Greetings to everybody.
I want to direct your attention to two networks that lately I'm seeing in my Apache2 log files:
5.141.0.0/16
213.33.130.0/24
Log entries are at least suspicious. I keep a sharp lookout.
Best regards. Tom - sp2lob
Thanks Tom,
I also have 213.92.0.0/16 and 213.248.0.0/16 on permanent ban for hacking attempts against my JNOS.
Bill KG6BAJ
At 12:48 AM 09/29/14, you wrote:
(Please trim inclusions from previous messages)
_______________________________________________
> Greetings to everybody.
> I want to direct your attention to two networks that lately I'm seeing in my Apache2 log files:
> 5.141.0.0/16
> 213.33.130.0/24
> Log entries are at least suspicious. I keep a sharp lookout.
> Best regards. Tom - sp2lob
How far this helps is not clear. You just blocked an Italian and a Russian provider. Have you tried to send a mail to the "abuse" mailbox?
route:          213.92.0.0/17
descr:          I.NET Customer Nets block
origin:         AS3313
remarks:        4nd block released to it.inet local registry.
mnt-by:         INET-NOC
source:         RIPE # Filtered
remarks:        trouble: --------------------------------------------
remarks:        trouble: -- For any mail abuse or network incident
remarks:        trouble: -- please report to abuse@inet.it
remarks:        trouble: --------------------------------------------

route:          213.248.0.0/19
descr:          Digital Network JSC
descr:          Moscow, Russia
descr:          http://www.msm.ru
descr:          aggregate prefix
origin:         AS12695
mnt-by:         DN-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse@msm.ru
-----Original Message-----
From: 44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu [mailto:44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu] On Behalf Of William Lewis
Sent: Monday, September 29, 2014 17:40
To: AMPRNet working group
Subject: Re: [44net] Apache2 log - suspicious entries...
> Thanks Tom,
> I also have 213.92.0.0/16 and 213.248.0.0/16 on permanent ban for hacking attempts against my JNOS.
> Bill KG6BAJ
Well, I realize that every sysop must make decisions they feel are best for the security of their own systems, me included.
And as for banning an entire Italian and Russian network, it works for me. Maybe not everyone else.
Since I can see from the gateways list on the portal that there are no gateways listed in those ranges, I know I'm not blocking a potential gateway.
I *might* be blocking an individual packet user that wants to telnet into my system. But that same user can telnet into a different system, and then just connect to my node via the nodes list of wherever it was he/she connected from.
As for contacting the provider... I get so many probes and attacks that I'd be spending all my waking time just contacting providers, with no guarantees that they'd do anything anyway.
Having a back-end script that monitors hacking attempts and then just automatically bans IPs and networks that allow hackers seems to be pretty efficient for my needs. It may not be for everyone, though.
Bill KG6BAJ
At 08:22 AM 09/29/14, you wrote:
> How far this helps is not clear. You just blocked an Italian and a Russian provider. Have you tried to send a mail to the "abuse" mailbox?
On Mon, Sep 29, 2014 at 8:53 AM, William Lewis kg6baj@n1oes.org wrote:
> Having a back-end script that monitors hacking attempts and then just automatically bans IPs and networks that allow hackers seems to be pretty efficient for my needs. It may not be for everyone, though.
I do this with a program called fail2ban. You configure it to watch log files for authentication failures or other suspicious activity. It then blocks the suspicious source IP in iptables for the configured period of time. When the time expires, the IP is unbanned, so false positives or new users of an IP address aren't adversely affected.
I get many bans per day and don't put much energy into monitoring or reporting them.
Tom KD7LXL
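To make the findtime / maxretry / bantime behaviour Tom describes concrete, here is a small added example (mine, not fail2ban's code and not from anyone on this list). It replays constructed Apache access-log lines through a fail2ban-style jail: an IP that produces maxretry failures inside the findtime window is banned, and the ban lapses after bantime so a later visitor on the same address is not stuck behind it. The log lines, the 192.0.2.x / 198.51.100.x addresses, and the thresholds are all made up for the demonstration; the script only prints the iptables commands it would have issued rather than running them.

```python
"""fail2ban-style ban/unban state machine over constructed Apache log lines.

Added example, not fail2ban's own implementation. It mirrors the jail
settings a fail2ban user tunes (maxretry, findtime, bantime) and records
the iptables commands a real jail would execute, without executing them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only client IP, timestamp and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation addresses, chronological order).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Sep/2014:08:00:01 +0000] "GET /manager/html HTTP/1.1" 401 381 "-" "-"
192.0.2.10 - - [29/Sep/2014:08:00:03 +0000] "GET /manager/html HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [29/Sep/2014:08:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
192.0.2.10 - - [29/Sep/2014:08:00:09 +0000] "GET /manager/html HTTP/1.1" 401 381 "-" "-"
192.0.2.10 - - [29/Sep/2014:08:00:12 +0000] "GET /manager/html HTTP/1.1" 401 381 "-" "-"
192.0.2.10 - - [29/Sep/2014:08:25:00 +0000] "GET /manager/html HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [29/Sep/2014:08:30:00 +0000] "GET /index.html HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [29/Sep/2014:08:45:00 +0000] "GET /index.html HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [29/Sep/2014:09:20:00 +0000] "GET /index.html HTTP/1.1" 401 381 "-" "-"
"""


def parse_line(line):
    """Return (ip, timestamp, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"),
            datetime.strptime(m.group("ts"), TS_FMT),
            int(m.group("status")))


class Jail:
    """Ban an IP after `maxretry` failures within `findtime` seconds; lift the
    ban `bantime` seconds later. Failures are HTTP statuses in `fail_statuses`."""

    def __init__(self, maxretry=3, findtime=600, bantime=600,
                 fail_statuses=(401, 403)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.fail_statuses = set(fail_statuses)
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.banned = {}                   # ip -> time the ban expires
        self.actions = []                  # iptables commands, in order

    def _expire(self, now):
        # Lift every ban whose bantime has elapsed (fail2ban does this on a
        # timer; here it happens whenever the next log line is observed).
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def observe(self, ip, ts, status):
        self._expire(ts)
        if status not in self.fail_statuses or ip in self.banned:
            return
        # Keep only failures inside the sliding findtime window.
        window = self.failures[ip] + [ts]
        self.failures[ip] = [t for t in window if ts - t <= self.findtime]
        if len(self.failures[ip]) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.failures[ip] = []
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")


def run_jail(log_text, **settings):
    """Replay a log through a Jail and return the iptables commands it emitted."""
    jail = Jail(**settings)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            jail.observe(*rec)
    return jail.actions


if __name__ == "__main__":
    for cmd in run_jail(SAMPLE_LOG):
        print(cmd)
```

With the defaults (three 401s inside ten minutes, ten-minute ban) only 192.0.2.10 is banned, and it is released again before its 08:25 request is seen; 198.51.100.7 fails three times but too far apart to fill the findtime window. Raising findtime to an hour makes that second address trip the jail too, which is the kind of trade-off between catching slow probes and hitting legitimate users that the thread is about.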
Tom et al.
I do exactly the same! Very good program. Additionally I have some lines against port scanning.
Best regards. Tom - sp2lob