All,
I once again notice intermittent connection to AMPRNet for about 24 hours. When this happens:
- When I login into the /private page, I cannot see Encap.txt - Each time, this is how I attempt to confirm I'm in the most recant Encap - I'm not on Marius' map, and from my understanding of his OS (hi) he will not receive packets if he doesn't have a route for me
I figure I'm not on Encap.txt. Can someone check?
Linux commands:
dynamic filter check: ipset test ipipfilter 71.178.210.39
check route: ip route get 44.60.44.0/24 from <your_AMPR_IP_on_router>
My encap file reads June 8, 00:20 UTC.
- Lynwood KB3VWG
-rw-r--r-- 1 root root 31119 Jun 7 20:20 /etc/config/encap.txt
Lynwood.
I have 173.66.138.32 as your public IP. My encap.txt reads Jun 8 01:20:31 UTC 2017
Your site kb3vwg-010.ampr.org is __NOT__ reachable at the moment, but earlier today WAS O.K.
Best regards. --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
Hi Lynwood,
Actually it would be possible to receive announcements from everywhere, but the data collecting daemon only accepts announcement from 44 addresses (route present or not). I have done this because a few minutes after publishing the announcement URLs, I had some spamming tentatives from public IPs and I would rather keep the system clean. On the other hand, if there is no way for announcements to arrive from a 44 address, that host is not a AMPR mesh gateway, since the mesh is not working.
Marius
All,
I once again notice intermittent connection to AMPRNet for about 24 hours. When this happens:
- When I login into the /private page, I cannot see Encap.txt
- Each time, this is how I attempt to confirm I'm in the most recant Encap
- I'm not on Marius' map, and from my understanding of his OS (hi) he
will not receive packets if he doesn't have a route for me
I figure I'm not on Encap.txt. Can someone check?
Linux commands:
dynamic filter check: ipset test ipipfilter 71.178.210.39
check route: ip route get 44.60.44.0/24 from <your_AMPR_IP_on_router>
My encap file reads June 8, 00:20 UTC.
- Lynwood
KB3VWG
-rw-r--r-- 1 root root 31119 Jun 7 20:20 /etc/config/encap.txt
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Marius,
My 'Mesh' is up, but if your UDP requires a reply, that's the issue...
On the other hand, if there is no way for announcements to arrive from a 44 address, that host is not a AMPR mesh gateway, since the mesh is not working.
I still have a copy of encap.txt locally.
- KB3VWG
root@router:~# ip route get 44.182.21.1 from 44.60.44.1 44.182.21.1 from 44.60.44.1 via 89.122.215.236 dev tunl0 table 44 cache expires 294sec mtu 1480 window 840 2017-06-08 00:16:17.454 0.000 UDP44.60.44.254:59120 http://192.168.7.9/nfsen/nfsen.php#null ->44.182.21.1:59001 http://192.168.7.9/nfsen/nfsen.php#null 1 41
Lynwood.
ip route get 44.60.44.0/24 from 44.165.2.2
44.60.44.10 from 44.165.2.2 via 173.66.138.32 dev tunl0 cache window 840
Best regards. --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
Lynwood.
Your public IP while ago changed to 71.178.210.39 (www.kb3vwg.info)
Best regards. --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
W 8 czerwca 2017 11:50:47 AM lleachii--- via 44Net 44net@hamradio.ucsd.edu napisał:
All,
I once again notice intermittent connection to AMPRNet for about 24 hours. When this happens:
- When I login into the /private page, I cannot see Encap.txt
- Each time, this is how I attempt to confirm I'm in the most recant Encap
- I'm not on Marius' map, and from my understanding of his OS (hi) he
will not receive packets if he doesn't have a route for me
I figure I'm not on Encap.txt. Can someone check?
Linux commands:
dynamic filter check: ipset test ipipfilter 71.178.210.39
check route: ip route get 44.60.44.0/24 from <your_AMPR_IP_on_router>
My encap file reads June 8, 00:20 UTC.
- Lynwood
KB3VWG
-rw-r--r-- 1 root root 31119 Jun 7 20:20 /etc/config/encap.txt
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Lynwood.
