Who is 44.170.120.59? And why is (s)he portscanning for SSH servers? I think everyone should register their addresses in DNS and have reverse lookup working.
Rob
Agree, reverse DNS is very helpful!
On 2021-01-16 10:50, Rob PE1CHL via 44Net wrote:
Who is 44.170.120.59? And why is (s)he portscanning for SSH servers? I think everyone should register their addresses in DNS and have reverse lookup working.
Rob
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
On 16.01.2021 11:50, Rob PE1CHL via 44Net wrote:
Who is 44.170.120.59?
A direct-BGP connected Raspberry PI in Croatia:
db0fhn:~$ nc 44.170.120.59 22
SSH-2.0-OpenSSH_7.9p1 Raspbian-10
And why is (s)he portscanning for SSH servers?
It is hacked and is looking for other targets.
I already notified Igor, 9A6NVI, to take it offline.
73, Jann
-- Jann Traschewski, Faber-Castell-Str. 9, D-90522 Oberasbach, Germany Tel.: +49-911-99946898, Mobile: +49-170-1045937, E-Mail: jann@gmx.de Ham: DG8NGN / DB0VOX / DB0FOX / DB0ZM / DB0DBA / DB0HZS
On 1/16/21 12:35 PM, Jann Traschewski via 44Net wrote:
On 16.01.2021 11:50, Rob PE1CHL via 44Net wrote:
And why is (s)he portscanning for SSH servers?
It is hacked and is looking for other targets.
I already notified Igor, 9A6NVI, to take it offline.
I was starting to suspect that. But still I think that people should register their allocations in DNS (and have their own DNS servers only when they also make the reverse working), because I see no way to find the owner of that address right now. The traffic was not even incoming directly, it arrived via an IPIP tunnel (probably DB0FHN) and there is no tunnel route back to that address.
Rob
On 16 Jan 2021, at 11:51, Rob PE1CHL via 44Net 44net@mailman.ampr.org wrote:
On 1/16/21 12:35 PM, Jann Traschewski via 44Net wrote:
On 16.01.2021 11:50, Rob PE1CHL via 44Net wrote:
And why is (s)he portscanning for SSH servers?
It is hacked and is looking for other targets.
I already notified Igor, 9A6NVI, to take it offline.
I was starting to suspect that. But still I think that people should register their allocations in DNS (and have their own DNS servers only when they also make the reverse working), because I see no way to find the owner of that address right now.
Any issues of this sort should be emailed to abuse@ampr.org mailto:abuse@ampr.org and I will get right on it. I have full visibility of all subnet allocations and who is responsible for them.
I’ve had several compromised systems reported recently, more in last 6 weeks than in the last 6 months for some reason!
73, Chris - G1FEF
On 16.01.2021 12:51, Rob PE1CHL via 44Net wrote:
The traffic was not even incoming directly, it arrived via an IPIP tunnel (probably DB0FHN) and there is no tunnel route back to that address.
Croatia (44.170/16) is connected to the HAMNET by VPN tunnel.
Since the IPIP-Mesh routes are pushed to the HAMNET by DB0FHN and your end is on the IPIP-Mesh, the packets from Croatia are received by VPN tunnel and forwarded by IPIP-Mesh to your end.
Since only the eastern part of the Netherlands is connected to the HAMNET, your reply has been sent by direct-BGP to Croatia.
73, Jann
On 1/16/21 1:13 PM, Jann Traschewski via 44Net wrote:
On 16.01.2021 12:51, Rob PE1CHL via 44Net wrote:
The traffic was not even incoming directly, it arrived via an IPIP tunnel (probably DB0FHN) and there is no tunnel route back to that address.
Croatia (44.170/16) is connected to the HAMNET by VPN tunnel.
Why do they send traffic for 44.137/16 via that?
From the whois it appears it is BGP connected and I also see that in the ARIN listing.
They should have sent the traffic directly to internet, or better get on the IPIP mesh themselves. Why do they send it via FHN?
Since the IPIP-Mesh routes are pushed to the HAMNET by DB0FHN and your end is on the IPIP-Mesh, the packets from Croatia are received by VPN tunnel and forwarded by IPIP-Mesh to your end.
We drop all traffic from the IPIP mesh that does not have a route back to the IPIP mesh. I hope the new network structure will be deployed "soon" so we no longer have to cope with such silly static routings and we can all exchange traffic via a single core network without such "man in the middle" forwardings.
Rob
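The rule Rob describes ("drop all traffic from the IPIP mesh that does not have a route back to the IPIP mesh"), as an added example that is not code from this thread or from any AMPRNet gateway. It models a reverse-path check against the mesh route table and shows why the Croatian source arriving through DB0FHN's tunnel is dropped while the same address arriving directly is left alone; the route table, gateway addresses, packet list and the interface name tunl0 are constructed assumptions, only the prefixes 44.137/16 and 44.170/16 come from the thread.

```python
"""Reverse-path filter for traffic arriving over the IPIP mesh (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed mesh route table: prefix -> tunnel endpoint it is reached via.
# 44.137/16 is the prefix Rob mentions; the gateway addresses are made up.
MESH_ROUTES: Dict[str, str] = {
    "44.137.0.0/16": "203.0.113.10",   # constructed mesh gateway
    "44.225.0.0/16": "198.51.100.7",   # constructed mesh gateway
}

MESH_IFACE = "tunl0"  # assumption: Linux IPIP tunnel interface name


def mesh_route_for(src: str, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of src against the mesh route table, or None."""
    ip = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def filter_mesh_packets(packets: List[Tuple[str, str]],
                        routes: Dict[str, str] = MESH_ROUTES) -> List[Tuple[str, str, str]]:
    """Classify (src, in_iface) pairs as accept/drop with a reason.

    Only packets that arrived over the mesh tunnel are subject to the
    reverse-path rule; anything else (e.g. direct BGP on eth0) passes so
    that legitimately direct traffic is not affected by the filter."""
    out = []
    for src, iface in packets:
        if iface != MESH_IFACE:
            out.append((src, "accept", "not received from the mesh"))
            continue
        gw = mesh_route_for(src, routes)
        if gw is None:
            out.append((src, "drop", "no mesh route back to source"))
        else:
            out.append((src, "accept", f"return path via mesh gateway {gw}"))
    return out


if __name__ == "__main__":
    sample = [("44.170.120.59", "tunl0"),  # Croatia via DB0FHN's tunnel
              ("44.225.1.2", "tunl0"),     # constructed mesh-routed source
              ("44.170.120.59", "eth0")]   # same host arriving directly
    for row in filter_mesh_packets(sample):
        print(*row)
```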
On 16.01.2021 14:42, Rob PE1CHL via 44Net wrote:
I hope the new network structure will be deployed "soon"
Where can I find out more about the "new network structure"?
Does it fit with the needs of the ~1000 endusers of the HAMNET?
73, Jann
On 1/16/21 3:06 PM, Jann Traschewski via 44Net wrote:
On 16.01.2021 14:42, Rob PE1CHL via 44Net wrote:
I hope the new network structure will be deployed "soon"
Where can I find out more about the "new network structure"?
There has been a lot of discussion on the 44NGN list (not related to your callsign) and there are some documents on the nexcloud.ampr.org server.
I would have assumed you are on that list as well.
Does it fit with the needs of the ~1000 endusers of the HAMNET?
Certainly a lot better than the current network. E.g. you will be able to have multiple connections between the radio network and the internet tunnel network, and it will be possible to exchange routing information using BGP instead of having the basically static routing over the mesh.
So in a situation like this, when both Germany and Croatia would join that network, there would be no need for Croatia to put large static subnet routes over a private VPN, they could use BGP to send traffic for those subnets that you can reach over radio via Germany, and the rest via another tunnel over internet directly towards the destination gateway. (of course that is already possible today, but apparently it is too difficult or too inconvenient to do that?)
Rob
That is what the portal is for and why every allocation should be in the portal with a whois service behind it
Ruben - ON3RVH
On 16 Jan 2021, at 12:54, Rob PE1CHL via 44Net 44net@mailman.ampr.org wrote:
On 1/16/21 12:35 PM, Jann Traschewski via 44Net wrote:
On 16.01.2021 11:50, Rob PE1CHL via 44Net wrote:
And why is (s)he portscanning for SSH servers?
It is hacked and is looking for other targets.
I already notified Igor, 9A6NVI, to take it offline.
I was starting to suspect that. But still I think that people should register their allocations in DNS (and have their own DNS servers only when they also make the reverse working), because I see no way to find the owner of that address right now. The traffic was not even incoming directly, it arrived via an IPIP tunnel (probably DB0FHN) and there is no tunnel route back to that address.
Rob
On 16 Jan 2021, at 12:17, Ruben ON3RVH via 44Net 44net@mailman.ampr.org wrote:
That is what the portal is for and why every allocation should be in the portal with a whois service behind it
Which is exactly how it is, e.g.
whois -h whois.ampr.org 44.190.255.1
Chris. -G1FEF
I already knew it is "Croatia". I see no way to identify the individual behind 44.170.120.59:
whois -h whois.ampr.org 44.170.120.59
Network: 44.170.0.0/16
Type: country
BGP: NO
Callsign: AMPRNET
Locator: IO92ab
Description: HR
Allocated: 2019-07-21 14:32:05
Updated: 2019-07-21 14:32:05
At least they can maintain a reverse DNS. "It can be handled by abuse@ampr.org", but that should be reserved for abuse only, I think. I initially wasn't handling this as abuse, but still I think we should be able to identify traffic to the originating callsign.
Rob
On 1/16/21 1:25 PM, G1FEF via 44Net wrote:
On 16 Jan 2021, at 12:17, Ruben ON3RVH via 44Net 44net@mailman.ampr.org wrote:
That is what the portal is for and why every allocation should be in the portal with a whois service behind it
Which is exactly how it is, e.g.
whois -h whois.ampr.org 44.190.255.1
Chris. -G1FEF
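The whois.ampr.org lookup that Chris suggests and Rob's result for 44.170.120.59, as an added example that is not from this thread or from the AMPRNet portal. It parses the record format Rob pasted (Network/Type/BGP/Callsign/...) and decides whether a record points at a specific operator or only at a country-level block held under the AMPRNET placeholder; the live query function assumes a plain RFC 3912 whois exchange on TCP port 43, the country record is reconstructed from Rob's paste, and the user-level record (callsign N0CALL, type "subnet") is constructed.

```python
"""Attributing a 44Net address with whois.ampr.org and reverse DNS (added example)."""
import socket
from typing import Dict, Optional

WHOIS_HOST = "whois.ampr.org"  # server named in the thread


def query_whois(ip: str, host: str = WHOIS_HOST, timeout: float = 5.0) -> str:
    """Plain whois (RFC 3912): send the query line, read until the server closes.
    Assumption: whois.ampr.org behaves like a standard whois server on port 43."""
    with socket.create_connection((host, 43), timeout=timeout) as sock:
        sock.sendall((ip + "\r\n").encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def parse_whois(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict with lower-cased keys.
    Tolerates 'Description:HR' (no space after the colon), as in Rob's paste."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def identifies_operator(fields: Dict[str, str]) -> bool:
    """True when the record names a real callsign rather than the AMPRNET
    placeholder on a country-wide block, i.e. when it is worth contacting."""
    callsign = fields.get("callsign", "").upper()
    return bool(callsign) and callsign != "AMPRNET" and fields.get("type", "").lower() != "country"


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup; None when no reverse record exists (Rob's complaint)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Reconstructed from the thread's whois output for 44.170.120.59
SAMPLE_COUNTRY_RECORD = """Network: 44.170.0.0/16
Type: country
BGP: NO
Callsign: AMPRNET
Locator: IO92ab
Description:HR
Allocated: 2019-07-21 14:32:05
Updated: 2019-07-21 14:32:05
"""

# Constructed: what a per-user allocation might look like (callsign and type are placeholders)
SAMPLE_USER_RECORD = "Network: 44.170.120.0/24\nType: subnet\nBGP: NO\nCallsign: N0CALL\nDescription: example user allocation\n"
```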
Rob,
That is why I was saying that every subnet should be registered in the portal. Including end-user subnets. This is also why I do not want to use a separate ipam for the Belgian network as my idea is that every subnet should be available in the portal and for every ham to see who owns that subnet. Or every region that has its own ipam should run a whois server which is then referred to by the portal. (like every registry does)
But that is a job for another day and that can be thought out in the future.
73
Ruben ON3RVH
-----Original Message-----
From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Rob PE1CHL via 44Net
Sent: Saturday, January 16, 2021 14:32
To: G1FEF via 44Net 44net@mailman.ampr.org
Cc: Rob PE1CHL 44net@pe1chl.nl
Subject: Re: [44net] 44.170.120.59
I already knew it is "Croatia". I see no way to identify the individual behind 44.170.120.59:
whois -h whois.ampr.org 44.170.120.59
Network: 44.170.0.0/16
Type: country
BGP: NO
Callsign: AMPRNET
Locator: IO92ab
Description: HR
Allocated: 2019-07-21 14:32:05
Updated: 2019-07-21 14:32:05
At least they can maintain a reverse DNS. "It can be handled by abuse@ampr.org", but that should be reserved for abuse only, I think. I initially wasn't handling this as abuse, but still I think we should be able to identify traffic to the originating callsign.
Rob
On 1/16/21 1:25 PM, G1FEF via 44Net wrote:
On 16 Jan 2021, at 12:17, Ruben ON3RVH via 44Net 44net@mailman.ampr.org wrote:
That is what the portal is for and why every allocation should be in the portal with a whois service behind it
Which is exactly how it is, e.g.
whois -h whois.ampr.org 44.190.255.1
Chris. -G1FEF