Hi there,
I actually have a /32 IP.
I plan to connect a few new machines to the network. So, I would need 3
or 4 new addresses.
I went to the web page, then the network tab, and clicked on the 44.0.0.0 / 8
<https://portal.ampr.org/networks.php?a=request&id=1> Global link.
The smallest block that I can request through this link is a /24, but I
don't need a /24, only a /29.
How can I send my request directly from the web site?
thank you
--
73,
Pierre-Philippe
F4MZI
> Subject: Re: [44net] block allocation
> From: "Bill Buhler - AF7SJ" <af7sj(a)buhlerfamily.org>
> Date: 06/15/2016 06:47 PM
> To: "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu>
>
> Sorry if I'm unclear, so what I'm envisioning is setting up tunnels to the
> other participants of the 44 net who aren't directly internet routed and
> using RIP advertisement for them. Then traffic between me and them can
> bypass the main AMPR 44 net router, reducing latency and reducing bandwidth
> requirements at the root node.
>
> In other words, if anyone on my subnets access the internet it would route
> through our BGP connected uplink. If they were communicating with another
> subnet on the AMPRNet it would tunnel directly to them.
>
> What do you think?
>
> Bill Buhler
> AF7SJ
>
Indeed that is how we route here as well.
Please don't remove that from the Portal!
Rob
Pedro,
I use the following iptables rules on my router (this will work for any
console-based connection using TCP):
# DROPS MULTIPLE SSH CONNECTIONS FROM SAME IP
iptables -t filter -I FORWARD -p tcp --syn --dport 22 -i tunl0 -m connlimit --connlimit-above 5 -j DROP
# DROPS MULTIPLE SSH ATTEMPTS FROM SAME IP WITHIN FIVE MINUTES
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --update --seconds 300 --hitcount 5 -j DROP
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --set
The first rule drops any connections greater than five. The last two
rules mark and drop more than five attempts from the same IP, for a
period of five minutes. You may wish to increase the time frame. I've
also added rules to block IPs that attempt to connect (or portscan) on
certain TCP and UDP ports (3389/tcp, 123/udp and 161/udp are common, for
example) for which I do not post services as available to the AMPR
Community or the Public Internet connection.
In essence, even if an unauthorized person discovered the port
without being firewalled by the portscan rule, they only get 5 chances,
with up to 5 concurrent connections at any given 5 minute interval (the
amount of attempts vary by implementation of server and client; but once
portscanned or disconnected from a given series of attempts, it counts
as one connection). Each reattempt after 5 restarts the 5 minute clock.
I also block Bogon IP addresses from entering tunl0:
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
I should note that in addition to this, console-based connections that I
use for administration only are moved to non-standard ports. So I added
another layer of protection with Security Through Obscurity (hence a
portscan rule).
73,
Lynwood
KB3VWG
Pedro:
I use Fail2Ban as well, and created my own Jail to help with this.
First, you will need to create a jail. In the Fail2Ban directory "filter.d",
create a new text file called "jnos.conf".
In the file called "jnos.conf" place the following text.
_____________________________________
# Fail2Ban configuration file
#
# Author: Wm Lewis - KG6BAJ
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#
#
#
#
failregex = ^.* <HOST>:.*bad login.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
#
ignoreregex =
___________________________________
Next, after creating this file, in the main Fail2Ban directory, add the
following to your "jail.local" file.
______________________________
#
# Custom Made Bans
#
[jnos]
enabled = true
port = anyport
filter = jnos
logpath = /jnos/logs/nos.log
banaction = shorewall
action = %(action_mwl)s
maxretry = 2
______________________________
***
Note #1 : Your BANACTION may be different, depending on what your box is
using as a default ban method. Look at some of the other jail entries
(like [postfix]). You may need to change the BANACTION to match the others.
If your other jails are working with Fail2Ban's default settings, you could
comment out the "banaction = shorewall" with a hash so it reads "#banaction
= shorewall". Obviously I use shorewall for my firewall. Your system may be
using something else.
Note #2 : Your path to your jnos log file may have to be tweaked to
something like "/jnos/logs/filename.extension"
I am using a version of jnos where I can specify that jnos logs are called
"nos.log" and rotated every 24 hours. Your jnos may be custom built to call
the logs something else.
After you've installed the "jnos.conf" jail file, and added the jnos jail
settings, then restart Fail2Ban. Assuming you've made any appropriate
directory tweaks needed to what I supplied, and assuming you've also
adjusted your "jail.local" file's email address to be your own, you should
start getting emails telling you when Fail2Ban bans an IP address from the
jnos logs for a bad login attempt.
Note, I put MAXRETRY = 2. This tells the jail to allow 2 bad login tries,
and then ban on the third bad attempt.
Hope this helps. I currently show over 1300 banned IP addresses from jnos
using this method.
73
Bill Lewis / KG6BAJ
At 11:39 AM 6/12/2016, you wrote:
>(Please trim inclusions from previous messages)
>_______________________________________________
>Hello,
>
>Since last months my JNOS MBOX is being attacked:
>
>15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
>15:25:07 113.162.86.77:35247 - MBOX (support) bad login
>15:25:09 190.140.17.22:53348 - MBOX (root) bad login
>15:25:14 92.27.102.224:38887 - MBOX (support) bad login
>15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
>15:25:35 190.140.17.22:54146 - MBOX (root) bad login
>15:25:50 92.27.102.224:40191 - MBOX (support) bad login
>15:26:33 182.184.71.162:41259 - MBOX (root) bad login
>15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
>15:26:50 89.22.213.165:33979 - MBOX (root) bad login
>15:27:52 89.22.213.165:34979 - MBOX (root) bad login
>
>None of the users tried have granted permit.
>
>Installed fail2ban but not avail.
>Attacking IPs change continuously, routing to loopback no help
>Due heavy load jnos eventually hangs.
>
>Is there any way/suggestion to stop this?
>
>Appreciate any help.
>73, lu7abf, Pedro Converso
>44.153.0.1 or conversoft.com.ar
>pconver(a)gmail.com
>_________________________________________
>44Net mailing list
>44Net(a)hamradio.ucsd.edu
>http://hamradio.ucsd.edu/mailman/listinfo/44net
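The filter and jail above, emulated as an added Python example (this is not Bill's jail and not fail2ban's own code): it runs the jnos failregex, with the <HOST> alias expanded exactly as quoted in the filter's comment block, over the bad-login lines from Pedro's post and reports which hosts the jail would ban for a given maxretry and findtime. Assumptions of this emulation: the ban fires on the failure that brings a host's count within findtime up to maxretry; the jnos timestamps carry no date, so they are treated as times within one day (a real jail uses the filter's datepattern); and the last sample line ("login ok") is constructed here to show a record the filter ignores.

```python
import re
from datetime import datetime, timedelta

# fail2ban's <HOST> alias, as quoted in the comment block of the jnos.conf filter
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The jnos failregex with <HOST> expanded
FAILREGEX = re.compile(r"^.* " + HOST_ALIAS + r":.*bad login.*$")

# Sample input: the bad-login lines from Pedro's post, plus one constructed
# successful-login line (the last one) that the filter must not match.
SAMPLE_LOG = """\
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
15:28:00 44.153.0.2:1024 - MBOX (lu7abf) login ok
"""


def match_failure(line):
    """Apply the jail's failregex to one log line.

    Returns (timestamp, host) for a bad-login record, or None when the line
    does not match (fail2ban simply skips such lines).
    """
    m = FAILREGEX.match(line)
    if m is None:
        return None
    # jnos logs only HH:MM:SS here; treating that as a time within one day
    # is an assumption of this emulation, not fail2ban's date handling.
    ts = datetime.strptime(line.split(" ", 1)[0], "%H:%M:%S")
    return ts, m.group("host")


def ban_list(log_text, maxretry=2, findtime=600):
    """Emulate the jail's counting.

    A host is banned on the failure that brings its count of failures within
    the last `findtime` seconds up to `maxretry`.  Returns banned hosts in
    ban order.  Further failures from a banned host are ignored, as the real
    jail would already have blocked them at the firewall.
    """
    window = timedelta(seconds=findtime)
    recent = {}   # host -> failure timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in ban_list(SAMPLE_LOG, maxretry=2):
        print("ban", host)
```

With maxretry=2 and the default findtime of 600 seconds this bans 190.140.17.22, 92.27.102.224, 182.184.71.162 and 89.22.213.165, the four hosts that appear twice in Pedro's excerpt; with findtime=20 only 182.184.71.162 qualifies, since its two attempts are 16 seconds apart. Before enabling the jail it is worth feeding a day of nos.log through match_failure and confirming that the host group always captures the address and never a port or a callsign.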
Hello,
Since last months my JNOS MBOX is being attacked:
15:24:59 94.53.236.39:55248 - MBOX (supervisor) bad login
15:25:07 113.162.86.77:35247 - MBOX (support) bad login
15:25:09 190.140.17.22:53348 - MBOX (root) bad login
15:25:14 92.27.102.224:38887 - MBOX (support) bad login
15:25:14 114.109.125.48:42069 - MBOX (administrator) bad login
15:25:35 190.140.17.22:54146 - MBOX (root) bad login
15:25:50 92.27.102.224:40191 - MBOX (support) bad login
15:26:33 182.184.71.162:41259 - MBOX (root) bad login
15:26:49 182.184.71.162:41259 - MBOX (sh) bad login
15:26:50 89.22.213.165:33979 - MBOX (root) bad login
15:27:52 89.22.213.165:34979 - MBOX (root) bad login
None of the users tried have granted permit.
Installed fail2ban but not avail.
Attacking IPs change continuously, routing to loopback no help
Due heavy load jnos eventually hangs.
Is there any way/suggestion to stop this?
Appreciate any help.
73, lu7abf, Pedro Converso
44.153.0.1 or conversoft.com.ar
pconver(a)gmail.com
I'm in the process of uploading an image of jessie for the RPI 3 to
https://sourceforge.net/projects/uronode/files/?source=navbar
If you wish to give it a go, that's where it'll be in approximately an
hour from this post. It's made from the kit sold near the TAPR booth at
this year's Hamvention at Dayton. You'll need to edit files
in /etc/ax25, /etc/postfix, and the file /usr/local/bin/ax25
other than that it should be ready to go. I did notice the main
repositories that came with it failed but an apt-get update fixed those
issues.
It was made using the uronode-pi.tgz script available in the tools
section of the same sf.net site.
--
<rhetorical> Why is it linux users can install and operate *any* version of M$
Windoze but the same can't be said in reverse?</rhetorical>
73 de Brian - N1URO
email: (see above)
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
http://uronode.sourceforge.nethttp://axmail.sourceforge.net
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
Greetings;
Is it me or does the Jessie version of the Banana Pi OS fail to include
kernel modules for the ax25 stack? And if so, would a custom compile of
the kernel work?
Curious as if anyone else has gone through this one before. I know it's
fine with the Raspberry Pi but I'm not that familiar with a Banana Pi.
73 de Brian - N1URO
Repeat (sorry about the formatting in my previous reposting)
-------- Forwarded Message --------
Subject: [Uronode] FCC serves Comcast
Date: Tue, 07 Jun 2016 13:19:12 -0400
From: Brian <n1uro(a)n1uro.ampr.org>
Reply-To: n1uro(a)n1uro.ampr.org
Organization: Amateur Radio Services
To: uronode(a)tapr.org, eastnet(a)n1uro.ampr.org
With regards to my dealings with Comcast and the faulty firmware
installed in their CPE devices, the FCC has informed me that they've
officially served Comcast with a direct order to resolve this problem or
respond to the complaint within 30 days of receipt of the complaint.
Since Comcast has admitted to me about their firmware bugs it'll be
interesting to see how this is accomplished and if it's within their 30
day window. A copy of their communication is included below.
"
Your Ticket No. 950514 was served on Comcast Cable Communications on Jun
7 for its review and response.
Comcast Cable Communications will likely contact you in an effort to
resolve your issue.
A response is due to the FCC no later than 30 days from today. Comcast
Cable Communications will respond to you directly by postal mail.
You can view a list of frequently asked questions at:
https://consumercomplaints.fcc.gov/hc/en-us/articles/205082880.
We appreciate your submission and help in furthering the FCC’s mission
on behalf of consumers.
This email is a service from FCC Complaints. Delivered by Zendesk
[NKGKWV-K6P1] "
This is somewhat positive news for us on the amprnet.
73 de Brian - N1URO
> On Tue, 2016-06-07 at 13:25 -0400, James Sharp wrote:
> > I haven't run in to 443 "filtering", but I have run into instances where
> > the ISP will drop TCP connections that are active for more than a few
> > minutes, forcing openvpn to restart the connection.
> Chances are your issue is the same as mine was. The CPE (router) has a
> built in watchdog timer that cuts all sockets after a few minutes. Using
> port 443 wouldn't make any difference. To the average web user this
> isn't an issue because each time a page is opened/refreshed a new socket
> is created, thus a new timer engages. The same may be said for services
> such as pop3/smtp/etc. where you're engaging a new socket each time you
> pop or send email. As long as the attachments aren't that big where you
> may exceed the watchdog's timer you'll never notice this.
So you can never download a file that takes more than a few minutes to complete?
Terrible! Now I understand why some companies try to enforce a "download manager"
to download a file of a measly 30 MB. So I can continue where I left off, yeah sure.
Well it is clear that everyone should devise their own solution for tunneling
and we should not change the global system to cater for limits that certain
users encounter. There will always be a more severe limitation found by someone.
It is better to solve these issues locally, where you have fellow users (victims)
that can understand what is and what isn't possible.
Colocated (virtual) servers with small storage capacity are very cheap today.
Usually they are the entry level of server location, the hoster advertises
their $3.99/mo server and knows that "everyone" will upgrade to more storage
and pay a lot extra. But for a gateway these are perfectly usable, you can
perfectly run it with 512MB RAM and 8GB disk. Put it in the IPIP mesh with
the usual tunl0 and ampr-ripd, and then everyone in the area can make their
VPN connection to there. Without NAT problems, and working round nasty ISPs.
(you can make a VPN over almost anything if you wish)
Rob