--- Current version: 43.053 2017/06/08 12:17:12 Shows IP 71.178.210.39 Although ip route get... still shows 173.66.138.32
Best regards. Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
Lynwood, Marius.
Just noticed something at least odd...
1. ampr-ripd is up&running on my server. 2. I see incoming rip broadcasts. 3. Latest encap.txt generated by ampr-ripd is from Jun 8 01:20:31UTC 4. Latest encap.txt on portal.ampr.org is from Jun 8 13:06:42UTC serial 43.054 5. Lynwood's public IP is O.K. on portal but NOT on my server.
I am seeing rip broadcasts but not comprising any data? Weird...
Best regards. --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
Your gateway commercial addresss keeps changing back and forth between two different addresses. From yesterday's logs:
Jun 7 00:15:13 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 71.178.210.39 to 173.66.138.32 Jun 7 02:15:15 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 173.66.138.32 to 71.178.210.39 Jun 7 08:15:14 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 71.178.210.39 to 173.66.138.32 Jun 7 10:15:13 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 173.66.138.32 to 71.178.210.39 Jun 7 11:15:13 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 71.178.210.39 to 173.66.138.32 Jun 7 12:15:14 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 173.66.138.32 to 71.178.210.39 Jun 7 13:15:14 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 71.178.210.39 to 173.66.138.32 Jun 7 14:15:14 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 173.66.138.32 to 71.178.210.39 Jun 7 18:15:15 <local0.info> amprgw ipipd[51724]: route changed [129]: 44.60.44.0/24: from 71.178.210.39 to 173.66.138.32
The portal FTP server has been refusing connections since about 1815 Pacific yesterday, so I don't have any newer encap file than that, but you're in it:
route addprivate 44.60.44/24 encap 173.66.138.32
- Brian
On Thu, Jun 08, 2017 at 05:49:50AM -0400, lleachii--- via 44Net wrote:
All,
I once again notice intermittent connection to AMPRNet for about 24 hours. When this happens:
- When I login into the /private page, I cannot see Encap.txt
- Each time, this is how I attempt to confirm I'm in the most recant Encap
- I'm not on Marius' map, and from my understanding of his OS (hi) he will
not receive packets if he doesn't have a route for me
I figure I'm not on Encap.txt. Can someone check?
Linux commands:
dynamic filter check: ipset test ipipfilter 71.178.210.39
check route: ip route get 44.60.44.0/24 from <your_AMPR_IP_on_router>
My encap file reads June 8, 00:20 UTC.
- Lynwood
KB3VWG
-rw-r--r-- 1 root root 31119 Jun 7 20:20 /etc/config/encap.txt
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Brian,
On my side, the IP changed around 18:00 UTC on Tuesday, June 6th.
Then, my IP changed to 71.178.210.39.
It NEVER switched back. Something's wrong...
- Lynwood KB3VWG
On 06/08/2017 08:37 AM, Brian Kantor wrote:
Your gateway commercial addresss keeps changing back and forth between two different addresses. From yesterday's logs:
's logs:
Lynwood, Marius.
1. Latest encap.txt generated by ampr-ripd is dated Jun 8 13:35:31UTC
2. Latest encap.txt from portal.ampr.org is dated Jun 8 13:23:13UTC serial 43.058
3. Lynwood's public IP is O.K. on portal but NOT in encap.txt file generated by ampr-ripd.
Seem that something got askew...
Best regards. --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
Some sudden unexpected changes with the encap file:
Chris has had to shut down the FTP server on the portal.
I've built a program to now extract the data that was in the encap file from the database itself.
I've had to reconstruct the format of the file. The differences are:
1) You now fetch the encap file from the private gateways area of the gw.ampr.org website (use wget) 2) The date format is now 'yyyy-mm-dd UTC' instead of yyyy/mm/dd 3) The version number in the header is now 00.000 and doesn't change 4) Subnet addresses are always presented as a full decimal quad. (eg, '44.60.44.0/24' instead of '44.60.44/24' 5) There is '# END (n rows from db)' at the end of the file 6) The file is now in sorted order by subnet 7) The file and routes are updated every 15 minutes
Even with these changes, the file should load into old software OK.
