44net

44net@mailman.ampr.org

3194 discussions

Re: [44net] 44Net Digest, Vol 3, Issue 31
by Rob Janssen 10 Feb '14

10 Feb '14

44net-request(a)hamradio.ucsd.edu wrote: > Subject: > [44net] incoming traffic. > From: > John Ronan <jpronans(a)gmail.com> > Date: > 02/09/2014 05:10 PM > > To: > AMPRNet working group <44net(a)hamradio.ucsd.edu> > > > Hi All, > > I've seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu. from 5.135.135.42 to 44.155.6.1 port 80 over my tunnel. Anyone else seeing the same? > > > I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down. > > Regards > John > EI7IG It is not specifically from that address. It appears to be a distributed attack on http servers, at least to network 44. I see the same incoming stream of connects to several hosts in my subnet, all from a different source IP. Sometimes after several hours it stops and starts from another IP. I have crafted iptables rules that block it effectively: iptables -A firewall -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A firewall -p tcp --syn -m recent --name tcp --set iptables -A firewall -p tcp --syn -m recent --name tcp --update --seconds 30 --hitcount 15 -j DROP iptables -A firewall -p tcp --dport 80 --syn -j ACCEPT iptables -A firewall -p tcp --dport 443 --syn -j ACCEPT iptables -A firewall -p tcp -j DROP It just drops any source IP that sends more than 15 connects in 30 seconds. Adjust for the port numbers that you want to accept (80 and 443 in this example) There is also an internet-wide scan from source address 64.78.174.63 with traffic like this: 21:04:33.762663 64.78.174.63 -> 44.137.40.2 TCP 52 [TCP Port numbers reused] http > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 I see it on another server outside net-44 as well. It is blocked by the same rule but I have just firewalled the entire 64.78.160.0/20 net as this does not look like someone I want to deal with. Rob

2 1

Reg Exp
by William Lewis 09 Feb '14

09 Feb '14

BTW.... Anybody in the group good at formulating REGEX expressions ? If so, contact me off-list. kg6baj(a)n1oes.org Thanks Bill

1 0

Mail Hacker
by William Lewis 09 Feb '14

09 Feb '14

Thanks to all that replied. Got the iptables to forward the connects to my linux side where the commercial postfix server is running. Postfix doing what it's supposed to and killing it all if it's not a user on my box. Again, thank you to all who gave suggestions. Bill KG6BAJ

1 0

incoming traffic.
by John Ronan 09 Feb '14

09 Feb '14

Hi All, I've seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu. from 5.135.135.42 to 44.155.6.1 port 80 over my tunnel. Anyone else seeing the same? I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down. Regards John EI7IG

6 7

Re: [44net] Mail hacker
by kb9mwr＠gmail.com 09 Feb '14

09 Feb '14

Part of the beauty of our own IP address space is security provided by knowing your neighbors. I'd never run an open SIP or mail server on the wide internet anymore. Spam filtering is a big headache. Again, I'd firewall everyone but us for the mail port: iptables -A INPUT -s ! 44.0.0.0/8 -p tcp --dport 25 -j DROP If you have a google apps account (free for non profits) you can use them as a mail exchanger. Set your DNS records, to something like this: gvcity.ampr.org MX 10 gvcity gvcity.ampr.org MX 20 aspmx.l.google.com Outside (non 44 net) IP will timeout with a direct connect to 44.2.14.1 and will move try the next exchanger preference, in this case google. Google will accept the mail on your behalf, and they have good spam filtering (better than I could ever figure out how to incorporate with sendmail) and then I typically use fetchmail to transfer the mail from google back into my local mailboxes. If someone else wants to document a mailserver setup with spam protection, I'm all eyeballs on that one. I'm sure a number of people would appreciate that tutorial.

1 0

Re: [44net] Mail Hacker
by kb9mwr＠gmail.com 09 Feb '14

09 Feb '14

Here is what I'd do. Only allow 44 net to talk to the mail host directly: iptables -A INPUT -s ! 44.0.0.0/8 -p tcp --dport 25 -j DROP Set a MX record and set up an exchanger for any external mail you need to deal with.

1 0

Re: [44net] Mail Hacker
by Michael E Fox - N6MEF 09 Feb '14

09 Feb '14

What we do is run all inbound and outbound email to/from the Internet through a mail gateway. Then the gateway can implement all of the modern spam avoidance functions, including even which specific user addresses will be relayed. Michael N6MEF Sent from my Verizon Wireless 4G LTE smartphone -------- Original message -------- From: William Lewis <kg6baj(a)n1oes.org> Date:02/09/2014 11:54 AM (GMT-08:00) To: AMPRNet working group <44net(a)hamradio.ucsd.edu> Subject: [44net] Mail Hacker (Please trim inclusions from previous messages) _______________________________________________ Hello group: Need some collective help here on a mail system hacker issue I've been having. First, the IP address on my system he's coming in on is 44.2.14.1 This person is dumping thousands of random emails into my system and some of them will match BBS AREA patterns and get forwarded out to my forward partners. At first, I set up a log book scan script to look for bad logins, and then ban the IP address, but then I found out that since my 44.2.14.1 ip address goes "around" my firewall via UCSD, the block rules literally have zero effect. I found a common "from" (online...@....) line in his emails, so in my "rewrite" file I used this command "onl*@* | *@* refuse" but that also had zero effect. Then I tried telling JNOS "stop smtp" and "stop pop3" and that had zero effect. JNOS's email system uses very old RFC rules, and none of the modern RFC rules, so it's easy for this hacker to login to my JNOS mail server and dump this junk. Luckily most get held, but as stated, a few match forward patterns, so they slip through. Right now I've completely taken my JNOS off-line until a fix can be found. Anyone have some suggestions on blocking smtp and pop3 when my 44.2.14.1 address is live to global net ? Any advise is appreciated in advance. Thanks Bill KG6BAJ

1 0

Re: [44net] Portal Down ?
by William Lewis 08 Feb '14

08 Feb '14

Chris: I'm wondering if the index page issue only effects "Coordinators" ?? I've seen some postings here that some are logging in and all is ok. But the index page is suppose to show the extra "coordinator" link that non-coordinators don't see when they login. Here is the total source code my browsers get "after" logging in. ========================================================================= <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="text/html; charset=utf-8" http-equiv=Content-Type></HEAD> <BODY></BODY></HTML> ========================================================================= That's it. That's all that comes through. Hope that helps. Bill At 02:56 AM 2/8/2014, you wrote: >(Please trim inclusions from previous messages) >_______________________________________________ >Hit your refresh button, probably cached from a previous visit ;-)

6 14

Portal Down ?
by Neil Johnson 08 Feb '14

08 Feb '14

After I login I just get a blank screen. -Neil -- Neil Johnson http://erudicon.com

12 14

annual reminders
by Brian Kantor 08 Feb '14

08 Feb '14

The first batch of annual portal email reminders just went out; there were 60 folks who haven't logged in to the portal in over a year. These reminders are currently scheduled to go out monthly. Starting this July, I think we'll consider someone inactive after 18 months of no login. (That's six reminders, so they can't say they weren't warned.) Be sure to keep the portal up to date if you change your email or other contact data to avoid having problems. Please remember that current registration with the portal is necessary to maintain allocations, gateway registration in the encap database, and other functions of the portal. It's especially important for coordinators to keep it up to date. Thanks! - Brian

4 4

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net