OpenVPN.
My question and goal was:
"Whether and how one can allocate any-in-size subnet to particular VPN
client?"
Of course, from the address space being at disposal.
Hardware setup:
- AMPRNet gateway server, Debian-7.5 (LAN + WAN)
utilizing 44.165.2.0/28 address space
- OpenVPN server running on above mentioned gateway
utilizing 44.165.15.0/24 address space
- Desktop PC - Debian-7.5 (on LAN, behind router)
- VirtualBox machines: Debian-7.5 Fedora-20 OpenBSD-5.5
(running on Desktop PC)
- Sony Xperia Z1 running OpenVPN client
OpenVPN addresses allocation:
- OpenVPN server - 44.165.15.0/24
- Desktop PC - 44.165.15.16/28
- VirtualBox Debian-7.5 - 44.165.15.32/29
- VirtualBox Fedora-20 - 44.165.15.40
- VirtualBox OpenBSD-5.5 - 44.165.15.253
- Sony Xperia Z1 - 44.165.15.2
Commands giving such nice possibility (example for Desktop PC):
- in the OpenVPN server config file
    topology subnet
    route 44.165.15.16 255.255.255.240 44.165.15.30
- in the OpenVPN client config file (on server!!!)
    ifconfig-push 44.165.15.17 255.255.255.0
    iroute 44.165.15.16 255.255.255.240
Already allocated subnets may appear and will be
reachable EXCLUSIVELY on previously assigned machines.
All other addresses may emerge anywhere.
Finally very brief answer is:
YES, it is possible to assign subnet to a particular VPN client!
For more detailed descriptions please refer to OpenVPN manual.
Best regards.
Tom - sp2lob
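The exclusivity described in the message above only holds if the per-client blocks sit inside the VPN range and never overlap. The following is an added example, not part of the original post: it checks the listed allocations and builds the per-client lines in the form the message shows. The client labels, the function names, the choice of the first address after the network address for `ifconfig-push`, and the omission of `iroute` for single-address clients are assumptions.

```python
import ipaddress

# Address blocks copied from the message; the client labels are hypothetical.
SERVER_NET = ipaddress.ip_network("44.165.15.0/24")
ALLOCATIONS = {
    "desktop-pc": "44.165.15.16/28",
    "vbox-debian": "44.165.15.32/29",
    "vbox-fedora": "44.165.15.40/32",
    "vbox-openbsd": "44.165.15.253/32",
    "xperia-z1": "44.165.15.2/32",
}

def check_allocations(server_net, allocations):
    """Return a list of problems: malformed, out-of-range or overlapping blocks."""
    problems, seen = [], {}
    for name, cidr in allocations.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict mode rejects host bits
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(server_net):
            problems.append(f"{name}: {net} is outside {server_net}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen[name] = net
    return problems

def ccd_lines(server_net, cidr):
    """Per-client lines for the server-side client config file.

    Assumption: the client itself takes the first address after the network
    address (as 44.165.15.17 does for 44.165.15.16/28 in the message), and a
    single-address client needs no iroute line.
    """
    net = ipaddress.ip_network(cidr)
    single = net.num_addresses == 1
    addr = net.network_address if single else net.network_address + 1
    lines = [f"ifconfig-push {addr} {server_net.netmask}"]
    if not single:
        lines.append(f"iroute {net.network_address} {net.netmask}")
    return lines

if __name__ == "__main__":
    for problem in check_allocations(SERVER_NET, ALLOCATIONS):
        print("PROBLEM:", problem)
    for name, cidr in ALLOCATIONS.items():
        print(f"# {name}")
        print("\n".join(ccd_lines(SERVER_NET, cidr)))
```

Running the check before adding a new client catches a block that would collide with one already routed to another machine.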
Hello Brian(N1URO) et al.
My list of "abusing" subnets and single IP's
contains 56 lines and still grows almost every day.
All of them blocked continuously by iptables.
For securing all amprnet interfaces I have one PERFECT cure:
-A INPUT ! -s 44.0.0.0/8 -i tunl0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun1 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i tun2 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl0 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl1 -j DROP
-A INPUT ! -s 44.0.0.0/8 -i sl2 -j DROP
Really deadly weapon, Hi!
Nothing, literally nothing, what isn't originated
from 44 network is explicitly DROPped.
JNOS-2.0j4, TNOS-2.40, OpenVPN(44net), TNOS-3.01a1
and two (X)net's are as safe as never before.
Sending email to the "abuse" mailbox is a nice and polite
way but does not change the situation right away.
Just my personal point of view...
One day somebody said: if I run taxi business, say in Texas,
I do not want customer from LaLaLand poking around!
Best regards.
Tom - sp2lob
Sent from Sony Xperia Z1
http://www.aqua-mail.com
Tom,
I am also using Fail2BAN.
I created my own jail for JNOS and it works great.
That is also why I needed to change the JNOS log file name to something
static. That way I could avoid having to reload/restart Fail2Ban every
morning at midnight to look for a new log.
If you need the Jail regex I created for JNOS (assuming you're using JNOS),
contact me off-list (kg6baj(a)n1oes.org) and I can email it to you.
Bill
KG6BAJ
At 09:13 AM 09/29/14, you wrote:
>I do this with a program called fail2ban. You configure it to watch
>log files for authentication failures or other suspicious activity. It
>then blocks the suspicious source IP in iptables for the configured
>period of time. When the time expires, the IP is unbanned, so false
>positives or new users of an IP address aren't adversely affected.
>
>I get many bans per day and don't put much energy into monitoring or
>reporting them.
>
>Tom KD7LXL
Greetings to everybody.
I want to direct your attention to two networks
that lately I'm seeing in my Apache2 log files:
5.141.0.0/16
213.33.130.0/24
Log entries are at least suspicious.
I keep sharp lookout.
Best regards.
Tom - sp2lob
Greetings;
Is anyone running a global buckmaster or similar server on 44/8 that I
can query from xNOS? It would be greatly appreciated. Thanks much.
--
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
To whom it may concern.
Quote:
Niall Parker
2013/12/14 at 06:28
I suspect the intent (of Heikki et al)
was to keep that password from being published…
I suspect it would have helped me though if I hadn’t
been paranoid to read all the docs anyway.
Unquote
Just wonder, whether this security measure is still
in force and should be obeyed without any exemptions?
Best regards.
Tom - sp2lob