By the way, in the process I discovered that the following 14 subnets are routed but don't have their 'Tunnel' box checked in the portal. - Brian
[109]: 44.46.64.0/24: 104.131.81.118 [117]: 44.48.8.0/22: 96.82.54.108 [194]: 44.94.0.0/16: 141.224.128.8 [267]: 44.131.156.0/30: 82.0.212.67 [392]: 44.136.72.0/22: 220.233.86.207 [396]: 44.136.92.0/24: 220.233.86.207 [437]: 44.142.0.0/16: 141.75.245.225 [454]: 44.151.17.10/32: 89.95.154.240 [453]: 44.151.6.9/32: 109.234.161.28 [486]: 44.152.0.0/16: 201.211.91.93 [532]: 44.163.144.0/20: 141.75.245.225 [568]: 44.168.254.80/29: 90.63.239.151 [614]: 44.188.128.0/20: 188.93.56.29 [617]: 44.208.0.0/16: 94.101.48.134
Hi Brian,
- You now fetch the encap file from the private gateways area of the gw.ampr.org website (use wget)
- The date format is now 'yyyy-mm-dd UTC' instead of yyyy/mm/dd
- The version number in the header is now 00.000 and doesn't change
- Subnet addresses are always presented as a full decimal quad.
OK , in this moment it is:
# Current version: 00.000 2017-06-08 15:30:05 UTC .... ....
- There is '# END (n rows from db)' at the end of the file
# END (xxx rows from db)
- The file is now in sorted order by subnet
- The file and routes are updated every 15 minutes
very good!
Even with these changes, the file should load into old software OK.
I'll test soon...
By the way, in the process I discovered that the following 14 subnets are routed but don't have their 'Tunnel' box checked in the portal.
Strange things happened last night here, see the rrdtool report at:
http://44.134.32.240/pastday.png
RIP spoofing? Real or false 44 user bombed my GW, too.
73, gus
Sorry Gus, could not connect to that address from my home. - Brian
On Thu, Jun 08, 2017 at 06:29:05PM +0200, Gustavo Ponza wrote:
Strange things happened last night here, see the rrdtool report at:
http://44.134.32.240/pastday.png
RIP spoofing? Real or false 44 user bombed my GW, too.
73, gus
Something odd is happening... try in this other way:
http://i0ojj.mooo.com/pastday.png
gus
On 06/08/2017 06:34 PM, Brian Kantor wrote:
Sorry Gus, could not connect to that address from my home.
- Brian
On Thu, Jun 08, 2017 at 06:29:05PM +0200, Gustavo Ponza wrote:
Strange things happened last night here, see the rrdtool report at:
http://44.134.32.240/pastday.png
RIP spoofing? Real or false 44 user bombed my GW, too.
73, gus
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Yes, that looks unusual. Unfortunately, I don't have any netflow analysis tools (yet) that would allow a closer look at the traffic. - Brian On Thu, Jun 08, 2017 at 06:38:20PM +0200, Gustavo Ponza wrote:
Something odd is happening... try in this other way:
http://i0ojj.mooo.com/pastday.png
gus
On 06/08/2017 06:34 PM, Brian Kantor wrote:
Sorry Gus, could not connect to that address from my home.
- Brian
On Thu, Jun 08, 2017 at 06:29:05PM +0200, Gustavo Ponza wrote:
Strange things happened last night here, see the rrdtool report at:
http://44.134.32.240/pastday.png
RIP spoofing? Real or false 44 user bombed my GW, too.
73, gus
The FTP server is back up again now, I had to shut it down for a while as it was getting brute force attacked from several hundred different IP’s.
Chris
On 8 Jun 2017, at 16:39, Brian Kantor Brian@UCSD.Edu wrote:
Some sudden unexpected changes with the encap file:
Chris has had to shut down the FTP server on the portal.
I've built a program to now extract the data that was in the encap file from the database itself.
I've had to reconstruct the format of the file. The differences are:
- You now fetch the encap file from the private gateways area of the gw.ampr.org website (use wget)
- The date format is now 'yyyy-mm-dd UTC' instead of yyyy/mm/dd
- The version number in the header is now 00.000 and doesn't change
- Subnet addresses are always presented as a full decimal quad. (eg, '44.60.44.0/24' instead of '44.60.44/24'
- There is '# END (n rows from db)' at the end of the file
- The file is now in sorted order by subnet
- The file and routes are updated every 15 minutes
Even with these changes, the file should load into old software OK.
By the way, in the process I discovered that the following 14 subnets are routed but don't have their 'Tunnel' box checked in the portal.
- Brian
[109]: 44.46.64.0/24: 104.131.81.118 [117]: 44.48.8.0/22: 96.82.54.108 [194]: 44.94.0.0/16: 141.224.128.8 [267]: 44.131.156.0/30: 82.0.212.67 [392]: 44.136.72.0/22: 220.233.86.207 [396]: 44.136.92.0/24: 220.233.86.207 [437]: 44.142.0.0/16: 141.75.245.225 [454]: 44.151.17.10/32: 89.95.154.240 [453]: 44.151.6.9/32: 109.234.161.28 [486]: 44.152.0.0/16: 201.211.91.93 [532]: 44.163.144.0/20: 141.75.245.225 [568]: 44.168.254.80/29: 90.63.239.151 [614]: 44.188.128.0/20: 188.93.56.29 [617]: 44.208.0.0/16: 94.101.48.134
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
This is how I protect against brute force/DoS attacks... It might not be the best but I use it because it's effective and is handled at the kernel level. A lot of folks use fail-to-ban to block brute forcers but I use iptables and ipset to rate-limit them.
I create an ipset that I call hackers and then I rate-limit attempts to connect... too many attempts in the window (1 hour on my systems) and they go in the blacklist.
To implement it you have to define an IP set and then tell netfilter what to do with addresses matching the set... Here's how I set it up and how I handle stuff on the blacklist for my SSH port:
ipset -N hackers iphash timeout 21600
iptables -A INPUT -i $RED -p tcp --dport 22 -m set --match-set hackers src -j SET --add-set hackers src --exist
iptables -A INPUT -i $RED -p tcp -m set --match-set hackers src -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $RED -m set --match-set hackers src -j DROP
Note: each command is a single line. Email may break them into multiple lines, I've put blank lines between the commands to make it easy to delineate one command from the next...
The first command creates a set called hacker with a timeout of 6 hours. Any ip added to the list come off in 6 hours. Works great because only the very active attackers will stay on the list.
The second command matches ips already on the list. If they're already on it it resets their timeout back to 21600 seconds (6 hours)
The third command resets TCP connections for ANY tcp attempt for IPs on the list
Th 4th command drops connectionless traffic like UDP or icmp from IPs on the list.
So how do they get on the list? Further down in my script where I have the allow input traffic to the machine in the interface I have the magic. The following is for my external internet facing interface for inbound SSH traffic on my gateway called RED ($RED in the script) (5 iptables commands):
iptables -A INPUT -i $RED -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -i $RED -p tcp --dport 22 -m recent --update --seconds 3600 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "AutoBlacklist: RED SSH Hackers"
iptables -A INPUT -i $RED -p tcp --dport 22 -m recent --update --seconds 3600 --hitcount 4 --rttl --name SSH --rsource -j SET --add-set hackers src
iptables -A INPUT -i $RED -p tcp --dport 22 -m recent --update --seconds 3600 --hitcount 4 --rttl --name --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $RED -p tcp --dport 22 -j ACCEPT
If I get 4 connections from any IP they go in the blacklist. I send them tcp resets to make them go away and so upstream routers like AMPR GW don't have to keep track of the connection.
The first command starts up the recent module The second command logs the connection attempt on the 4th attempt The third command adds the offending ip to the hackers IPSET list on the 4th attempt The fourth command sends a TCP-RESET on the 4th attempt The fifth command accepts their connection if it hasn't been reset by rule 4 (i.e the 1st, 2nd, or 3rd attempt)
The beauty of this over Fail-to-ban is there isn't a daemon monitoring the log, it works on connection attempt at the netfilter/kernel level and it's very effective. If you put this on your gateway (or any server) protecting the particular port you're interested in protecting it's very effective at preventing Brute Force/DoS attacks.
I hope someone finds this useful... I wrote a little about it in the past... if you google "self blocking script kiddies" you'll find an older iteration of this on my wordpress blog...
Tom Cardinal/N2XU/MSgt USAF (Ret)/BSCS/CASP, Security+ ce
On 6/8/2017 12:39, G1FEF via 44Net wrote:
The FTP server is back up again now, I had to shut it down for a while as it was getting brute force attacked from several hundred different IP’s.
Chris
On 8 Jun 2017, at 16:39, Brian Kantor Brian@UCSD.Edu wrote:
Some sudden unexpected changes with the encap file:
Chris has had to shut down the FTP server on the portal.
I've built a program to now extract the data that was in the encap file from the database itself.
I've had to reconstruct the format of the file. The differences are:
- You now fetch the encap file from the private gateways area of the gw.ampr.org website (use wget)
- The date format is now 'yyyy-mm-dd UTC' instead of yyyy/mm/dd
- The version number in the header is now 00.000 and doesn't change
- Subnet addresses are always presented as a full decimal quad. (eg, '44.60.44.0/24' instead of '44.60.44/24'
- There is '# END (n rows from db)' at the end of the file
- The file is now in sorted order by subnet
- The file and routes are updated every 15 minutes
Even with these changes, the file should load into old software OK.
By the way, in the process I discovered that the following 14 subnets are routed but don't have their 'Tunnel' box checked in the portal.
- Brian
[109]: 44.46.64.0/24: 104.131.81.118 [117]: 44.48.8.0/22: 96.82.54.108 [194]: 44.94.0.0/16: 141.224.128.8 [267]: 44.131.156.0/30: 82.0.212.67 [392]: 44.136.72.0/22: 220.233.86.207 [396]: 44.136.92.0/24: 220.233.86.207 [437]: 44.142.0.0/16: 141.75.245.225 [454]: 44.151.17.10/32: 89.95.154.240 [453]: 44.151.6.9/32: 109.234.161.28 [486]: 44.152.0.0/16: 201.211.91.93 [532]: 44.163.144.0/20: 141.75.245.225 [568]: 44.168.254.80/29: 90.63.239.151 [614]: 44.188.128.0/20: 188.93.56.29 [617]: 44.208.0.0/16: 94.101.48.134
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
All,
Here my iptables rule (I didn't want to install fail2ban):
# RATE LIMIT MULTIPLE SSH ATTEMPTS FOR FIVE MINUTES # iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --update --seconds 300 --hitcount 5 -j DROP # iptables -I FORWARD -p tcp --dport 22 -i eth0.2 -m state --state NEW -m recent --name ssh --set
- KB3VWG
PS: if this isn't open to the public, you can just change the port to something other than 22 - Security Through Obscurity at its best!
This is how I protect against brute force/DoS attacks
At 8:52AM Central time I get this: root@blackjack:/etc/firewall# ip route get 44.60.44.0/24 44.60.44.0 via 173.66.138.32 dev tunl0 src 44.98.63.6 cache window 840 root@blackjack:/etc/firewall#
--tom Tom Cardinal/N2XU/MSgt USAF (Ret)/BSCS/CASP, Security+ ce
On 6/8/2017 04:49, lleachii--- via 44Net wrote:
All,
I once again notice intermittent connection to AMPRNet for about 24 hours. When this happens:
- When I login into the /private page, I cannot see Encap.txt
- Each time, this is how I attempt to confirm I'm in the most recant Encap
- I'm not on Marius' map, and from my understanding of his OS (hi) he
will not receive packets if he doesn't have a route for me
I figure I'm not on Encap.txt. Can someone check?
Linux commands:
dynamic filter check: ipset test ipipfilter 71.178.210.39
check route: ip route get 44.60.44.0/24 from <your_AMPR_IP_on_router>
My encap file reads June 8, 00:20 UTC.
- Lynwood
KB3VWG
-rw-r--r-- 1 root root 31119 Jun 7 20:20 /etc/config/encap.txt
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
-
Brian Kantor -
G1FEF -
Gustavo Ponza -
lleachii@aol.com -
marius@yo2loj.ro -
SP2L Tom -
Tom Cardinal